8f5b8b8dfd4db004a4ad3299203b87ea132cc6614aab9daadc286587d4e61d0f

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
Size

2.8MB
MD5

0563b0bea708ab80e00466511090cdf0
SHA1

b8c7f6c2961a0b8ac4dfdce79cd2d701f5db8b8d
SHA256

8f5b8b8dfd4db004a4ad3299203b87ea132cc6614aab9daadc286587d4e61d0f
SHA512

3f4bbc951b095bb591cdaf3b740296858f9baf739e1fea188d80b9164ee9a68d35ae8c40568952d422d6a0be206fb112fc078a8f6701ce322002a2e37dabc2a4
SSDEEP

49152:BXzhpDtKSK1cb8PGK+Tfuqmpc3elWo8GnQAsYZEV1R:BXzhW148Pd+Tf1mpcOldJQ3/Vb

Score

10^/10

evasion persistence ransomware themida trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

spoolsv.exesvchost.exespoolsv.exeFree_Candy_Optimizer.exe.00295d4b_0003b200.exeicsys.icn.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

3952 bcdedit.exe
416 bcdedit.exe
1728 bcdedit.exe
5112 bcdedit.exe

pid	process
3952	bcdedit.exe
416	bcdedit.exe
1728	bcdedit.exe
5112	bcdedit.exe

Sets file execution options in registry 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spoolsv.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exeFree_Candy_Optimizer.exe.00295d4b_0003b200.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

free_candy_optimizer.exe.00295d4b_0003b200.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

4488 free_candy_optimizer.exe.00295d4b_0003b200.exe
4128 icsys.icn.exe
1236 explorer.exe
404 spoolsv.exe
548 svchost.exe
2108 spoolsv.exe

pid	process
4488	free_candy_optimizer.exe.00295d4b_0003b200.exe
4128	icsys.icn.exe
1236	explorer.exe
404	spoolsv.exe
548	svchost.exe
2108	spoolsv.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\	powershell.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3588-0-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral2/memory/4128-14-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3588-21-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\explorer.exe	themida
behavioral2/memory/1236-25-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
\??\c:\windows\resources\spoolsv.exe	themida
behavioral2/memory/404-34-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\svchost.exe	themida
behavioral2/memory/548-43-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4128-48-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2108-52-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/404-53-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4128-54-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1236-55-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/548-56-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1236-67-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/548-108-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1236-109-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1236-119-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/548-120-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exefree_candy_optimizer.exe.00295d4b_0003b200.exe explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	free_candy_optimizer.exe.00295d4b_0003b200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Free_Candy_Optimizer.exe.00295d4b_0003b200.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Maps connected drives based on registry 3 TTPs 18 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe

Drops file in System32 directory 2 IoCs

Processes:

explorer.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

Free_Candy_Optimizer.exe.00295d4b_0003b200.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid process

3588 Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
4128 icsys.icn.exe
1236 explorer.exe
404 spoolsv.exe
548 svchost.exe
2108 spoolsv.exe

Drops file in Windows directory 6 IoCs

Processes:

Free_Candy_Optimizer.exe.00295d4b_0003b200.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\tjcm.cmn	explorer.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4328 sc.exe
948 sc.exe
5532 sc.exe
5544 sc.exe
3044 sc.exe
4216 sc.exe
2252 sc.exe
5048 sc.exe

pid	process
4328	sc.exe
948	sc.exe
5532	sc.exe
5544	sc.exe
3044	sc.exe
4216	sc.exe
2252	sc.exe
5048	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UINumber	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Address	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\PowerCycleCount	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ContainerID	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ClassGUID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ContainerID	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LocationInformation	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumber	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestamp	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Address	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\DefaultRequestFlags	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\MinimumIdleTimeoutInMS	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Driver	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	reg.exe

Delays execution with timeout.exe 51 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
1412	timeout.exe
4776	timeout.exe
3864	timeout.exe
2436	timeout.exe
1860	timeout.exe
4320	timeout.exe
3860	timeout.exe
2600	timeout.exe
3356	timeout.exe
4748	timeout.exe
2164	timeout.exe
1192	timeout.exe
2408	timeout.exe
3960	timeout.exe
3576	timeout.exe
2324	timeout.exe
3528	timeout.exe
2484	timeout.exe
2780	timeout.exe
4260	timeout.exe
3472	timeout.exe
4184	timeout.exe
4528	timeout.exe
1344	timeout.exe
2764	timeout.exe
3876	timeout.exe
3840	timeout.exe
4116	timeout.exe
1768	timeout.exe
1908	timeout.exe
740	timeout.exe
3384	timeout.exe
3660	timeout.exe
3564	timeout.exe
3780	timeout.exe
4828	timeout.exe
1676	timeout.exe
3076	timeout.exe
3220	timeout.exe
1624	timeout.exe
1612	timeout.exe
4676	timeout.exe
2468	timeout.exe
4308	timeout.exe
1884	timeout.exe
884	timeout.exe
2656	timeout.exe
2608	timeout.exe
5032	timeout.exe
4248	timeout.exe
3848	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe

Modifies registry class 4 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Free_Candy_Optimizer.exe.00295d4b_0003b200.exeicsys.icn.exe

pid	process
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
4128	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1236 explorer.exe
548 svchost.exe

pid	process
1236	explorer.exe
548	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeIncreaseQuotaPrivilege	2100	powershell.exe
Token: SeSecurityPrivilege	2100	powershell.exe
Token: SeTakeOwnershipPrivilege	2100	powershell.exe
Token: SeLoadDriverPrivilege	2100	powershell.exe
Token: SeSystemProfilePrivilege	2100	powershell.exe
Token: SeSystemtimePrivilege	2100	powershell.exe
Token: SeProfSingleProcessPrivilege	2100	powershell.exe
Token: SeIncBasePriorityPrivilege	2100	powershell.exe
Token: SeCreatePagefilePrivilege	2100	powershell.exe
Token: SeBackupPrivilege	2100	powershell.exe
Token: SeRestorePrivilege	2100	powershell.exe
Token: SeShutdownPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeSystemEnvironmentPrivilege	2100	powershell.exe
Token: SeRemoteShutdownPrivilege	2100	powershell.exe
Token: SeUndockPrivilege	2100	powershell.exe
Token: SeManageVolumePrivilege	2100	powershell.exe
Token: 33	2100	powershell.exe
Token: 34	2100	powershell.exe
Token: 35	2100	powershell.exe
Token: 36	2100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: 36	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: 36	1212	WMIC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

