23adebb00fb61ee4f08cf0bb32ca411e3ac3e11963b5651410a3945a1dc48139

Analysis

max time kernel
9s
max time network
20s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 17:11

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-20T17:11:49Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win7-20240215-en/instance_1-dirty.qcow2\"}"

Report Analysis Logs

General

Target

PreSetup1 X.bat
Size

151KB
MD5

a350842eabbf511f2027408c5b0ba9a6
SHA1

d41988348a107fb87ddac10cf542434b42f482ac
SHA256

23adebb00fb61ee4f08cf0bb32ca411e3ac3e11963b5651410a3945a1dc48139
SHA512

c2c9d2059f0a284ab5ea55f80564f45415a1025da9b5ac2f8a541babaed81bc3d870e7110c5808733538031d12807e34e37750e363d129cf6344659d271bb081
SSDEEP

768:+hs33O6od10EkOGDlsfK2Jd7hP3AveP1PAXiAIO1WuWDIkWZI7S4W4Kzz+xKY6zG:LYpOwR

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 27 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3064	bcdedit.exe
692	bcdedit.exe
844	bcdedit.exe
1100	bcdedit.exe
1116	bcdedit.exe
3000	bcdedit.exe
1608	bcdedit.exe
2116	bcdedit.exe
1784	bcdedit.exe
1464	bcdedit.exe
352	bcdedit.exe
1696	bcdedit.exe
1692	bcdedit.exe
956	bcdedit.exe
240	bcdedit.exe
1288	bcdedit.exe
1548	bcdedit.exe
932	bcdedit.exe
1728	bcdedit.exe
112	bcdedit.exe
3044	bcdedit.exe
1704	bcdedit.exe
280	bcdedit.exe
1200	bcdedit.exe
904	bcdedit.exe
760	bcdedit.exe
2072	bcdedit.exe

Registers new Print Monitor 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Maps connected drives based on registry 3 TTPs 12 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	reg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\System32\\Fox.png"	reg.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2952	sc.exe
2304	sc.exe
2444	sc.exe

Checks SCSI registry key(s) 3 TTPs 44 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1832	timeout.exe
2636	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeCreatePagefilePrivilege	2420	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1832	2256	cmd.exe	29
PID 2256 wrote to memory of 1832	2256	cmd.exe	29
PID 2256 wrote to memory of 1832	2256	cmd.exe	29
PID 2256 wrote to memory of 2636	2256	cmd.exe	30
PID 2256 wrote to memory of 2636	2256	cmd.exe	30
PID 2256 wrote to memory of 2636	2256	cmd.exe	30
PID 2256 wrote to memory of 2024	2256	cmd.exe	31
PID 2256 wrote to memory of 2024	2256	cmd.exe	31
PID 2256 wrote to memory of 2024	2256	cmd.exe	31
PID 2256 wrote to memory of 3028	2256	cmd.exe	32
PID 2256 wrote to memory of 3028	2256	cmd.exe	32
PID 2256 wrote to memory of 3028	2256	cmd.exe	32
PID 2256 wrote to memory of 2812	2256	cmd.exe	33
PID 2256 wrote to memory of 2812	2256	cmd.exe	33
PID 2256 wrote to memory of 2812	2256	cmd.exe	33
PID 2256 wrote to memory of 2508	2256	cmd.exe	34
PID 2256 wrote to memory of 2508	2256	cmd.exe	34
PID 2256 wrote to memory of 2508	2256	cmd.exe	34
PID 2256 wrote to memory of 2468	2256	cmd.exe	35
PID 2256 wrote to memory of 2468	2256	cmd.exe	35
PID 2256 wrote to memory of 2468	2256	cmd.exe	35
PID 2256 wrote to memory of 1256	2256	cmd.exe	36
PID 2256 wrote to memory of 1256	2256	cmd.exe	36
PID 2256 wrote to memory of 1256	2256	cmd.exe	36
PID 2256 wrote to memory of 2556	2256	cmd.exe	37
PID 2256 wrote to memory of 2556	2256	cmd.exe	37
PID 2256 wrote to memory of 2556	2256	cmd.exe	37
PID 2256 wrote to memory of 2572	2256	cmd.exe	38
PID 2256 wrote to memory of 2572	2256	cmd.exe	38
PID 2256 wrote to memory of 2572	2256	cmd.exe	38
PID 2256 wrote to memory of 2576	2256	cmd.exe	39
PID 2256 wrote to memory of 2576	2256	cmd.exe	39
PID 2256 wrote to memory of 2576	2256	cmd.exe	39
PID 2256 wrote to memory of 2588	2256	cmd.exe	40
PID 2256 wrote to memory of 2588	2256	cmd.exe	40
PID 2256 wrote to memory of 2588	2256	cmd.exe	40
PID 2256 wrote to memory of 2620	2256	cmd.exe	41
PID 2256 wrote to memory of 2620	2256	cmd.exe	41
PID 2256 wrote to memory of 2620	2256	cmd.exe	41
PID 2256 wrote to memory of 2560	2256	cmd.exe	42
PID 2256 wrote to memory of 2560	2256	cmd.exe	42
PID 2256 wrote to memory of 2560	2256	cmd.exe	42
PID 2256 wrote to memory of 2520	2256	cmd.exe	43
PID 2256 wrote to memory of 2520	2256	cmd.exe	43
PID 2256 wrote to memory of 2520	2256	cmd.exe	43
PID 2256 wrote to memory of 2372	2256	cmd.exe	44
PID 2256 wrote to memory of 2372	2256	cmd.exe	44
PID 2256 wrote to memory of 2372	2256	cmd.exe	44
PID 2256 wrote to memory of 3004	2256	cmd.exe	45
PID 2256 wrote to memory of 3004	2256	cmd.exe	45
PID 2256 wrote to memory of 3004	2256	cmd.exe	45
PID 2256 wrote to memory of 2808	2256	cmd.exe	46
PID 2256 wrote to memory of 2808	2256	cmd.exe	46
PID 2256 wrote to memory of 2808	2256	cmd.exe	46
PID 2256 wrote to memory of 2480	2256	cmd.exe	47
PID 2256 wrote to memory of 2480	2256	cmd.exe	47
PID 2256 wrote to memory of 2480	2256	cmd.exe	47
PID 2256 wrote to memory of 1972	2256	cmd.exe	48
PID 2256 wrote to memory of 1972	2256	cmd.exe	48
PID 2256 wrote to memory of 1972	2256	cmd.exe	48
PID 2256 wrote to memory of 2420	2256	cmd.exe	49
PID 2256 wrote to memory of 2420	2256	cmd.exe	49
PID 2256 wrote to memory of 2420	2256	cmd.exe	49
PID 2256 wrote to memory of 2536	2256	cmd.exe	50