Free_Candy_Optimizer.exe.00295d4b_0003b200.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
4128	icsys.icn.exe
4128	icsys.icn.exe
1236	explorer.exe
1236	explorer.exe
404	spoolsv.exe
404	spoolsv.exe
548	svchost.exe
548	svchost.exe
2108	spoolsv.exe
2108	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Free_Candy_Optimizer.exe.00295d4b_0003b200.exefree_candy_optimizer.exe.00295d4b_0003b200.exe cmd.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exe

description	pid	process	target process
PID 3588 wrote to memory of 4488	3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe	free_candy_optimizer.exe.00295d4b_0003b200.exe
PID 3588 wrote to memory of 4488	3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe	free_candy_optimizer.exe.00295d4b_0003b200.exe
PID 4488 wrote to memory of 3604	4488	free_candy_optimizer.exe.00295d4b_0003b200.exe	cmd.exe
PID 4488 wrote to memory of 3604	4488	free_candy_optimizer.exe.00295d4b_0003b200.exe	cmd.exe
PID 3588 wrote to memory of 4128	3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe	icsys.icn.exe
PID 3588 wrote to memory of 4128	3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe	icsys.icn.exe
PID 3588 wrote to memory of 4128	3588	Free_Candy_Optimizer.exe.00295d4b_0003b200.exe	icsys.icn.exe
PID 3604 wrote to memory of 3812	3604	cmd.exe	chcp.com
PID 3604 wrote to memory of 3812	3604	cmd.exe	chcp.com
PID 3604 wrote to memory of 3960	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 3960	3604	cmd.exe	timeout.exe
PID 4128 wrote to memory of 1236	4128	icsys.icn.exe	explorer.exe
PID 4128 wrote to memory of 1236	4128	icsys.icn.exe	explorer.exe
PID 4128 wrote to memory of 1236	4128	icsys.icn.exe	explorer.exe
PID 1236 wrote to memory of 404	1236	explorer.exe	spoolsv.exe
PID 1236 wrote to memory of 404	1236	explorer.exe	spoolsv.exe
PID 1236 wrote to memory of 404	1236	explorer.exe	spoolsv.exe
PID 404 wrote to memory of 548	404	spoolsv.exe	svchost.exe
PID 404 wrote to memory of 548	404	spoolsv.exe	svchost.exe
PID 404 wrote to memory of 548	404	spoolsv.exe	svchost.exe
PID 548 wrote to memory of 2108	548	svchost.exe	spoolsv.exe
PID 548 wrote to memory of 2108	548	svchost.exe	spoolsv.exe
PID 548 wrote to memory of 2108	548	svchost.exe	spoolsv.exe
PID 3604 wrote to memory of 4796	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 4796	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 2592	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 2592	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 1060	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 1060	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 3356	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 3356	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 5020	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 5020	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 2164	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 2164	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 4196	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 4196	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 4320	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 4320	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 4292	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 4292	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 4528	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 4528	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 4976	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 4976	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 1268	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 1268	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 3472	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 3472	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 4200	3604	cmd.exe	chcp.com
PID 3604 wrote to memory of 4200	3604	cmd.exe	chcp.com
PID 3604 wrote to memory of 2100	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 2100	3604	cmd.exe	powershell.exe
PID 3604 wrote to memory of 3548	3604	cmd.exe	chcp.com
PID 3604 wrote to memory of 3548	3604	cmd.exe	chcp.com
PID 3604 wrote to memory of 3384	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 3384	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 3908	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 3908	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 2348	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 2348	3604	cmd.exe	reg.exe
PID 3604 wrote to memory of 3860	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 3860	3604	cmd.exe	timeout.exe
PID 3604 wrote to memory of 3348	3604	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Free_Candy_Optimizer.exe.00295d4b_0003b200.exe
"C:\Users\Admin\AppData\Local\Temp\Free_Candy_Optimizer.exe.00295d4b_0003b200.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3588

\??\c:\users\admin\appdata\local\temp\free_candy_optimizer.exe.00295d4b_0003b200.exe
c:\users\admin\appdata\local\temp\free_candy_optimizer.exe.00295d4b_0003b200.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\SYSTEM32\cmd.exe
cmd /c "Free Candy Optimizer.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3812

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3960

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
4⤵
PID:4796

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
4⤵
PID:2592

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
4⤵
PID:1060

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3356

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSensitivity" /t REG_SZ /d "10" /f
4⤵
PID:5020

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2164

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
4⤵
PID:4196

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4320

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Keyboard" /v "KeyboardSpeed" /t REG_SZ /d "31" /f
4⤵
PID:4292

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4528

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
4⤵
- Sets file execution options in registry
PID:4976

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
4⤵
- Sets file execution options in registry
PID:1268

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3472

C:\Windows\system32\chcp.com
chcp 437
4⤵
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Disable-MMAgent -MemoryCompression"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3548

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3384

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
4⤵
PID:3908

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
4⤵
PID:2348

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3860

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
4⤵
PID:3348

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
4⤵
PID:2204

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3528

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d "0" /f
4⤵
PID:3876

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
4⤵
PID:4136

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "0" /f
4⤵
PID:2656

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolQuota" /t REG_DWORD /d "0" /f
4⤵
PID:4800

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolSize" /t REG_DWORD /d "0" /f
4⤵
PID:4052

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolQuota" /t REG_DWORD /d "0" /f
4⤵
PID:452

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolSize" /t REG_DWORD /d "192" /f
4⤵
PID:2564

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d "1024" /f
4⤵
PID:2120

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionPoolSize" /t REG_DWORD /d "192" /f
4⤵
PID:1088

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionViewSize" /t REG_DWORD /d "192" /f
4⤵
PID:3836

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SystemPages" /t REG_DWORD /d "4294967295" /f
4⤵
PID:2876

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PhysicalAddressExtension" /t REG_DWORD /d "1" /f
4⤵
PID:3292

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
4⤵
PID:1188

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
4⤵
PID:2760

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
4⤵
PID:1004

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "IoPageLockLimit" /t REG_DWORD /d "16710656" /f
4⤵
PID:2188

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PoolUsageMaximum" /t REG_DWORD /d "96" /f
4⤵
PID:4028

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"| findstr "StorPort"
4⤵
PID:3276

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"
5⤵
- Checks SCSI registry key(s)
PID:544

C:\Windows\system32\findstr.exe
findstr "StorPort"
5⤵
PID:4788

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
4⤵
PID:4504

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
4⤵
PID:2412

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
4⤵
PID:448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableHIPM" | findstr "HKEY"
4⤵
PID:4624

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableHIPM"
5⤵
- Maps connected drives based on registry
PID:4404

C:\Windows\system32\findstr.exe
findstr "HKEY"
5⤵
PID:1480

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /v "EnableHIPM" /t REG_DWORD /d "0" /f
4⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableDIPM" | findstr "HKEY"
4⤵
PID:5008

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableDIPM"
5⤵
- Maps connected drives based on registry
PID:2228

C:\Windows\system32\findstr.exe
findstr "HKEY"
5⤵
PID:3948

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /v "EnableDIPM" /t REG_DWORD /d "0" /f
4⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableHDDParking" | findstr "HKEY"
4⤵
PID:4512

C:\Windows\system32\reg.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "EnableHDDParking"
5⤵
- Maps connected drives based on registry
PID:2948

C:\Windows\system32\findstr.exe
findstr "HKEY"
5⤵
PID:2980

C:\Windows\system32\reg.exe
Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amdsbs\Settings\CAM" /v "EnableHDDParking" /t REG_DWORD /d "0" /f
4⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\System\CurrentControlSet\Services" /s "EnableHIPM"| FINDSTR /V "EnableHIPM"
4⤵
PID:880

C:\Windows\system32\reg.exe
REG QUERY "HKLM\System\CurrentControlSet\Services" /s "EnableHIPM"
5⤵
PID:3364

C:\Windows\system32\findstr.exe
FINDSTR /V "EnableHIPM"
5⤵
PID:3944

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:3488

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t REG_DWORD /d "4" /f
4⤵
PID:1240

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4676

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "DisableTaggedEnergyLogging" /t REG_DWORD /d "1" /f
4⤵
PID:1008

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxApplication" /t REG_DWORD /d "0" /f
4⤵
PID:5108

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxTagPerApplication" /t REG_DWORD /d "0" /f
4⤵
PID:2148

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2484

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
4⤵
PID:4900

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
4⤵
PID:2160

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
4⤵
PID:2496

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
4⤵
PID:3444

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
4⤵
PID:1136

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
4⤵
PID:5076

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
4⤵
PID:2444

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "PlatformAoAcOverride" /t REG_DWORD /d "0" /f
4⤵
PID:864

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:2008

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:2096

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CsEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:4080

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3576

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
4⤵
PID:1812

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2608

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f
4⤵
PID:768

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3076

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
4⤵
PID:5112

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
4⤵
PID:1536

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1412

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "MoveImages" /t REG_DWORD /d "0" /f
4⤵
PID:1760

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
4⤵
PID:4868

C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "5217772" /f
4⤵
PID:2320

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3220

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
4⤵
PID:3556

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
4⤵
PID:1656

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3876

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
4⤵
PID:2392

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
4⤵
PID:4076

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "2000" /f
4⤵
PID:3088

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
4⤵
PID:644

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
4⤵
PID:1400

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f
4⤵
PID:1468

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4748

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "1" /f
4⤵
PID:1416

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "IoPriority" /t REG_DWORD /d "3" /f
4⤵
PID:1388

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1624

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
4⤵
- Sets file execution options in registry
PID:996

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
4⤵
- Sets file execution options in registry
PID:1328

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3840

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
4⤵
PID:4048

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
4⤵
PID:1332

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f
4⤵
PID:4424

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
4⤵
PID:2568

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f
4⤵
PID:4032

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f
4⤵
PID:4756

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f
4⤵
PID:4472

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f
4⤵
PID:3964

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f
4⤵
PID:992

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f
4⤵
PID:3228

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f
4⤵
PID:4324

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "1" /f
4⤵
PID:2892

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f
4⤵
PID:3224

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f
4⤵
PID:3532

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f
4⤵
PID:2112

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f
4⤵
PID:2940

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f
4⤵
PID:4836

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f
4⤵
PID:2044

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f
4⤵
PID:1972

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f
4⤵
PID:1860

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f
4⤵
PID:4600

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f
4⤵
PID:1684

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
4⤵
PID:3272

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f
4⤵
PID:184

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f
4⤵
PID:416

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f
4⤵
PID:4896

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f
4⤵
PID:3596

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f
4⤵
PID:2260

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
4⤵
PID:2408

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d "1" /f
4⤵
PID:2284

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f
4⤵
PID:1828

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f
4⤵
PID:3364

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
4⤵
PID:3944

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
4⤵
PID:1316

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f
4⤵
PID:2232

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
4⤵
PID:3468

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
4⤵
PID:3548

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2600

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
4⤵
PID:3888

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
4⤵
PID:2584

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3660

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
4⤵
PID:1524

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4116

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
4⤵
PID:1804

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3864

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
4⤵
PID:1260

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2324

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:4480

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3564

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f
4⤵
PID:2336

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1192

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
4⤵
PID:3820

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2468

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
4⤵
PID:452

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
4⤵
PID:4588

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
4⤵
PID:3004

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4184

C:\Windows\system32\chcp.com
chcp 437
4⤵
PID:2688

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Remove-Item -Path \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\" -Recurse -ErrorAction SilentlyContinue"
4⤵
- Sets file execution options in registry
PID:4924

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1344

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3308

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:5032

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
4⤵
PID:1416

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
4⤵
PID:636

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
4⤵
PID:1304

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
4⤵
PID:1564

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "BackgroundPriority" /t REG_DWORD /d "0" /f
4⤵
PID:1216

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
4⤵
PID:412

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
4⤵
PID:2252

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
4⤵
PID:1244

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
4⤵
PID:4232

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
4⤵
PID:1928

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
4⤵
PID:1944

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2436

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
4⤵
PID:1100

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
4⤵
PID:4324

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "BackgroundPriority" /t REG_DWORD /d "0" /f
4⤵
PID:4692

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
4⤵
PID:4848

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "18" /f
4⤵
PID:4088

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
4⤵
PID:4552

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
4⤵
PID:3432

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
4⤵
PID:5028

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
4⤵
PID:5024

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1860

C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
4⤵
- Modifies boot configuration data using bcdedit
PID:3952