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\PreSetup1 X.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\system32\timeout.exe
  timeout 5
  2⤵
  - Delays execution with timeout.exe
  PID:1832
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2636
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
  2⤵
  PID:2024
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc" /v "DependOnService" /t REG_MULTI_SZ /d "NSI\0RpcSs\0TcpIp" /f
  2⤵
  PID:3028
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\HotStart" /f
  2⤵
  PID:2812
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Sidebar" /f
  2⤵
  PID:2508
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Telephony" /f
  2⤵
  PID:2468
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Screensavers" /f
  2⤵
  PID:1256
- C:\Windows\system32\reg.exe
  reg delete "HKCU\Printers" /f
  2⤵
  PID:2556
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet001\Control\Print" /f
  2⤵
  - Registers new Print Monitor
  PID:2572
- C:\Windows\system32\reg.exe
  reg delete "HKLM\SYSTEM\ControlSet002\Control\Print" /f
  2⤵
  - Registers new Print Monitor
  PID:2576
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
  2⤵
  PID:2620
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2372
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3004
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "1" /f
  2⤵
  PID:2808
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell set-ProcessMitigation -System -Disable DEP, StrictHandle, SEHOP
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\system32\powercfg.exe
  powercfg -h off
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection\CameraAlternate\ShowPicturesOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f
  2⤵
  PID:2536
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\EventHandlersDefaultSelection\StorageOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers\CameraAlternate\ShowPicturesOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers\StorageOnArrival" /ve /t REG_SZ /d "MSTakeNoAction" /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "WinStationsDisabled" /t REG_SZ /d "1" /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize" /v "DisableRemoteFontBootCache" /t REG_DWORD /d "1" /f
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize" /v "DisableRemoteFontBootCache" /t REG_DWORD /d "1" /f
  2⤵
  PID:2484
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings" /v "StringCacheGeneration" /t REG_DWORD /d "0" /f
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "disabledomaincreds" /t REG_DWORD /d "1" /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymous" /t REG_DWORD /d "1" /f
  2⤵
  PID:2956
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableLog" /t REG_DWORD /d "0" /f
  2⤵
  PID:2628
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableDpxLog" /t REG_DWORD /d "0" /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableLog" /t REG_DWORD /d "0" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Component Based Servicing" /v "EnableDpxLog" /t REG_DWORD /d "0" /f
  2⤵
  PID:2156
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f
  2⤵
  PID:1856
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f
  2⤵
  PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"| FINDSTR /V "EnableHIPM"
  2⤵
  PID:2660
- - C:\Windows\system32\reg.exe
    REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "EnableHIPM"
    3⤵
    - Maps connected drives based on registry
    PID:2664
- - C:\Windows\system32\findstr.exe
    FINDSTR /V "EnableHIPM"
    3⤵
    PID:2688
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHIPM" /T REG_DWORD /d 0
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableDIPM" /T REG_DWORD /d 0
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /F /V "EnableHDDParking" /T REG_DWORD /d 0
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "IoLatencyCap"| FINDSTR /V "IoLatencyCap"
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services" /S /F "IoLatencyCap"
    3⤵
    - Maps connected drives based on registry
    PID:2464
- - C:\Windows\system32\findstr.exe
    FINDSTR /V "IoLatencyCap"
    3⤵
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort" | findstr /e "StorPort"
  2⤵
  PID:2708
- - C:\Windows\system32\reg.exe
    reg query "HKLM\System\CurrentControlSet\Enum" /S /F "StorPort"
    3⤵
    - Checks SCSI registry key(s)
    PID:2724
- - C:\Windows\system32\findstr.exe
    findstr /e "StorPort"
    3⤵
    PID:2740
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "3" /f
  2⤵
  - Sets file execution options in registry
  PID:1568
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Sets file execution options in registry
  PID:1484
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Windows\System32\Fox.png" /f
  2⤵
  - Sets desktop wallpaper using registry
  PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"
  2⤵
  PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"
    3⤵
    - Checks SCSI registry key(s)
    PID:300
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"
  2⤵
  PID:1888
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"
    3⤵
    - Checks SCSI registry key(s)
    PID:1924
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"
  2⤵
  PID:764
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"
    3⤵
    - Checks SCSI registry key(s)
    PID:1004
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"
  2⤵
  PID:1612
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"
    3⤵
    - Checks SCSI registry key(s)
    PID:2036