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4248

C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock
4⤵
- Modifies boot configuration data using bcdedit
PID:416

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1768

C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
4⤵
- Modifies boot configuration data using bcdedit
PID:1728

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2408

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:332

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3780

C:\Windows\system32\powercfg.exe
powercfg /h off
4⤵
PID:216

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:3488

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "SleepReliabilityDetailedDiagnostics" /t REG_DWORD /d "0" /f
4⤵
PID:2156

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4828

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f
4⤵
PID:564

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2780

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
4⤵
PID:2896

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
4⤵
PID:2160

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
4⤵
PID:4348

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f
4⤵
PID:2816

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "10" /f
4⤵
PID:1912

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f
4⤵
PID:1260

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f
4⤵
PID:4356

C:\Windows\system32\powercfg.exe
powercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
4⤵
PID:2192

C:\Windows\system32\powercfg.exe
powercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
4⤵
PID:768

C:\Windows\system32\powercfg.exe
powercfg /setactive SCHEME_CURRENT
4⤵
PID:2336

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} numproc 2
4⤵
- Modifies boot configuration data using bcdedit
PID:5112

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 0
4⤵
PID:2188

C:\Windows\system32\powercfg.exe
powercfg /setactive SCHEME_CURRENT
4⤵
PID:2784

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 0
4⤵
PID:2992

C:\Windows\system32\powercfg.exe
powercfg /setactive SCHEME_CURRENT
4⤵
PID:3004

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 0
4⤵
PID:3396

C:\Windows\system32\powercfg.exe
powercfg /setactive SCHEME_CURRENT
4⤵
PID:2688

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
4⤵
PID:1764

C:\Windows\system32\powercfg.exe
powercfg /setactive SCHEME_CURRENT
4⤵
PID:696

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1884

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex scheme_current sub_processor IDLESCALING 1
4⤵
PID:4560

C:\Windows\system32\powercfg.exe
powercfg /setactive SCHEME_CURRENT
4⤵
PID:1408

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex scheme_current sub_processor CPMINCORES 100
4⤵
PID:3696

C:\Windows\system32\powercfg.exe
powercfg /setactive SCHEME_CURRENT
4⤵
PID:2144

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:884

C:\Windows\system32\powercfg.exe
powercfg -setacvalueindex scheme_current sub_processor THROTTLING 0
4⤵
PID:3500

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
4⤵
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *3DBuilder* | Remove-AppxPackage"
4⤵
PID:772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"
4⤵
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"
4⤵
PID:4196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"
4⤵
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *BingWeather* | Remove-AppxPackage"
4⤵
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"
4⤵
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"
4⤵
PID:2084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *Facebook* | Remove-AppxPackage"
4⤵
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *Getstarted* | Remove-AppxPackage"
4⤵
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *Microsoft.Messaging* | Remove-AppxPackage"
4⤵
PID:3628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *MicrosoftOfficeHub* | Remove-AppxPackage"
4⤵
PID:1140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *Office.OneNote* | Remove-AppxPackage"
4⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *OneNote* | Remove-AppxPackage"
4⤵
PID:1280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *SkypeApp* | Remove-AppxPackage"
4⤵
PID:2644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *solit* | Remove-AppxPackage"
4⤵
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"
4⤵
PID:4084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *Twitter* | Remove-AppxPackage"
4⤵
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"
4⤵
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"
4⤵
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *WindowsMaps* | Remove-AppxPackage"
4⤵
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *WindowsFeedbackHub* | Remove-AppxPackage"
4⤵
PID:1928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *WindowsSoundRecorder* | Remove-AppxPackage"
4⤵
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *windowscommunicationsapps* | Remove-AppxPackage"
4⤵
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "Get-AppxPackage -allusers *zune* | Remove-AppxPackage"
4⤵
PID:2704

C:\Windows\system32\sc.exe
sc stop DiagTrack
4⤵
- Launches sc.exe
PID:948

C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
4⤵
- Launches sc.exe
PID:4328

C:\Windows\system32\sc.exe
sc stop dmwappushservice
4⤵
- Launches sc.exe
PID:5048

C:\Windows\system32\sc.exe
sc config dmwappushservice start= disabled
4⤵
- Launches sc.exe
PID:3044

C:\Windows\system32\sc.exe
sc stop diagnosticshub.standardcollector.service
4⤵
- Launches sc.exe
PID:2252

C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start= disabled
4⤵
- Launches sc.exe
PID:4216

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
4⤵
PID:5028

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
4⤵
PID:4920

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
4⤵
PID:860

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
4⤵
PID:4020

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
4⤵
PID:4912

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
4⤵
PID:4092

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
4⤵
PID:4476

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
4⤵
PID:3296

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
4⤵
PID:4888

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
4⤵
PID:4692

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
4⤵
PID:3936

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
4⤵
PID:2680

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
4⤵
PID:4280

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
4⤵
PID:724

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
4⤵
PID:440

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
4⤵
PID:556

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
4⤵
PID:2612

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
4⤵
PID:4768

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
4⤵
PID:1484

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
4⤵
PID:4948

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
4⤵
PID:2348

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
4⤵
PID:1844

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
4⤵
PID:3708

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2764

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
4⤵
PID:2480

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:3848

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f
4⤵
PID:3148

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
4⤵
PID:4280

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
4⤵
PID:1560

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
4⤵
PID:1120

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
4⤵
PID:1680

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
4⤵
PID:4604

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1612

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
4⤵
PID:4012

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
4⤵
PID:1512

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
4⤵
PID:3808

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
4⤵
PID:1296

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
4⤵
PID:3944

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:4260

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
4⤵
PID:4988

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
4⤵
PID:3084

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1908

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
4⤵
PID:856

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
4⤵
PID:4028

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:1676

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
4⤵
PID:1484

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
4⤵
PID:1656

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
4⤵
PID:3400

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
4⤵
PID:2584

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
4⤵
PID:2116

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
4⤵
PID:4628

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
4⤵
PID:4436

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
4⤵
PID:3148

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
4⤵
PID:4972

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
4⤵
PID:4448

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
4⤵
PID:1680

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
4⤵
PID:2120

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
4⤵
PID:4032

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
4⤵
PID:3844

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
4⤵
PID:4892

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
4⤵
PID:1296

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
4⤵
PID:4180

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
4⤵
PID:5012

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
4⤵
PID:440

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
4⤵
PID:3712

C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
4⤵
PID:4660

C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
4⤵
PID:4012

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
4⤵
PID:2884

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
4⤵
PID:3944

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
4⤵
PID:2544

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
4⤵
PID:1120

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
4⤵
PID:1560

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
4⤵
PID:4908

C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f
4⤵
PID:1844

C:\Windows\system32\chcp.com
chcp 437
4⤵
PID:3808

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:2656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "Get-appxpackage -allusers *Microsoft.549981C3F5F10* | Remove-AppxPackage"
4⤵
PID:3640

C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
4⤵
- Delays execution with timeout.exe
PID:740

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:560

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
4⤵
PID:3972

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
4⤵
PID:856

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
4⤵
PID:4280

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
4⤵
PID:4632

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
4⤵
PID:3808

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
4⤵
PID:964

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
4⤵
PID:312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
4⤵
PID:4976

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
4⤵
PID:312

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
4⤵
PID:2884

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
4⤵
PID:4540

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
4⤵
PID:856

C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
4⤵
PID:3808

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
4⤵
PID:4508

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
4⤵
PID:3972

C:\Windows\system32\reg.exe
reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
4⤵
- Modifies data under HKEY_USERS
PID:312

C:\Windows\system32\reg.exe
reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
4⤵
- Modifies visibility of file extensions in Explorer
PID:3288

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
4⤵
PID:4376

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
4⤵
PID:2884

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
4⤵
PID:3808

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
4⤵
PID:4508

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
4⤵
PID:3972

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
4⤵
PID:312

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
4⤵
PID:3288

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
4⤵
PID:4376

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
4⤵
PID:964

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
4⤵
PID:3708

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
4⤵
PID:1744

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
4⤵
PID:1120

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
4⤵
PID:856

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
4⤵
PID:4632

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
4⤵
PID:3808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
4⤵
- Registers COM server for autorun
- Modifies registry class
PID:3792

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
4⤵
PID:5232

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
4⤵
PID:5248

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
4⤵
PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object -ExpandProperty Caption"
4⤵
PID:5280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object -ExpandProperty Caption"
5⤵
PID:5296

C:\Windows\system32\sc.exe
sc config HomeGroupListener start=demand
4⤵
- Launches sc.exe
PID:5532

C:\Windows\system32\sc.exe
sc config HomeGroupProvider start=demand
4⤵
- Launches sc.exe
PID:5544

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
4⤵
PID:5564

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
4⤵
PID:5580

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
4⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell "(Get-NetAdapter | Where-Object {$_.Status -eq 'Up'}).Name"
4⤵
PID:5616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "(Get-NetAdapter | Where-Object {$_.Status -eq 'Up'}).Name"
5⤵
PID:5636

C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4128

\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404

\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548

\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3668 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4373abae4880a277a3859f5734143a19

SHA1
a71759a565541fba5e1ee8d3fceee7645ed75054

SHA256
f151ef7e7996f479ba2ab9334d50ff36ae85917c4451614a254b121d328eb607

SHA512
0af72c0f2ff8716e99a84e67ef4bb921e389459b90f76ca17340384aabcdf41a10c2191801c8d343b649cb547ea8182ca367b7aa6176d7304394be4b9bfe8718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
8b7b708e179125970ef4d9b24fb19162

SHA1
1a4bc1a2b27d54a85ac404c33c686c5b76c64fe7

SHA256
4a9183d02f6aa65030ae2a9183feba6d2cd447bdcf5878eb841d70cbc225328a

SHA512
974e26789d6bdcc4f5f25f390687991127739da6083f6f4ed1fd2c53ba250d7b155dcdf800fe33a87cf1c30cac4e173a0a23ba872fc4c9da0a25e6b47f186e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
01df17c8baf2b7523097ee44d4f908b7

SHA1
25755a242c0d0e692fb660236ce5674ce3405c83

SHA256
9d9e3d97ebb0787240c4ba4ea01e9a9eddfa139a2992bdf22e09ed701ff306b0

SHA512
a68604a19da155ea4eae8d0c67708df95f7996e96432bb8a926e9667e923bd8c31b3cee7d554d70c0040bc9e2fab37cdb1e7045f96aa2d289f5b7b99c01afd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9b5426cd12bcfc89cf7fcaa47ef98321

SHA1
7c27c3e7ce6751ca646fb383784f4c7c895d0ba2

SHA256
6f671d5798faef5e1dad8c1e9dff036d6e5031b1d81e534baaa5e17200beb950

SHA512
20a716a572ad82dfa53dcf5db89c6cd753b4147fa47514f512b7c8873e9695e1053d2d84f4fbe0178c4739200e67e146b67fa57cda6679e8c0171c106652194b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ec512eead036985b59f80a78b86cd3e4

SHA1
0c85ff79fa8dfba9993d9d9fd98f29b7152797a1

SHA256
c9c54dded301a47f1482a5249024f00b294aa04c650afe4ad25069edb5456b7b

SHA512
3dc1e9e6c6bd700331ba4de0bfb681ba06b65bde146a085ae5a2c558b1598cabb9a7fc99f995266204649235ec643c198d3c881ee2db5f0903f0e492c1b8ce53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d28301305baaad90ed8f79e4dff5079f

SHA1
b93a9dd015a1f14e6ff86ec29169ff4f8fefa934

SHA256
54781baa6f3c17b7156b2d031df7fe5ccda065b0d36a5daa8759d9f06b8b0631

SHA512
b764d959e7a088676a44010f24049518708f15a07d1a7c9e70450d4515c2e8581c7d86307e606bc54a889ca5f133411b9369abed394fcf745121510df86356c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c11aa6722f34b9b64dd79ea4c08b2fd1

SHA1
8f40d2b7fa0c2d8178765548213904fc8c9e9938

SHA256
1290ebf3d863971e7a3bba48c5805e8c9a08927429f4413424073193eb638557

SHA512
6d2fdaa171e5027c620417d8e3699a9a7b3cfd768db99f519eab8190970c8d7ade3d066a460f55eb39ee851767dc210c7a2768431041989d66deb333efd1ef15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
98e93c15f4e519f1b84d72fec5fd5c82

SHA1
1acac194143c23e90106b595c38d5a163731c993

SHA256
00719cf0e0543429a65856e293f1fd8c78ca1dc3a8565e831dbbf9218256fa95

SHA512
03eeaacc9d2f8fa4c8137e017bfa39bf3044c5ebd0d52d7a556c406d44aeda2b1ed8c21a8e9379c723ca4f5f559871bd121661cbdea48e02d39396b35fc43a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7953aec4ce24c31a725aa46b1e67ab68

SHA1
70b0adce8fbc59739871a09f6c068faa32801733

SHA256
615af370565e247a9b861f5c944d7283fe9f9588a2c11d8e59f6835a03d53b01

SHA512
fe99612279ba6ae76d6e514b591c1894addcb423309ff16dc8919b0d1fe0788fd9e77d8c2aca71aedf4c2a3057a8e3f80aa01761b71e896802507cc56ebbb455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f56c4bc21a26cd3d3f56d6cbd3c4444b

SHA1
2a7d6df85fd4426a78a088c19317c38a729812fa

SHA256
46205bef24fff7b68251468b41281e61c1b482960d285b43b98362b7ed39323f

SHA512
2a23240b448e2f6c2280a6860250a2df30e280b30dacf0c7779d175b9446443127162f5c67fa810e17e40e97b46e6d1764ae236946d47e4283f7f73c626c5bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f7a2b88051c0dd038523788e657a770d

SHA1
9752b856c3eee5229318695647327aba4e80bc53

SHA256
584eae676ab6c41fb6e5d1117b2032d9777c02acb1bf7d19a827f2269099f8c9

SHA512
c10d8edbced57c081f74373d080302ac0b621afb96f90b357ec4745591db996387d0bc789fe91502c274edc47e11563128625ca678b1fb001af2ca0ce1d47d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f2368a338cfb05e0883aef3e05bff943

SHA1
d8e4470baa5f4e07e63eff38e78d35771bf5a860

SHA256
c03266f8aefbb5c65526c9f7df50bc30e615d645080f42c3424b712d3a54fa77

SHA512
3d175829f9c0c5a586ec17d391cebbbffd0b5d30483a92dbc21a32c150b3040f29018a46328ba06f03f57933ee1672ceb4ac08b68d16b09e745c447444eac39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
39e2d0324e6518fa3b54fda1c5c61186

SHA1
e3679512e0d2e0746427dd08efec4bffa2e905be

SHA256
66c1dc722b6cb236315a0f2d62fdac893502a1e234aa94d210cf148086aba8f0

SHA512
522783cd582facc60fbe1921d70250afa05da1f87f0555ee9360e188a6d7bf3610c4d17256b3c3f5d761d073ff807d1ead132a5fc08de8b0bdde26e45b20175b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9be6e107bb7e38933bbcd321f29d71ec

SHA1
6142fdc136e96850de91e6649fb57cff58b5a876

SHA256
ae991b3b0348067552e625f4b88b7e967840ed86b1ee78f22658ae386e85ebde

SHA512
eb5bf7e0b0da67e9786676a0f76ea7b167828da399315a007e09b60464c36608471e654ecfa0583ce40ec7f4cfe2f7f34ea3df9f9a21ace61e713a69153f319d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0b26578bdee96edf06a91d62d5158567

SHA1
4a4ec3cbb1eb7578214171ba52338a85b854e420

SHA256
cf6ccb9933472f64e48460af7761e5e81d0f077ae5976f01240c0e1c78195c71

SHA512
8b1cd197ac67dca943f93ab4403901deb1d864d06f3c6fb336ffe2f11cf362956089b96c1b4fae28399aeb780bb7ba0579930649395b7366aae6faa025496246

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a21bf9155ff463e7616f915fdf419799

SHA1
2004578b086ffece7655a55c5a1b9c5cf1490a46

SHA256
41cb3cf5fa2c73a01b6622a7810a7f3ea50fb0915e154da08f09f98e9ab2514a

SHA512
72b43fa9aaebf565b1f4accbf5bf6a2f1f2d864f829d8a9fc2a6cf9f92c6823eb79d86a76d972e0d8ecdcd1704947403e4aa169ab1f45e206ff5f6c06e7b14bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
eac7930b391c56c495ec9446943c36d0

SHA1
b567ad6b51a72e170af44e23cd2e650b90ba6002

SHA256
93a501ee204b745ee9cca4161bf0b50bdcedd0cb2a713b14b912e8116455885f

SHA512
5c05458743aca345e8665f61689a01ebdd4da9fc7dfabd4a4fe20cb3300a164e9b95d91cc50f101c033660e725e8fc12d4d0831a663e3c25ad79a31c575f63a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3e76bb7c5dd362d06e54e19d768848e3

SHA1
127929379f8e3f402270c42a380b77d9183fb819

SHA256
ad90804fc42e6af4b8821c3d037b8f6ef104210ba119cfe4c22e291de951d3d4

SHA512
8051102727f877cd2b27b6f76786e567c37cae963d3958e4e0fe43e197f00b60686c0e3c2daae7bd2349a45ed57cc5e670a63eef237d12594955a600d8d3ad61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
40c12015b5858d8808d8546ea7ce2525

SHA1
502cf5a1a3fd5fdfd9d133964687b3e4de6bb575

SHA256
a52e40e8cd00de1f63afa3b5658da4978067581dabcac490601c6b3785de9811

SHA512
e7da52604472802eeaaa6caf5fd9a4f2e3cb57556458a724da4a070da29a55a645c9ce06814af49f40e0225f3f9557d9065f80f7e09772893d3fa5c73a1b25f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7b0385e0022f50b18e76ee187c35bc12

SHA1
190f7f5ffd8c56fb9e3541736d327fa16343b4b7

SHA256
c778fdc88de7cd8aa24422e3816eb081afce4bc1e3ae4e89db2eadc2d4ae9a47

SHA512
a350c0ea231c0dd80fdbf6dd44eef4efc3fd12c429f7e4b86f04ed5091c216ad52c2fbf2703997f39a7fbd300a297a04cc6576144de0b1c5692822ed92327c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5ea2b7e4d9f67341b3344f11d11aaac3

SHA1
0096e9e65ed7f95d0e4cde2b3725e1e2e8fb6b5e

SHA256
355e30bc08eead67ad5404e1d568c7fa7e2875395fe8f0e84f254ffcef407f06

SHA512
587cd0e068b674371606f41d4e9f7bbf12290d0a947bc2a7bf1f513754ec4aa8211b8aad163b0d0daf1903ae42b8f804a0b7d70818a8cf091c982fbd64af5f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
85925f34d122663970e88b8cde281eed