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2104
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f
  2⤵
  PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"
  2⤵
  PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"
    3⤵
    - Checks SCSI registry key(s)
    PID:1452
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"
  2⤵
  PID:2652
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"
    3⤵
    - Checks SCSI registry key(s)
    PID:2644
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"
  2⤵
  PID:2656
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"
    3⤵
    - Checks SCSI registry key(s)
    PID:2352
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"
    3⤵
    - Checks SCSI registry key(s)
    PID:320
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1120
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f
  2⤵
  PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"
  2⤵
  PID:1444
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"
    3⤵
    - Checks SCSI registry key(s)
    PID:1320
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"
  2⤵
  PID:2936
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"
    3⤵
    - Checks SCSI registry key(s)
    PID:3060
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"
    3⤵
    PID:2932
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"
    3⤵
    PID:2460
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"
    3⤵
    PID:2176
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IoLatencyCap" | findstr "HKEY"
  2⤵
  PID:1868
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IoLatencyCap"
    3⤵
    PID:2056
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1988
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrDelay" /t REG_DWORD /d "0" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrDdiDelay" /t REG_DWORD /d "0" /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrDebugMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:2216
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrLimitTime" /t REG_DWORD /d "0" /f
  2⤵
  PID:536
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "TdrLimitCount" /t REG_DWORD /d "0" /f
  2⤵
  PID:268
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\GraphicsDrivers" /v "DisableBadDriverCheckForHwProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:780
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:560
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:872
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:1180
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:1292
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore\Children" /f
  2⤵
  PID:1416
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore\Parents" /f
  2⤵
  PID:1236
- C:\Windows\system32\reg.exe
  reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1400
- C:\Windows\system32\reg.exe
  reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:2344
- C:\Windows\system32\reg.exe
  reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:648
- C:\Windows\system32\reg.exe
  reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:848
- C:\Windows\system32\reg.exe
  reg add "HKEY_USERS\.DEFAULT\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\.DEFAULT\System\GameConfigStore\Children" /f
  2⤵
  PID:1456
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\.DEFAULT\System\GameConfigStore\Parents" /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\DmaGuard\DeviceEnumerationPolicy" /v "value" /t REG_DWORD /d "2" /f
  2⤵
  PID:340
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\ControlSet001\Services\pci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\ControlSet001\Services\storahci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:2332
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\ControlSet001\Services\stornvme\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:628
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\ControlSet001\Services\USBXHCI\Parameters" /v "DmaRemappingCompatibleSelfhost" /t REG_DWORD /d "0" /f
  2⤵
  PID:296
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\ControlSet001\Services\USBXHCI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
  2⤵
  PID:2092
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticecaption" /t REG_SZ /d "Welcome to FoxOS, custom Windows for gaming. The ISO was made by CatGamerOP#7828 on Discord." /f
  2⤵
  PID:2204
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "legalnoticetext" /t REG_SZ /d "The ISO is free and is NOT for sale. You can download it from the official FoxOS Discord Server https://discord.gg/4Gg8n6WhPN. IF YOU PAID FOR THIS ISO, YOU WERE SCAMMED, DEMAND A REFUND." /f
  2⤵
  PID:1984
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000067 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3064
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000068 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:692
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {globalsettings} custom:16000069 true
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:844
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} description "FoxOS 1803"
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1100
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootmenupolicy legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1116
- C:\Windows\system32\bcdedit.exe
  bcdedit /set quietboot Yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3000
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootux Disabled
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1608