SHA1
52469e5dd674df44322aeb628cc99b3786bb3c63

SHA256
aef4a52003102c2849ebff47b5432346a2bd5ec342247239721ccdedc7082336

SHA512
098e9d571b62d246942050fecfb14e447028f2ac6b8a6cea5083d1872e791774e9775a722b021c07801f77e56ad4d00ff923daf651504214772f741f1bd0d70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ca2e072cbefa8ee3d99704e0a0875ea

SHA1
3fa66f34bffda18f6ad2c0c608f72d475bc3a98e

SHA256
c95ae9912dae663e5196769dffc8a2e371625c50e387fc634ef628e35dab553a

SHA512
e2fa4108b8e825c8775852bd600935e214df3deac4641ccaa15a5b70de5fef500b455d618fadf21b6c22053746d486e5a254586c39ba75cb6e4940711a9033cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9ec4ea4fabbc2c856598863ad4027bbc

SHA1
5b69f434761d05076f3fe8c74fd33fb9bdc01bd0

SHA256
c364d4ff90aece057e354802fc7c348c17b54d42be6bc6f6b00ea3e2a585beb3

SHA512
5a4e22224cace06bdc762fb43a0f3545b133d25829f0d31da329bb2d10e4e3fe2839e50fb5def6d9e00e1bd38c1bdadd9c02d49bbcbedd8886977f70d15ef085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f567075279f4bbefeb281565caf71383

SHA1
843e4a94d87cb9505c489eed99b43bef295f6178

SHA256
6301906acbc373d6d3955643137e8db4994ad570a8d7e34d244a9a55dddc17c8

SHA512
4f8ca568a39cb6f885abab9ce46720ee4afb0de3510e37921d36d3d9e520695cda44de6259b3ecf70db46630443e8d9b8822addac5f335057a7b9c37cba1a394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
750144736c2246cfa213be312d71b3fb

SHA1
086d25990bbaeecdcfaa2430718f18874938470e

SHA256
fd7bf0f110ef8ba704ecc0d4952aa2d294c007469434447e66cadce764447ffd

SHA512
4fa83855b94b9577f3842faf3a0fa7576b1f075a9fec88082eb33ce11bbc738bb6d5c7553eb98f747a9065de1dfdc8f3680e011221523874642bc8aa10c215b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
68ff8379ca9fb2227dc7ee11224fb559

SHA1
c9a802088c1cd59548a0e30cf7f31b7eabe995fe

SHA256
4a95537f0a11d6fd9195029fbf2ba604abf67bb939cc1670a64840cf3334cdec

SHA512
8b091350f511e69d9f7fb3c920c1c53ddea5a79bdab068b0fca1aaf011ba4b8fd05816000ca315db8b4de620b3cdf010b370d02608b1cd8d6c5c68d1f3473b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
7b9837b999324a4b2cc25471cf47b464

SHA1
eed30c3888b9018a059974e26217081d0bbc32c3

SHA256
79bd0d822ba51992a371091c3b0c3bc6b4f43a99cf1993ad2a13093ab29d2b30

SHA512
4fd2e5c490c80ab690184d99a4869df5c1a21e8a487fb1f2df0197a165fddae6e6d750f34547f2ab0ef4d95e020cf709886b8589b61bc4b4f41375eb4b0d11a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ad081b7830221ecc8e1c0e4500a0d7d

SHA1
255fa66a9cbca38f52939c0e7fc6ac73630224c5

SHA256
240019dd73fd6eeabc8ec488afa8ad119615e27112c1db273426512e847441a7

SHA512
1a5e5c25894c97e6af8468d7785148229e00d60a2be94b2b4a3a1d92ff47f52173cc968a12d586beb76df4e2ae5cf699297dd8aa7fb9ab94851b2afc8a1347c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4d1963ce6293825583f8a1a18ef0e5e2

SHA1
292895bda2608fbb4327678fbd1b9362cbaae0e9

SHA256
52c4120e5fe877f8f629c345ff5fe0313f307b1d69f3cff8e26ceb87996aaa38

SHA512
a9f7b0a04eb37214cb7bd5d0d8a369744f0f4194df17f4cc71449251a82635768d00549ed0e26f915875b9f0214c2a38b4f9a277d3b81f85eeab9f3c6c830557

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Free Candy Optimizer.bat
Filesize
98KB

MD5
e86e31bbeb9493c361cfdc29d838f644

SHA1
792d995da93083729d863e5fd48e873ac4052c3f

SHA256
2bbf80db47959a275b23572b7cc7465ac29c6727fefbf6b9935d638589fc17ec

SHA512
21ccce57366c2bf293423edcef79da82932847dae526b3c23536047465aed7b624c053c2a87dc322956e36a98291a128cd33e8149a92515bd80b8db087c66d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sc2uzrqf.sar.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\free_candy_optimizer.exe.00295d4b_0003b200.exe
Filesize
236KB

MD5
cd1fa5bcbc7b251dc0efdfd32d5fd6ee

SHA1
52908e931654115ddb0100ba7795295e31382844

SHA256
9cb855726b752e515fbab26ef7e898f9ed19207d5aa0ee50b9481dd91c6386b6

SHA512
ab93e24942581e5c5b8197c50bf7d0824dbe9f0a53a10e27908fe01a2e5c956f57c69d1cbc01136541195d8776984bf516ea4f1276bdae64ee1d514091f7064c

Download Submit
C:\Windows\Resources\Themes\explorer.exe
Filesize
2.6MB

MD5
1c487471e4a0d3c7f4a3d393cc5c1ba0

SHA1
929a7bbad2dec4cd36b5f3b00760f279b7f4e32b

SHA256
6c95dff29cbc71531d1e59c5a485a31325c83e13d3e49a798500bed98bdb943f

SHA512
0e02ddf1beb1790bce357e17228525a916bb03a9416e040ee9eef31b03dca0d7b3a5b1ce9e526cf2a9f1ee03a97a4dcb8877b1744a1ef9d011b9c97c5c2760e5

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe
Filesize
2.6MB

MD5
39e42e65a8dc5a6ac9bbcd3ac02e1b5c

SHA1
b4dd52aacb1ece94a244a92da138667a8cffa66e

SHA256
68520e531d03e0266db399a820c0cd3c6fdc53d7241b4807c57e226c308f8e80

SHA512
202ea2e15494744612e06abadd83130cbf5479eb6a48c9d9666382fcfe835f0bdae9a2441a069cc47d5ac3b5ad9552d54f27d0343e99cc42ec098bbcd588c181

Download Submit
C:\Windows\Resources\svchost.exe
Filesize
2.6MB

MD5
96bd7de9aed7f7dfca035a459113fae7

SHA1
a2ef54fe9fd8c328b11168fb73fe9e8dd92f37fd

SHA256
331bd0fb85168001d00459105f9671f661e08c8d4ada04ce3b1332d1bfb47a1e

SHA512
e4140ebb5d285d3179c2524ab0de2b1205291b2b665e2c0af981d4cf405d437bde1ff3a8af4cbfd6092dfedb87812d684a98f60e4e8b08968454cb3713c81daf

Download Submit
\??\c:\windows\resources\spoolsv.exe
Filesize
2.6MB

MD5
9c42ef291af41556be076fab8c3a8e67

SHA1
aa5e6ad54c271d0052f850e25f498abbba7c3e87

SHA256
1f4621c22201f3d3d15a32d766bf9c3326551682e9b7239897af5239da536bed

SHA512
6479fc1926029059547ccd010864c07f647a097b2d6f6a20dd0ff79235b29dbad168680092e2078cc11df30fe24f9187e6e1b2e37cd46bf4714ce961cb743497

Download Submit
memory/404-53-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/404-34-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/548-108-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/548-56-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/548-43-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/548-120-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/772-234-0x0000021640330000-0x0000021640356000-memory.dmp

Filesize
152KB

Download
memory/772-219-0x000002163FE90000-0x000002163FEA0000-memory.dmp

Filesize
64KB

Download
memory/772-218-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/772-236-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/772-233-0x000002163FDD0000-0x000002163FDDA000-memory.dmp

Filesize
40KB

Download
memory/772-232-0x000002163FE70000-0x000002163FE86000-memory.dmp

Filesize
88KB

Download
memory/772-231-0x000002163FE90000-0x000002163FEA0000-memory.dmp

Filesize
64KB

Download
memory/772-225-0x000002163FE90000-0x000002163FEA0000-memory.dmp

Filesize
64KB

Download
memory/1140-387-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/1236-67-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1236-55-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1236-25-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1236-119-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/1236-109-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2084-329-0x000001DCF7750000-0x000001DCF7760000-memory.dmp

Filesize
64KB

Download
memory/2084-331-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2084-316-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2084-323-0x000001DCF7750000-0x000001DCF7760000-memory.dmp

Filesize
64KB

Download
memory/2084-317-0x000001DCF7750000-0x000001DCF7760000-memory.dmp

Filesize
64KB

Download
memory/2100-89-0x00000225C00A0000-0x00000225C00B0000-memory.dmp

Filesize
64KB

Download
memory/2100-87-0x00000225C02E0000-0x00000225C0302000-memory.dmp

Filesize
136KB

Download
memory/2100-90-0x00000225C00A0000-0x00000225C00B0000-memory.dmp

Filesize
64KB

Download
memory/2100-88-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2100-95-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2100-92-0x00000225C00A0000-0x00000225C00B0000-memory.dmp

Filesize
64KB

Download
memory/2100-91-0x00000225C00A0000-0x00000225C00B0000-memory.dmp

Filesize
64KB

Download
memory/2108-52-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/2216-250-0x000001AF5DEB0000-0x000001AF5DEC0000-memory.dmp

Filesize
64KB

Download
memory/2216-249-0x000001AF5DEB0000-0x000001AF5DEC0000-memory.dmp

Filesize
64KB

Download
memory/2216-248-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2216-252-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2328-358-0x000001E16C440000-0x000001E16C450000-memory.dmp

Filesize
64KB

Download
memory/2328-361-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2328-348-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2832-289-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2832-294-0x00000205AFE20000-0x00000205AFE30000-memory.dmp

Filesize
64KB

Download
memory/2832-296-0x00000205AFE20000-0x00000205AFE30000-memory.dmp

Filesize
64KB

Download
memory/2832-298-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2932-342-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/2932-343-0x000001D3762C0000-0x000001D3762D0000-memory.dmp

Filesize
64KB

Download
memory/2932-344-0x000001D3762C0000-0x000001D3762D0000-memory.dmp

Filesize
64KB

Download
memory/2932-347-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/3588-0-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3588-1-0x0000000077A14000-0x0000000077A16000-memory.dmp

Filesize
8KB

Download
memory/3588-21-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/3628-373-0x0000017D6A410000-0x0000017D6A420000-memory.dmp

Filesize
64KB

Download
memory/3628-374-0x0000017D6A410000-0x0000017D6A420000-memory.dmp

Filesize
64KB

Download
memory/3628-376-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/3628-372-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4128-54-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4128-14-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4128-48-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4196-266-0x000001BBDF660000-0x000001BBDF670000-memory.dmp

Filesize
64KB

Download
memory/4196-263-0x000001BBDF660000-0x000001BBDF670000-memory.dmp

Filesize
64KB

Download
memory/4196-264-0x000001BBDF660000-0x000001BBDF670000-memory.dmp

Filesize
64KB

Download
memory/4196-262-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4196-268-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4232-311-0x00000254F7240000-0x00000254F7250000-memory.dmp

Filesize
64KB

Download
memory/4232-308-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4232-313-0x00000254F7240000-0x00000254F7250000-memory.dmp

Filesize
64KB

Download
memory/4232-312-0x00000254F7240000-0x00000254F7250000-memory.dmp

Filesize
64KB

Download
memory/4232-315-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4820-269-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4820-270-0x000001EA87700000-0x000001EA87710000-memory.dmp

Filesize
64KB

Download
memory/4820-271-0x000001EA87700000-0x000001EA87710000-memory.dmp

Filesize
64KB

Download
memory/4820-283-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4924-201-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download
memory/4924-202-0x0000023CFFF60000-0x0000023CFFF70000-memory.dmp

Filesize
64KB

Download
memory/4924-214-0x00007FFA04F90000-0x00007FFA05A51000-memory.dmp

Filesize
10.8MB

Download