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootlog no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1784
- C:\Windows\system32\bcdedit.exe
  bcdedit /timeout 8
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2116
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1464
- C:\Windows\system32\bcdedit.exe
  bcdedit /set tscsyncpolicy legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:352
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick Yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1696
- C:\Windows\system32\bcdedit.exe
  bcdedit /event off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1692
- C:\Windows\system32\bcdedit.exe
  bcdedit /bootdebug off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:956
- C:\Windows\system32\bcdedit.exe
  bcdedit /set debug No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:240
- C:\Windows\system32\bcdedit.exe
  bcdedit /set ems No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1288
- C:\Windows\system32\bcdedit.exe
  bcdedit /set bootems No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1548
- C:\Windows\system32\bcdedit.exe
  bcdedit /set hypervisorlaunchtype Off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:932
- C:\Windows\system32\bcdedit.exe
  bcdedit /set vsmlaunchtype Off
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1728
- C:\Windows\system32\bcdedit.exe
  bcdedit /set tpmbootentropy ForceDisable
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:112
- C:\Windows\system32\bcdedit.exe
  bcdedit /set nx alwaysoff
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3044
- C:\Windows\system32\bcdedit.exe
  bcdedit /set integrityservices disable
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1704
- C:\Windows\system32\bcdedit.exe
  bcdedit /set allowedinmemorysettings 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:280
- C:\Windows\system32\bcdedit.exe
  bcdedit /set perfmem 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1200
- C:\Windows\system32\bcdedit.exe
  bcdedit /set isolatedcontext No @rem Virtualization Based Security???
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:904
- C:\Windows\system32\bcdedit.exe
  bcdedit /deletevalue useplatformclock
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:760
- C:\Windows\system32\bcdedit.exe
  bcdedit /deletevalue usefirmwarepcisettings
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2072
- C:\Windows\system32\reg.exe
  reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers" /v "Adobe Type Manager" /f
  2⤵
  PID:568
- C:\Windows\system32\reg.exe
  reg delete "HKLM\System\ControlSet001\Control\Terminal Server\Wds\rdpwd" /v "StartupPrograms" /f
  2⤵
  PID:680
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2864
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\Themes" /v "Start" /t REG_DWORD /d "4" /
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\WSearch" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2968
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\Beep" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\npsvctrig" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\vwififlt" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1920
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\wanarp" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\services\Wanarpv6" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".tif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".tiff" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:1176
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".bmp" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:2212
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".dib" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:1836
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".gif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:2284
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jfif" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:1428
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpe" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:1432
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpeg" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jpg" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:1580
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".jxr" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows Photo Viewer\Capabilities\FileAssociations" /v ".png" /t REG_SZ /d "PhotoViewer.FileAssoc.Tiff" /f
  2⤵
  PID:2288
- C:\Windows\system32\sc.exe
  sc delete CompositeBus
  2⤵
  - Launches sc.exe
  PID:2952
- C:\Windows\system32\sc.exe
  sc delete NdisVirtualBus
  2⤵
  - Launches sc.exe
  PID:2304
- C:\Windows\system32\sc.exe
  sc delete umbus
  2⤵
  - Launches sc.exe
  PID:2444
- C:\Windows\system32\shutdown.exe
  shutdown /r -t 5
  2⤵
  PID:2112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2024

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-4-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1972-5-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1972-6-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-7-0x0000000002CB0000-0x0000000002D30000-memory.dmp

Filesize
512KB

Download
memory/1972-8-0x0000000002CB4000-0x0000000002CB7000-memory.dmp

Filesize
12KB

Download
memory/1972-9-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1972-10-0x0000000002CBB000-0x0000000002D22000-memory.dmp

Filesize
412KB

Download
memory/2024-11-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/3004-12-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads