Malware Analysis Report

2024-09-11 03:38

Sample ID 240615-ar6d2swdrr
Target ac38bacc61efe264decc42d65542c5ee_JaffaCakes118
SHA256 7467b440647ba267e1dc0bff58cd208511009a370fb7fdd09ecb2ae36e8fccc9
Tags: evasion execution discovery exploit persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral5, behavioral14, behavioral16, behavioral1, behavioral2, behavioral9, behavioral12, behavioral8, behavioral10, behavioral15, behavioral3, behavioral6, behavioral7, behavioral11, behavioral13 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256

7467b440647ba267e1dc0bff58cd208511009a370fb7fdd09ecb2ae36e8fccc9

Threat Level: Known bad

The file ac38bacc61efe264decc42d65542c5ee_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

evasion execution discovery exploit persistence

Modifies visibility of file extensions in Explorer

Turns off Windows Defender SpyNet reporting

Modifies visibility of hidden/system files in Explorer

Disables service(s)

Modifies Windows Firewall

Drops file in Drivers directory

Sets file execution options in registry

Possible privilege escalation attempt

Registers COM server for autorun

Modifies file permissions

Modifies system executable filetype association

Checks computer location settings

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Runs ping.exe

Delays execution with timeout.exe

Kills process with taskkill

Runs net.exe

Gathers network information

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

156s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\10_BLOCK.htm

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\10_BLOCK.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3516,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4012,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5284,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5428,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5440,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5864,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5672,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_OBSOL.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_OBSOL.vbs"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTDNS.cmd"

Signatures

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\ipconfig.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 3180 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 1964 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 1964 wrote to memory of 1400 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 1964 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1964 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1964 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 1964 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 3152 wrote to memory of 668 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3152 wrote to memory of 668 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1964 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 1964 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STARTDNS.cmd"

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE START DNSCache

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 START DNSCache

C:\Windows\SYSTEM32\ipconfig.exe

C:\Windows\SYSTEM32\IPCONFIG.EXE /flushdns

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

158s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.cmd"

Signatures

Disables service(s)

evasion execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\ipconfig.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 636 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 636 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 636 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 636 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 636 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 4352 wrote to memory of 2336 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4352 wrote to memory of 2336 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 636 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 636 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 636 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 636 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 636 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 1688 wrote to memory of 1048 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 1688 wrote to memory of 1048 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 636 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 636 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.cmd"

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE START DNSCache

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 START DNSCache

C:\Windows\SYSTEM32\ipconfig.exe

C:\Windows\SYSTEM32\IPCONFIG.EXE /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP DNSCache

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP DNSCache

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= disabled

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3708 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20240220-en

Max time kernel

118s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.cmd"

Signatures

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 2856 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 2856 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 2856 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 2252 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 2252 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2900 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2900 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2900 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.cmd"

C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE

ELEVATE.EXE E10BLOK.CMD

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD"

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GetAdm!.vbs"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\GetAdm!.vbs

MD5 2f64dec465c75a15085737e9c1179da4
SHA1 5ac244cbbf2c77daf41b3bbe071ce806611b2593
SHA256 a7e388573d92b9eb56b83c8724ef9f94b6f581386a5761c28c6a7f7fafc46ca7
SHA512 a38edb43f0dd1a7e4b74915fc441dcae287fcea2a06360cce12cc27d8f658d94cb5bfbd173a0ed16d9961ef5aadf52c2ae3c833dc1927bc453042b0782532c6a
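The WriteProcessMemory tables in behavioral14, behavioral16 and behavioral1 list one row per write, and each parent/child pair repeats, so the process tree is easier to read once the duplicates are collapsed; the parent image in every row is the child image of an earlier row, so the rows trace the launch chain (cmd.exe launching ELEVATE.EXE, which spawns a SysWOW64 cmd.exe for E10BLOK.CMD, which runs reg.exe, cacls.exe and WScript.exe). The Python below is an added example and is not part of this report or of the sandbox's tooling. It parses rows in the report's own format into a tree and tags the command lines shown in the Processes sections with the behaviours the sandbox signatures flag: forcing an elevation prompt through AppCompatFlags\Layers RUNASADMIN, reconfiguring and stopping the DNSCache service, flushing the resolver cache, and reading the ACL of the SYSTEM hive with cacls. The sample rows and command lines are copied from the behavioral1 and behavioral16 sections; the rule names and regular expressions are this example's own.

```python
"""Added example (not from the report): collapse the sandbox's
"PID X wrote to memory of Y" rows into a process tree and tag the
command lines it observed."""
import re
from collections import defaultdict

# Row format used by the report's WriteProcessMemory tables:
#   PID <parent> wrote to memory of <child> N/A <parent image> <child image>
# Image paths may contain spaces (e.g. "C:\Program Files (x86)\..."), so the
# parent path is matched non-greedily up to the next drive-letter prefix.
WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A "
    r"(?P<pimage>[A-Za-z]:\\.*?) (?P<cimage>[A-Za-z]:\\.*)$"
)

# Constructed sample: a subset of the behavioral1 rows, including a repeat.
SAMPLE_WPM = r"""
PID 2856 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 2856 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 2252 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2900 wrote to memory of 2388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
"""


def parse_wpm(text):
    """Return (edges, images): edges maps parent PID -> unique child PIDs in
    first-seen order; images maps PID -> image path. Repeated rows collapse."""
    edges = defaultdict(list)
    images = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # header rows and anything not in the expected format
        ppid, pid = int(m["ppid"]), int(m["pid"])
        images.setdefault(ppid, m["pimage"])
        images.setdefault(pid, m["cimage"])
        if pid not in edges[ppid]:
            edges[ppid].append(pid)
    return edges, images


def roots(edges):
    """PIDs that appear as a parent but never as a child."""
    children = {c for kids in edges.values() for c in kids}
    return [p for p in edges if p not in children]


def walk(edges, pid, depth=0):
    """Depth-first (depth, pid) pairs starting at pid."""
    yield depth, pid
    for child in edges.get(pid, []):
        yield from walk(edges, child, depth + 1)


def render_tree(edges, images):
    """Indented text tree, one process per line."""
    out = []
    for root in roots(edges):
        for depth, pid in walk(edges, root):
            out.append(f"{'  ' * depth}{pid}  {images.get(pid, '?')}")
    return "\n".join(out)


# Tagging rules for the command lines seen in this report (labels are this
# example's own, not sandbox signature names).
CMDLINE_RULES = [
    # HKCU\...\AppCompatFlags\Layers = RUNASADMIN makes the shell prompt for
    # elevation every time that file is launched.
    ("forces_run_as_admin", re.compile(r"AppCompatFlags\\Layers.*\bRUNASADMIN\b", re.I)),
    ("service_disabled", re.compile(r"\bsc(\.exe)?\b.*\bconfig\b.*\bstart=\s*disabled\b", re.I)),
    ("service_stopped", re.compile(r"\bnet(1)?(\.exe)?\b\s+stop\b", re.I)),
    ("dns_cache_flushed", re.compile(r"\bipconfig(\.exe)?\b.*\s/flushdns\b", re.I)),
    # cacls with no /E /G /P /R arguments only displays the ACL; reading the
    # SYSTEM hive's ACL needs elevation, a common batch-file is-admin test.
    ("cacls_on_system_hive", re.compile(r"\bcacls(\.exe)?\b.*config\\system\b", re.I)),
]


def classify(cmdline):
    """Labels of every rule whose pattern matches the command line."""
    return [label for label, rx in CMDLINE_RULES if rx.search(cmdline)]


# Constructed sample: command lines copied from behavioral16 and behavioral1.
SAMPLE_CMDLINES = [
    r'C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f',
    r"C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= disabled",
    r"C:\Windows\SYSTEM32\NET.EXE STOP DNSCache",
    r"C:\Windows\SYSTEM32\IPCONFIG.EXE /flushdns",
    r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"',
    r'C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"',
]

if __name__ == "__main__":
    edges, images = parse_wpm(SAMPLE_WPM)
    print(render_tree(edges, images))
    for cmd in SAMPLE_CMDLINES:
        print(classify(cmd) or ["-"], cmd)
```

Paste the full WriteProcessMemory table of any behavioral section into parse_wpm to get that detonation's tree. The is-admin reading of the cacls line is an inference from the idiom and from the file being launched through ELEVATE.EXE; the report does not show the batch file's source.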

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.cmd"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3140 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 3140 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 3140 wrote to memory of 2336 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE
PID 2336 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE C:\Windows\SysWOW64\cmd.exe
PID 1092 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 3428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 2756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 5012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1092 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1092 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1092 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1092 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1092 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 1092 wrote to memory of 4200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.cmd"

C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE

ELEVATE.EXE E10BLOK.CMD

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD"

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GetAdm!.vbs"
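
Read top to bottom, the process list above is a single elevation routine: E10BLOK.CMD marks each of the toolkit's files RUNASADMIN under HKCU\...\AppCompatFlags\Layers (a per-user key, so no privilege is needed to write it; the shell consults it at launch and requests UAC elevation for the flagged path), writes the matching Compatibility Assistant\Persisted entries for the same six files, probes for an elevated token with cacls on config\system (a long-standing batch idiom: the command fails with "Access is denied" unless the caller is an administrator), and then runs GetAdm!.vbs under WScript. The same chain appears at the end of the run above. The Python below is an added example, not part of this report or of the sample: it tokenises command lines in the exact form the Processes list records them and flags those four steps. SAMPLE_CMDLINES is constructed by copying a subset of the rows above; the rule names and the cacls and WScript heuristics are this example's own, not the sandbox's.

```python
"""Added example, not part of this report or of the sample it describes.

Tokenises Windows command lines in the form the Processes list records
them and flags the four steps of the elevation routine seen above:
RUNASADMIN compatibility layers, Compatibility Assistant "Persisted"
entries, the cacls admin probe, and a script host run from %TEMP%.
SAMPLE_CMDLINES is constructed by copying a subset of the rows above.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed input: rows copied from the behavioral2 Processes list.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.cmd"',
    r'ELEVATE.EXE E10BLOK.CMD',
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD"',
    r'C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_SZ /d "RUNASADMIN" /f',
    r'C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_SZ /d "RUNASADMIN" /f',
    r'C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_DWORD /d 1 /f',
    r'"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\GetAdm!.vbs"',
]


@dataclass
class Finding:
    kind: str      # rule name (this example's own vocabulary)
    target: str    # file path or argument the rule fired on
    detail: str    # hive for registry writes, otherwise a short note


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are kept literally: they are path separators here, not escapes."""
    args: list[str] = []
    cur: list[str] = []
    in_quote = started = False
    for ch in cmdline:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch.isspace() and not in_quote:
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def parse_reg_add(argv: list[str]) -> dict[str, str] | None:
    """Return {key, v, t, d} for 'reg add <key> /v .. /t .. /d ..', else None."""
    if len(argv) < 3 or ntpath.basename(argv[0]).lower() not in ("reg.exe", "reg"):
        return None
    if argv[1].lower() != "add":
        return None
    opts = {"key": argv[2]}
    i = 3
    while i < len(argv):
        flag = argv[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(argv):
            opts[flag[1]] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts


def classify(cmdline: str) -> Finding | None:
    """Apply the four rules to one command line; None when nothing fires."""
    argv = tokenize(cmdline)
    if not argv:
        return None
    exe = ntpath.basename(argv[0]).lower()
    reg = parse_reg_add(argv)
    if reg is not None:
        key = reg["key"].lower()
        hive = reg["key"].split("\\", 1)[0].upper()
        if key.endswith("appcompatflags\\layers") and "runasadmin" in reg.get("d", "").lower():
            return Finding("compat_layer_runasadmin", reg.get("v", ""), hive)
        if key.endswith("compatibility assistant\\persisted"):
            return Finding("pca_persisted", reg.get("v", ""), hive)
        return None
    if exe == "cacls.exe" and any(a.lower().endswith("\\config\\system") for a in argv[1:]):
        # Batch idiom: cacls on the SYSTEM hive file fails unless the caller is an admin.
        return Finding("admin_probe_cacls", argv[1], "exit status reveals an elevated token")
    if exe in ("wscript.exe", "cscript.exe"):
        for a in argv[1:]:
            if "\\appdata\\local\\temp\\" in a.lower() and a.lower().endswith((".vbs", ".vbe", ".js", ".jse", ".wsf")):
                return Finding("script_host_from_temp", a, exe)
    return None


def scan(cmdlines: list[str]) -> list[Finding]:
    return [f for f in map(classify, cmdlines) if f is not None]


def elevation_targets(findings: list[Finding]) -> list[str]:
    """Paths that will trigger a UAC prompt on their next launch via the shell."""
    return sorted({f.target for f in findings if f.kind == "compat_layer_runasadmin"})


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.kind:26} {f.target}  [{f.detail}]")
```

Because the Layers key is under HKCU, every RUNASADMIN target is staged without any privilege; the elevated token is only obtained later, when one of those paths is launched and the user accepts the prompt. A hunt for this pattern on real hosts should therefore key on the HKCU write itself, not on the later elevated process.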

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\GetAdm!.vbs

MD5 2f64dec465c75a15085737e9c1179da4
SHA1 5ac244cbbf2c77daf41b3bbe071ce806611b2593
SHA256 a7e388573d92b9eb56b83c8724ef9f94b6f581386a5761c28c6a7f7fafc46ca7
SHA512 a38edb43f0dd1a7e4b74915fc441dcae287fcea2a06360cce12cc27d8f658d94cb5bfbd173a0ed16d9961ef5aadf52c2ae3c833dc1927bc453042b0782532c6a

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ELEVAT64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ELEVAT64.exe

"C:\Users\Admin\AppData\Local\Temp\ELEVAT64.exe"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240611-en

Max time kernel

125s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ELEVATE.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ELEVATE.exe

"C:\Users\Admin\AppData\Local\Temp\ELEVATE.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4084,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\E10BLOK.cmd"

Signatures

Disables service(s)

evasion execution

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\SYSTEM32\reg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SYSTEM32\reg.exe N/A

Turns off Windows Defender SpyNet reporting

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\hosts C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\lmhosts.sam C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\services C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\protocol C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\services C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\networks C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\protocol C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\hosts C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\lmhosts.sam C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\networks C:\Windows\SYSTEM32\attrib.exe N/A
File created C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS C:\Windows\system32\cmd.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe C:\Windows\SYSTEM32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe\Debugger = "systray.exe" C:\Windows\SYSTEM32\reg.exe N/A
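
The entry above is the one registry write in this run that changes how a program is resolved rather than what is displayed: with Debugger set under Image File Execution Options\gwx.exe, every CreateProcess of gwx.exe instead starts systray.exe with the original command line appended, so gwx.exe itself only runs if the substituted binary launches it (systray.exe, a legacy stub, does not). The key lives under HKLM, so this write needed an elevated token. The Python below is an added example, not part of this report or of the sample: it parses indicator lines in the exact form these signature tables use (operation, \REGISTRY\... path, optional = "value", process, target), rewrites the kernel path into HKLM/HKCU notation, and flags IFEO Debugger values together with the Explorer visibility and Internet Explorer policy writes seen in this run. SAMPLE_INDICATORS is constructed by copying rows from this page; the rule set and rule names are this example's own, not the sandbox's.

```python
"""Added example, not part of this report or of the sample it describes.

Parses registry indicator lines in the form these signature tables use
(operation, \\REGISTRY\\... path, optional = "value", process, target),
rewrites the kernel path into HKLM/HKCU notation and flags the writes that
change program resolution or display: IFEO Debugger values, Explorer
visibility switches and the Internet Explorer policy values seen above.
SAMPLE_INDICATORS is constructed by copying rows from this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows copied from the signature tables of this report.
SAMPLE_INDICATORS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe C:\Windows\SYSTEM32\reg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe\Debugger = "systray.exe" C:\Windows\SYSTEM32\reg.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\SYSTEM32\reg.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SYSTEM32\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnableAutoUpgrade = "0" C:\Windows\SYSTEM32\reg.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Geolocation\BlockAllWebsites = "1" C:\Windows\SYSTEM32\reg.exe N/A',
    r'Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A',
]

# One table row: <op> <\REGISTRY\...path> [= "<value>"] <process> <target>.
# The path is matched lazily so that spaces inside key names survive.
_LINE_RE = re.compile(
    r'^(?P<op>Key created|Key deleted|Key value queried|Set value \((?:str|int)\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)
# \REGISTRY\MACHINE\... -> HKLM\...   \REGISTRY\USER\<SID>[_Classes]\... -> HKCU\[Software\Classes\]...
_HIVE_RE = re.compile(
    r'^\\REGISTRY\\(?:MACHINE|(?P<user>USER\\S-1-5-21(?:-\d+)+)(?P<classes>_classes)?)\\',
    re.IGNORECASE,
)
_IFEO_RE = re.compile(r'\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$', re.IGNORECASE)
_EXPLORER_RE = re.compile(r'\\Explorer\\Advanced\\(?:HideFileExt|ShowSuperHidden|Hidden)$', re.IGNORECASE)
_IE_RE = re.compile(r'\\Internet Explorer\\(?:Main\\EnableAutoUpgrade|Geolocation\\BlockAllWebsites)$', re.IGNORECASE)


@dataclass
class Finding:
    rule: str             # rule name (this example's own vocabulary)
    key: str              # normalised HKLM/HKCU key path
    value: Optional[str]  # value written, when the row carries one
    process: str          # process that performed the write


def normalize(path: str) -> str:
    """Rewrite a kernel-style \\REGISTRY\\... path into HKLM/HKCU notation."""
    m = _HIVE_RE.match(path)
    if m is None:
        return path
    rest = path[m.end():]
    if m.group("user") is None:
        return "HKLM\\" + rest
    if m.group("classes"):
        return "HKCU\\Software\\Classes\\" + rest
    return "HKCU\\" + rest


def parse_indicator(line: str) -> Optional[dict]:
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"op": m["op"], "key": normalize(m["path"]), "value": m["value"],
            "process": m["proc"], "target": m["target"]}


def classify(rec: dict) -> Optional[Finding]:
    """Rate only value writes; key creations and deletions are left to other rules."""
    if not rec["op"].startswith("Set value"):
        return None
    for rule, pattern in (("ifeo_debugger", _IFEO_RE),
                          ("explorer_visibility", _EXPLORER_RE),
                          ("ie_policy", _IE_RE)):
        if pattern.search(rec["key"]):
            return Finding(rule, rec["key"], rec["value"], rec["process"])
    return None


def scan(lines: list[str]) -> list[Finding]:
    out: list[Finding] = []
    for line in lines:
        rec = parse_indicator(line)
        if rec is not None:
            f = classify(rec)
            if f is not None:
                out.append(f)
    return out


def hijacked_executables(findings: list[Finding]) -> list[str]:
    """Image names whose every launch now goes through the Debugger value."""
    return sorted(_IFEO_RE.search(f.key)["exe"].lower() for f in findings if f.rule == "ifeo_debugger")


if __name__ == "__main__":
    for f in scan(SAMPLE_INDICATORS):
        print(f"{f.rule:20} {f.key} = {f.value!r}  [{f.process}]")
```

Normalising the \REGISTRY\USER\<SID> prefix is what lets one rule cover both runs on this page, which were executed under different SIDs; a rule written against the raw path would have to carry the SID and would miss the same write on any other machine.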

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{6BB93B4E-44D8-40E2-BD97-42DBCF18A40F}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32 C:\Windows\SYSTEM32\reg.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnableAutoUpgrade = "0" C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\EnableAutoUpgrade = "0" C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Geolocation C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Geolocation\BlockAllWebsites = "1" C:\Windows\SYSTEM32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{466F31F7-9892-477E-B189-FA5C59DE3603}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{31508CC7-9BC7-494B-9D0F-7B1C7F144182} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{10C9242E-D604-49B5-99E4-BF87945EF86C}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{6BB93B4E-44D8-40E2-BD97-42DBCF18A40F}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\VERSIONINDEPENDENTPROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\FileSyncClient.AutoPlayHandler.1 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VERSIONINDEPENDENTPROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{F0440F4E-4884-4A8F-8A45-BA89C00F96F2}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\FLAGS C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\SYNCENGINECOMSERVER.SYNCENGINECOMSERVER.1\CLSID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\odopen\shell C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{C2FE84F5-E036-4A07-950C-9BFD3EAB983A} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{E9DE26A1-51B2-47B4-B1BF-C87059CC02A7}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\PROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\WOW6432NODE\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\VERSIONINDEPENDENTPROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 2388 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4428 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2900 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2900 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2900 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 4484 wrote to memory of 472 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4484 wrote to memory of 472 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2900 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 1168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2900 wrote to memory of 900 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 900 wrote to memory of 3252 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 900 wrote to memory of 3252 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2900 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 4652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2900 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 3628 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3628 wrote to memory of 4876 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2900 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 968 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2900 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2024 wrote to memory of 3060 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2024 wrote to memory of 3060 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2900 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 3196 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2900 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2900 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 3220 wrote to memory of 5032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3220 wrote to memory of 5032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
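
The table above is flat, but it encodes the sample's process tree: every row is a parent writing into a freshly created child, and each child PID appears twice. The script below is an added example, not output of the sandbox or code from the sample; it parses a subset of the rows above (copied verbatim as constructed input), collapses the duplicate rows, rebuilds parent/child relations, and finds the cmd.exe -> net.exe -> net1.exe chains that carry the service-stop commands. Function names and the text format are this example's own assumptions.

```python
"""Rebuild the process tree from the 'Suspicious use of WriteProcessMemory'
rows of a sandbox report.  Each created child shows up as two identical rows,
so rows are de-duplicated before the tree is built."""
import ntpath
import re
from collections import OrderedDict

# Constructed sample: a subset of rows copied from the table above.
SAMPLE_ROWS = r"""
PID 2900 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2900 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2900 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 4484 wrote to memory of 472 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 4484 wrote to memory of 472 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2900 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2900 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
"""

# Row layout as recorded: "PID <ppid> wrote to memory of <pid> <indicator> <parent> <child>"
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) \S+ (?P<parent>\S+) (?P<child>\S+)$"
)


def parse_rows(text):
    """Unique (ppid, pid, parent_image, child_image) edges, in report order."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges[(int(m["ppid"]), int(m["pid"]), m["parent"], m["child"])] = None
    return list(edges)


def build_tree(edges):
    """Return (image-by-pid, parent-by-pid, children-by-pid) maps."""
    image, parent_of, children = {}, {}, {}
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)
        image[pid] = cimg
        parent_of[pid] = ppid
        children.setdefault(ppid, []).append(pid)
    return image, parent_of, children


def ancestry(pid, image, parent_of):
    """Image basenames from the root down to pid, e.g. ['cmd.exe', 'net.exe', 'net1.exe']."""
    chain = []
    while pid is not None:
        chain.append(ntpath.basename(image[pid]).lower())  # ntpath: Windows paths on any host
        pid = parent_of.get(pid)
    return chain[::-1]


def roots(image, parent_of):
    """PIDs that never appear as a child: the top of each recorded tree."""
    return [pid for pid in image if pid not in parent_of]


def find_chain(image, parent_of, suffix):
    """PIDs whose ancestry ends with the given image sequence (case-insensitive)."""
    want = tuple(s.lower() for s in suffix)
    return [pid for pid in image
            if tuple(ancestry(pid, image, parent_of)[-len(want):]) == want]


def render_tree(root, image, children, depth=0):
    """Indented text lines for the subtree rooted at root."""
    lines = ["  " * depth + f"{root} {image[root]}"]
    for child in children.get(root, []):
        lines.extend(render_tree(child, image, children, depth + 1))
    return lines


if __name__ == "__main__":
    img, par, kids = build_tree(parse_rows(SAMPLE_ROWS))
    for r in roots(img, par):
        print("\n".join(render_tree(r, img, kids)))
    print("net.exe -> net1.exe leaves:", find_chain(img, par, ("net.exe", "net1.exe")))
```

Run against the full table, the tree shows one cmd.exe (PID 2900, the E10BLOK.cmd interpreter) fanning out to every reg.exe, sc.exe, net.exe and cacls.exe child, which is the pattern to pivot on when hunting for the batch file on other hosts: a single cmd.exe parent with dozens of short-lived reg.exe children and net.exe -> net1.exe pairs.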

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
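
The signatures above are generic (AdjustPrivilegeToken, WriteProcessMemory, attrib.exe); what separates this detonation from a benign admin script is the content of the command lines listed under Processes below. The following is an added example, not sandbox output and not code from the sample: a small rule set that classifies those command lines (copied verbatim as constructed input) into Defender tampering, service stop/disable, scheduled-task disabling, forced-elevation shim layers and plain privacy tweaks. Rule names, severities and the ATT&CK labels are this example's own assignments. It also checks that a reg.exe line actually carries a whitespace-delimited operation: the recorded `REG.EXE add"HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_Session1"` line glues `add` to the key, which Windows argument parsing delivers as one token, so reg.exe rejects it and that service Start value is not changed on the host.

```python
"""Classify reg/sc/net/schtasks command lines from a sandbox Processes list
into tamper categories, and flag reg.exe calls that would not have parsed."""
import re

# Constructed sample: command lines copied from the report's Processes list,
# including the recorded 'add"HKLM\...' line whose missing space matters below.
SAMPLE_LINES = r"""
C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d 0 /f
C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d 0 /f
C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
C:\Windows\SYSTEM32\NET.EXE STOP Wecsvc
C:\Windows\SYSTEM32\SC.EXE CONFIG Wecsvc START= disabled
C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE
C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_SZ /d "RUNASADMIN" /f
C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
C:\Windows\SYSTEM32\REG.EXE add"HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_Session1" /v "Start" /t REG_DWORD /d 4 /f
""".strip().splitlines()

# (rule name, severity, ATT&CK hint, regex over the raw command line).  Severities
# and mappings are this example's choices; patterns follow the quoting as recorded.
RULES = [
    ("defender-cloud-disabled", "high", "T1562.001 Impair Defenses",
     re.compile(r'reg\.exe\s+add\s+"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\SpyNet"\s+/v\s+"?'
                r'(?P<value>SpyNetReporting|SubmitSamplesConsent)"?.*?/d\s+0\b', re.I)),
    ("mrt-blocked", "high", "T1562.001 Impair Defenses",
     re.compile(r'reg\.exe\s+add\s+"HKLM\\SOFTWARE\\Policies\\Microsoft\\MRT"\s+/v\s+"?'
                r'(?P<value>DontOfferThroughWUAU)"?.*?/d\s+1\b', re.I)),
    ("service-stopped", "medium", "T1489 Service Stop",
     re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+(?P<svc>\S+)', re.I)),
    ("service-disabled", "medium", "T1562.001 Impair Defenses",
     re.compile(r'\bsc\.exe\s+config\s+(?P<svc>\S+)\s+start=\s*disabled\b', re.I)),
    ("scheduled-task-disabled", "medium", "T1562.001 Impair Defenses",
     re.compile(r'\bschtasks\.exe\s+/change\s+/TN\s+"(?P<task>[^"]+)"\s+/DISABLE\b', re.I)),
    ("runasadmin-shim-layer", "medium", "elevation prompt forced on a dropped file",
     re.compile(r'AppCompatFlags\\Layers"\s+/v\s+"(?P<file>[^"]+)".*?/d\s+"RUNASADMIN"', re.I)),
    ("telemetry-policy", "low", "privacy setting",
     re.compile(r'\\DataCollection"\s+/v\s+"AllowTelemetry"\s+/t\s+REG_DWORD\s+/d\s+0\b'
                r'|\\SQMClient\\Windows"\s+/v\s+"CEIPEnable".*?/d\s+0\b', re.I)),
]

REG_OP = re.compile(r'\breg\.exe\s+(?:add|delete|query|import|export|copy|save|restore|'
                    r'load|unload|compare|flags)\s', re.I)


def reg_invocation_ok(cmdline):
    """False for reg.exe lines whose operation is glued to the next token, e.g.
    'REG.EXE add"HKLM\\...': argv would carry 'addHKLM\\...' and reg.exe rejects it."""
    if not re.search(r'\breg\.exe\b', cmdline, re.I):
        return True
    return REG_OP.search(cmdline) is not None


def classify(cmdline):
    """List of rule hits for one command line (empty when nothing matches)."""
    if not reg_invocation_ok(cmdline):
        return [{"rule": "malformed-reg", "severity": "info",
                 "attack": "no change on host; reg.exe rejects the operation token",
                 "detail": cmdline}]
    hits = []
    for name, severity, attack, rx in RULES:
        m = rx.search(cmdline)
        if m:
            detail = next((v for v in m.groupdict().values() if v), "")
            hits.append({"rule": name, "severity": severity, "attack": attack, "detail": detail})
    return hits


def triage(lines):
    """Group hit details by rule and count hits per severity."""
    by_rule, counts = {}, {"high": 0, "medium": 0, "low": 0, "info": 0}
    for line in lines:
        for hit in classify(line):
            by_rule.setdefault(hit["rule"], []).append(hit["detail"])
            counts[hit["severity"]] += 1
    return by_rule, counts


if __name__ == "__main__":
    grouped, totals = triage(SAMPLE_LINES)
    for rule, details in grouped.items():
        print(f"{rule}: {details}")
    print(totals)
```

Two practical notes when running this over the complete list: `net.exe STOP x` and its `net1 STOP x` child both match, so count service stops per PID chain rather than per line; and the malformed-reg rule exists precisely so the analyst does not credit the sample with a host change that the recorded command could not have made.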

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\E10BLOK.cmd"

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_DWORD /d 1 /f

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP diagtrack

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP diagtrack

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config diagtrack START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP diagnosticshub.standardcollector.service

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP diagnosticshub.standardcollector.service

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config diagnosticshub.standardcollector.service START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP dmwappushservice

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP dmwappushservice

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config dmwappushservice START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP RetailDemo

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP RetailDemo

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config RetailDemo START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP Wecsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP Wecsvc

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG Wecsvc START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP RemoteRegistry

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP RemoteRegistry

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG RemoteRegistry START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP OneSyncSvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP OneSyncSvc

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG OneSyncSvc START= disabled

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE add"HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_Session1" /v "Start" /t REG_DWORD /d 4 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\cacls.exe

C:\Windows\SYSTEM32\CACLS.EXE C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl /d SYSTEM

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /v "AutoLogger-Diagtrack-Listener" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /v "SQMLogger" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\WcmSvc\WifiNetworkManager" /v "WifiSenseCredShared" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\WcmSvc\WifiNetworkManager" /v "WifiSenseOpen" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "AUOptions" /t REG_DWORD /d 2 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "IncludeRecommendedUpdates" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "EnableFeaturedSoftware" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\15.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\16.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" /v "EnableQueryRemoteServer" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance" /v "Disable Performance Counters" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters" /v "MaxCacheTtl" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters" /v "MaxNegativeCacheTtl" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DODownloadMode" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Application Experience\AitAgent" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ConfigureInternetTimeService" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\DispatchRecoveryTasks" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ehDRMInit" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\InstallPlayReady" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\mcupdate" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\OCURActivate" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\OCURDiscovery" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PBDADiscovery" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW1" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW2" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PvrRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PvrScheduleTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\RegisterSearch" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ReindexSearchRoot" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\SqlLiteRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\UpdateRecordPath" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\gwx\launchtrayprocess" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfig" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\Time-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\PI\Sqm-Tasks" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe" /v "Debugger" /t REG_SZ /d "systray.exe" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ElevateNonAdmins" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v "AllowOSUpgrade" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v "ReservationsAllowed" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade\State" /v "OSUpgradeState" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade\State" /v "OSUpgradeStateTimeStamp" /t REG_SZ /d "2015-09-09 09:09:09" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutoInstallMinorUpdates" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAUAsDefaultShutdownOption" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Policies\Microsoft\Windows\DriverSearching" /v "DontSearchWindowsUpdate" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSync" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM OneDrive.exe /T /F

C:\Windows\SYSTEM32\PING.EXE

C:\Windows\SYSTEM32\PING.EXE 127.0.0.1 -n 5

C:\Windows\SysWOW64\OneDriveSetup.exe

"C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall

C:\Windows\SysWOW64\OneDriveSetup.exe

"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /cusid:S-1-5-21-1337824034-2731376981-3755436523-1000

C:\Windows\SysWOW64\OneDriveSetup.exe

C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall

C:\Windows\SYSTEM32\PING.EXE

C:\Windows\SYSTEM32\PING.EXE 127.0.0.1 -n 5

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Internet Explorer\Geolocation" /v "BlockAllWebsites" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /v "EnableAutoUpgrade" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "EnableAutoUpgrade" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_134.170.30.202" dir=out action=block remoteip=134.170.30.202 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_137.116.81.24" dir=out action=block remoteip=137.116.81.24 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_157.56.106.189" dir=out action=block remoteip=157.56.106.189 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_184.86.53.99" dir=out action=block remoteip=184.86.53.99 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_2.22.61.43" dir=out action=block remoteip=2.22.61.43 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_2.22.61.66" dir=out action=block remoteip=2.22.61.66 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_65.39.117.230" dir=out action=block remoteip=65.39.117.230 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_65.52.108.33" dir=out action=block remoteip=65.52.108.33 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_64.4.54.254" dir=out action=block remoteip=64.4.54.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_vortex.data.microsoft.com" dir=out action=block remoteip=191.232.139.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telecommand.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.92 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_oca.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.63 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_sqm.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.93 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.43,65.52.108.29 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_redir.metaservices.microsoft.com" dir=out action=block remoteip=194.44.4.200,194.44.4.208 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_choice.microsoft.com" dir=out action=block remoteip=157.56.91.77 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.7 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_reports.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.91 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.93 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_services.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.92 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_sqm.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.94 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.9 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.ppe.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.11 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telemetry.appex.bing.net" dir=out action=block remoteip=168.63.108.233 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telemetry.urs.microsoft.com" dir=out action=block remoteip=157.56.74.250 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_settings-sandbox.data.microsoft.com" dir=out action=block remoteip=111.221.29.177 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_vortex-sandbox.data.microsoft.com" dir=out action=block remoteip=64.4.54.32 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_survey.watson.microsoft.com" dir=out action=block remoteip=207.68.166.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.live.com" dir=out action=block remoteip=207.46.223.94 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.microsoft.com" dir=out action=block remoteip=65.55.252.71 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe2.ws.microsoft.com" dir=out action=block remoteip=64.4.54.22 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_corpext.msitadfs.glbdns2.microsoft.com" dir=out action=block remoteip=131.107.113.238 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_compatexchange.cloudapp.net" dir=out action=block remoteip=23.99.10.11 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_cs1.wpc.v0cdn.net" dir=out action=block remoteip=68.232.34.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_a-0001.a-msedge.net" dir=out action=block remoteip=204.79.197.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe2.update.microsoft.com.akadns.net" dir=out action=block remoteip=64.4.54.22 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_sls.update.microsoft.com.akadns.net" dir=out action=block remoteip=157.56.77.139 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_fe2.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.58.121,134.170.58.123,134.170.53.29,66.119.144.190,134.170.58.189,134.170.58.118,134.170.53.30,134.170.51.190 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_diagnostics.support.microsoft.com" dir=out action=block remoteip=157.56.121.89 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_corp.sts.microsoft.com" dir=out action=block remoteip=131.107.113.238 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe1.ws.microsoft.com" dir=out action=block remoteip=134.170.115.60 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_pre.footprintpredict.com" dir=out action=block remoteip=204.79.197.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_i1.services.social.microsoft.com" dir=out action=block remoteip=104.82.22.249 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_feedback.windows.com" dir=out action=block remoteip=134.170.185.70 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_feedback.microsoft-hohm.com" dir=out action=block remoteip=64.4.6.100,65.55.39.10 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_feedback.search.microsoft.com" dir=out action=block remoteip=157.55.129.21 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_rad.msn.com" dir=out action=block remoteip=207.46.194.25 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_preview.msn.com" dir=out action=block remoteip=23.102.21.4 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_dart.l.doubleclick.net" dir=out action=block remoteip=173.194.113.220,173.194.113.219,216.58.209.166 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_ads.msn.com" dir=out action=block remoteip=157.56.91.82,157.56.23.91,104.82.14.146,207.123.56.252,185.13.160.61,8.254.209.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_a.ads1.msn.com" dir=out action=block remoteip=198.78.208.254,185.13.160.61 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_global.msads.net.c.footprint.net" dir=out action=block remoteip=185.13.160.61,8.254.209.254,207.123.56.252 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_az361816.vo.msecnd.net" dir=out action=block remoteip=68.232.34.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_oca.telemetry.microsoft.com.nsatc.net" dir=out action=block remoteip=65.55.252.63 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_reports.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.91 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.7 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_cs1.wpc.v0cdn.net" dir=out action=block remoteip=68.232.34.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_vortex-sandbox.data.microsoft.com" dir=out action=block remoteip=64.4.54.32 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_pre.footprintpredict.com" dir=out action=block remoteip=204.79.197.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_i1.services.social.microsoft.com" dir=out action=block remoteip=104.82.22.249 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_ssw.live.com" dir=out action=block remoteip=207.46.101.29 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe1.ws.microsoft.com" dir=out action=block remoteip=134.170.115.60 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_msnbot-65-55-108-23.search.msn.com" dir=out action=block remoteip=65.55.108.23 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_a23-218-212-69.deploy.static.akamaitechnologies.com" dir=out action=block remoteip=23.218.212.69 enable=yes

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Policies" /v "LongPathsEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{48981759-12F2-42A6-A048-028B3973495F}Machine\System\CurrentControlSet\Policies" /v "LongPathsEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\takeown.exe

C:\Windows\SYSTEM32\TAKEOWN.EXE /f "C:\Windows\SYSTEM32\DRIVERS\ETC" /r /d y

C:\Windows\SYSTEM32\icacls.exe

C:\Windows\SYSTEM32\ICACLS.EXE "C:\Windows\SYSTEM32\DRIVERS\ETC" /grant:r Admin:F Administrators:F SYSTEM:F "Authenticated Users":F /t /c /q

C:\Windows\SYSTEM32\attrib.exe

C:\Windows\SYSTEM32\ATTRIB.EXE /D /S -A -H -R -S -I "C:\Windows\SYSTEM32\DRIVERS\ETC\*.*"

C:\Windows\SYSTEM32\attrib.exe

C:\Windows\SYSTEM32\ATTRIB.EXE /S +A -H -R -S -I "C:\Windows\SYSTEM32\DRIVERS\ETC\*.*"

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0001.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0002.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0003.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0004.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0005.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0006.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0007.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0008.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0009.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.ads1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.ads2.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.ads2.msads.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.rad.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ac3.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ad.doubleclick.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ads.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ads1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ads1.msads.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "adnexus.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "adnxs.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "aidps.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "aka-cdn-ns.adtech.de" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "apps.skype.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "az361816.vo.msecnd.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "az512334.vo.msecnd.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "b.ads1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "b.ads2.msads.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "b.rad.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "bs.serving-sys.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "c.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "c.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cdn.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cds26.ams9.msecn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "choice.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "choice.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "compatexchange.cloudapp.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "corpext.msitadfs.glbdns2.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cdnjs.cloudflare.com.cdn.cloudflare.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cs1.wpc.v0cdn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cdp1.public-trust.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "corp.sts.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "db3aqu.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "diagnostics.support.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e2835.dspb.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e8218.ce.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e7341.g.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e7502.ce.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ec.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "feedback.windows.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "feedback.microsoft-hohm.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "feedback.search.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "fe2.update.microsoft.com.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "fe2.ws.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "flex.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "g.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "h1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "hostedocsp.globalsign.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "i1.services.social.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "i1.services.social.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "li581-132.members.linode.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "lb1.www.ms.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "live.rads.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "m.adnxs.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "m.hotmail.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msftncsi.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msnbot-65-55-108-23.search.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msntest.serving-sys.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "oca.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "oca.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "pre.footprintpredict.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "preview.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "pricelist.skype.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "rad.live.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "rad.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "redir.metaservices.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "reports.wes.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "s.gateway.messenger.live.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "schemas.microsoft.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "secure.adnxs.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "secure.flashtalking.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "services.wes.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "settings-win.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "settings-sandbox.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sls.update.microsoft.com.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sO.2mdn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sqm.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sqm.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sqm.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "static.2mdn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "statsfe1.ws.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "statsfe2.ws.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "statsfe2.update.microsoft.com.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "survey.watson.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telecommand.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telecommand.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.appex.bing.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.appex.bing.net:443" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.urs.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ui.skype.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "view.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-bn2.metron.live.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-cy2.metron.live.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-win.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-sandbox.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "wes.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.ppe.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.live.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "www.go.microsoft.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "www.msftncsi.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM GWX.exe /T /F

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM GWXUXWorker.exe /T /F

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM GWXConfigManager.exe /T /F

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM consent.exe /T /F

C:\Windows\SYSTEM32\takeown.exe

C:\Windows\SYSTEM32\TAKEOWN.EXE /f "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy" /r /d y

C:\Windows\SYSTEM32\icacls.exe

C:\Windows\SYSTEM32\ICACLS.EXE "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy" /grant:r Administrators:F /t /c /q

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM ShellExperienceHost.exe /T /F

C:\Windows\SYSTEM32\takeown.exe

C:\Windows\SYSTEM32\TAKEOWN.EXE /f "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" /r /d y

C:\Windows\SYSTEM32\icacls.exe

C:\Windows\SYSTEM32\ICACLS.EXE "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" /grant:r Administrators:F /t /c /q

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM SearchUI.exe /T /F

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:971033 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2952664 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2990214 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3012973 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3021917 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3022345 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3035583 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3044374 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3068708 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3075249 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3080149 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3112343 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3083711 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3083325 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3075853 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3072318 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3065988 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3064683 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3058168 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3050267 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2976978 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2977759 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3081954 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3123862 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3138612 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3172605 /quiet /norestart

C:\Windows\system32\timeout.exe

TIMEOUT /T 5 /NOBREAK

Network

Files

C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl

MD5 2f8f3230bbc42e379a1554ca3419d46d
SHA1 48ba89d52c74a8305673d502a342c390ba0c5511
SHA256 3efe94e50d33a368dca95d1b612243aec88ddbd1353245769c79b82fc857ae09
SHA512 46258013b5450494eedb16dcfc2142f54876b86048210a7b102096cc42502a28879fba3e193ce1116c8f1046d1178a60a2436270e94cc5002593b82f2d57156d

C:\Users\Admin\AppData\Local\Temp\tmpA4CB.tmp

MD5 bd2866356868563bd9d92d902cf9cc5a
SHA1 c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b
SHA256 6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb
SHA512 5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\UNINST~1.LOG

MD5 26b1ca4d655e6a9af6909d65e89537f9
SHA1 3537dcee3fed1a9514acb61291d4f897e3b85b6f
SHA256 947e48a2d4086bc1782a868e4fadde09129c835145b389c1134555acf99abe21
SHA512 91ffd27e67bbcaa1d3e6266c0f0d2c6724937f54c8b049b34ab1f9d6f8b518f1e59a6b9334a4ce72edc7c1c3ef3cb16bb9bf719d6b3a6cda31fc71122cdd1d8c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\UNINST~2.LOG

MD5 5ae87edce0ffe4db4967d694393929cf
SHA1 a90ac06ad771b0d4ee651a90a461fee67b1efe85
SHA256 f762a6162ee251ebb7cabc73e7cb24ee3b813ced2aac869a765981344a96fc6f
SHA512 db14cd98ddfab8a264463051ab3f76650bd71344ac723a99dc66ba0055a66bf3d986a756bc614426995a26837af139c44c4bdb050b64f5f2b1b49244a8c0435e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\UNINST~1.ODL

MD5 cef01ceb124fdc9852cdcb25493508b3
SHA1 667532c32bd12712949b483645d81363d2508dd9
SHA256 47d869797a14d426a229943c3eb9fa13ad713e0f067ed527dbcb785928cd2657
SHA512 8fa9180aef02336c07db68f3156a6edb049f20f3248d62741c1fb1548c392bdbfeb0ec89fc7c15523462824f057f45b950872033379b742b4c0f72b729bf714c

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\UNINST~3.ODL

MD5 9b92ae96ea9a461db239f8559f46ab19
SHA1 d73720f542c4d4b28165ed63d47578f979c6fb83
SHA256 8bc7a6f996c96c829a8bdbef5342ccd3b1a0e932847f9fed93fd3bbde4c8a954
SHA512 56d9d90bec7ff004fdd20df716b473e7bfaa00d643e8da729a4567c727b47aa55b014da39df9cce8393bd67893e672b63307b8cbdc47e495cc33c9dc16564d79

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\PARENT~1.SES

MD5 7528357b1ffa818c14bb782ad625b79a
SHA1 7d4838ddfeef87da35a0d707ec4c8ff3f787c068
SHA256 3925f9163f1023023dbfa3c7bbc9c0584ce95e745d602fbd9fef6032db32d915
SHA512 bdb16729cfa65f4d55dccdc2f9d29f79ed9fd947d68aacb625df527db0d89af0632101c708e315fe07f9bf95a380dab5c90b18613ddcc9a1d318b3558029e4df

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\MACHIN~1.SES

MD5 78d06bef3a4740915877b077796c4904
SHA1 8f3d04d7e78c90d047d9fd3613d367582edacdf7
SHA256 ae99361a3accbf245ba120bebe938dbfefd7f7b83c62aca00160ffc406e4fd6c
SHA512 9eb901e3a4c2a79334c69aa05f0fc407f323bd6b860877db4371ba35509707a11dd38ca39d00191eddb638f5c649ac49783eadae55ae48a1bd4148e8c46773b4

C:\Windows\System32\drivers\etc\HOSTS

MD5 e6bff7eaaeefcbb4d5a3966ff213bcbe
SHA1 b94c5644962d5e54eecd0c7b488cc2ebe8140e02
SHA256 a27b3964c97c28432220336e3f788b28aacf311b54514f074b4265d39cd55f30
SHA512 18f356ae5fc45e9c2c6aff6f9347b9139dd944d221280fab7dc62ebd960af13abf80289b84d90af7c5f3b305ae7f2d988944e9eeef4ea8c2b45c61238666269d

C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

MD5 09a267b744f55435328f48684546d910
SHA1 c0bd2300aa05314cf1f680a657e6e0b3da7d4e0e
SHA256 d1f27f04e2cf5c39618668c90ea03efdbd0d9479fb85af1abe319d3895f454b4
SHA512 e529400c6fd59e541f5e4c27a3b1b551c27335a5970c7d4e79c9c5d2016795c3e83901c9253279a5b5b90133d3e195b7a1043b286d564c77331d73e99d90c174

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240508-en

Max time kernel

80s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ELEVAT64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ELEVAT64.exe

"C:\Users\Admin\AppData\Local\Temp\ELEVAT64.exe"

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.cmd"

Signatures

Disables service(s)

evasion execution

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\ipconfig.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2188 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2188 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2188 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2188 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2188 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2188 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 3028 wrote to memory of 2484 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3028 wrote to memory of 2484 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 3028 wrote to memory of 2484 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2188 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 2188 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 2188 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 2188 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2188 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2188 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2636 wrote to memory of 2580 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2636 wrote to memory of 2580 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2636 wrote to memory of 2580 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2188 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2188 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2188 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.cmd"

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE START DNSCache

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 START DNSCache

C:\Windows\SYSTEM32\ipconfig.exe

C:\Windows\SYSTEM32\IPCONFIG.EXE /flushdns

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP DNSCache

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP DNSCache

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= disabled

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\10_BLOCK.htm

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{173491E1-2AAE-11EF-9BF1-5630532AF2EE} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424573157" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\10_BLOCK.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp
US 8.8.8.8:53 www.mdgx.com udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_OBSOL.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10_OBSOL.vbs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20240508-en

Max time kernel

121s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\E10BLOK.cmd"

Signatures

Disables service(s)

evasion execution

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\SYSTEM32\reg.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Windows\SYSTEM32\reg.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\lmhosts.sam C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\protocol C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\hosts C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\networks C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\protocol C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\services C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\hosts C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\networks C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\services C:\Windows\SYSTEM32\attrib.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\lmhosts.sam C:\Windows\SYSTEM32\attrib.exe N/A
File created C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS C:\Windows\system32\cmd.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe C:\Windows\SYSTEM32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe\Debugger = "systray.exe" C:\Windows\SYSTEM32\reg.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\SYSTEM32\wusa.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Geolocation\BlockAllWebsites = "1" C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\EnableAutoUpgrade = "0" C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\EnableAutoUpgrade = "0" C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Geolocation C:\Windows\SYSTEM32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\SYSTEM32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\SYSTEM32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\SYSTEM32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" C:\Windows\SYSTEM32\reg.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2644 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2344 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2344 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2344 wrote to memory of 2756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cacls.exe
PID 2344 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2344 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2344 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2700 wrote to memory of 2640 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2700 wrote to memory of 2640 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2700 wrote to memory of 2640 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2344 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2344 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2344 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2344 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2344 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2344 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2344 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2508 wrote to memory of 3032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2508 wrote to memory of 3032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2508 wrote to memory of 3032 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2344 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2344 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2344 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2344 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\E10BLOK.cmd"

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\E10BLOK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\10_BLOCK.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVATE.EXE" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\ELEVAT64.EXE" /t REG_DWORD /d 1 /f

C:\Windows\system32\cacls.exe

"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP diagtrack

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP diagtrack

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config diagtrack START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP diagnosticshub.standardcollector.service

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP diagnosticshub.standardcollector.service

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config diagnosticshub.standardcollector.service START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP dmwappushservice

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP dmwappushservice

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config dmwappushservice START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP RetailDemo

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP RetailDemo

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE config RetailDemo START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP Wecsvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP Wecsvc

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG Wecsvc START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP RemoteRegistry

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP RemoteRegistry

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG RemoteRegistry START= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE STOP OneSyncSvc

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 STOP OneSyncSvc

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG OneSyncSvc START= disabled

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE add"HKLM\SYSTEM\CurrentControlSet\Services\OneSyncSvc_Session1" /v "Start" /t REG_DWORD /d 4 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\cacls.exe

C:\Windows\SYSTEM32\CACLS.EXE C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl /d SYSTEM

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /v "AutoLogger-Diagtrack-Listener" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger" /v "SQMLogger" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\WcmSvc\WifiNetworkManager" /v "WifiSenseCredShared" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\WcmSvc\WifiNetworkManager" /v "WifiSenseOpen" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "AUOptions" /t REG_DWORD /d 2 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "IncludeRecommendedUpdates" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "EnableFeaturedSoftware" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v "SpyNetReporting" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\15.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\16.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy" /v "EnableQueryRemoteServer" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Control\Diagnostics\Performance" /v "Disable Performance Counters" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters" /v "MaxCacheTtl" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters" /v "MaxNegativeCacheTtl" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DODownloadMode" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Application Experience\AitAgent" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Autochk\Proxy" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Maintenance\WinSAT" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ConfigureInternetTimeService" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\DispatchRecoveryTasks" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ehDRMInit" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\InstallPlayReady" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\mcupdate" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\OCURActivate" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\OCURDiscovery" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PBDADiscovery" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW1" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PBDADiscoveryW2" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PvrRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\PvrScheduleTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\RegisterSearch" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\ReindexSearchRoot" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\SqlLiteRecoveryTask" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Media Center\UpdateRecordPath" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\gwx\launchtrayprocess" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfig" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Setup\GWXTriggers\Time-5d" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\PI\Sqm-Tasks" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /DISABLE

C:\Windows\SYSTEM32\schtasks.exe

C:\Windows\SYSTEM32\SCHTASKS.EXE /change /TN "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /DISABLE

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gwx.exe" /v "Debugger" /t REG_SZ /d "systray.exe" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "ElevateNonAdmins" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v "AllowOSUpgrade" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade" /v "ReservationsAllowed" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade\State" /v "OSUpgradeState" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\OSUpgrade\State" /v "OSUpgradeStateTimeStamp" /t REG_SZ /d "2015-09-09 09:09:09" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutoInstallMinorUpdates" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAUAsDefaultShutdownOption" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Policies\Microsoft\Windows\DriverSearching" /v "DontSearchWindowsUpdate" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSync" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM OneDrive.exe /T /F

C:\Windows\SYSTEM32\PING.EXE

C:\Windows\SYSTEM32\PING.EXE 127.0.0.1 -n 5

C:\Windows\SYSTEM32\PING.EXE

C:\Windows\SYSTEM32\PING.EXE 127.0.0.1 -n 5

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE delete "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Internet Explorer\Geolocation" /v "BlockAllWebsites" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /v "EnableAutoUpgrade" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "EnableAutoUpgrade" /t REG_DWORD /d 0 /f

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_134.170.30.202" dir=out action=block remoteip=134.170.30.202 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_137.116.81.24" dir=out action=block remoteip=137.116.81.24 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_157.56.106.189" dir=out action=block remoteip=157.56.106.189 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_184.86.53.99" dir=out action=block remoteip=184.86.53.99 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_2.22.61.43" dir=out action=block remoteip=2.22.61.43 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_2.22.61.66" dir=out action=block remoteip=2.22.61.66 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_65.39.117.230" dir=out action=block remoteip=65.39.117.230 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_65.52.108.33" dir=out action=block remoteip=65.52.108.33 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_64.4.54.254" dir=out action=block remoteip=64.4.54.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_vortex.data.microsoft.com" dir=out action=block remoteip=191.232.139.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telecommand.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.92 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_oca.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.63 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_sqm.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.93 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.telemetry.microsoft.com" dir=out action=block remoteip=65.55.252.43,65.52.108.29 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_redir.metaservices.microsoft.com" dir=out action=block remoteip=194.44.4.200,194.44.4.208 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_choice.microsoft.com" dir=out action=block remoteip=157.56.91.77 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.7 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_reports.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.91 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.93 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_services.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.92 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_sqm.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.94 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.9 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.ppe.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.11 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telemetry.appex.bing.net" dir=out action=block remoteip=168.63.108.233 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_telemetry.urs.microsoft.com" dir=out action=block remoteip=157.56.74.250 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_settings-sandbox.data.microsoft.com" dir=out action=block remoteip=111.221.29.177 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_vortex-sandbox.data.microsoft.com" dir=out action=block remoteip=64.4.54.32 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_survey.watson.microsoft.com" dir=out action=block remoteip=207.68.166.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.live.com" dir=out action=block remoteip=207.46.223.94 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_watson.microsoft.com" dir=out action=block remoteip=65.55.252.71 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe2.ws.microsoft.com" dir=out action=block remoteip=64.4.54.22 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_corpext.msitadfs.glbdns2.microsoft.com" dir=out action=block remoteip=131.107.113.238 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_compatexchange.cloudapp.net" dir=out action=block remoteip=23.99.10.11 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_cs1.wpc.v0cdn.net" dir=out action=block remoteip=68.232.34.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_a-0001.a-msedge.net" dir=out action=block remoteip=204.79.197.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe2.update.microsoft.com.akadns.net" dir=out action=block remoteip=64.4.54.22 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_sls.update.microsoft.com.akadns.net" dir=out action=block remoteip=157.56.77.139 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_fe2.update.microsoft.com.akadns.net" dir=out action=block remoteip=134.170.58.121,134.170.58.123,134.170.53.29,66.119.144.190,134.170.58.189,134.170.58.118,134.170.53.30,134.170.51.190 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_diagnostics.support.microsoft.com" dir=out action=block remoteip=157.56.121.89 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_corp.sts.microsoft.com" dir=out action=block remoteip=131.107.113.238 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe1.ws.microsoft.com" dir=out action=block remoteip=134.170.115.60 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_pre.footprintpredict.com" dir=out action=block remoteip=204.79.197.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_i1.services.social.microsoft.com" dir=out action=block remoteip=104.82.22.249 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_feedback.windows.com" dir=out action=block remoteip=134.170.185.70 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_feedback.microsoft-hohm.com" dir=out action=block remoteip=64.4.6.100,65.55.39.10 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_feedback.search.microsoft.com" dir=out action=block remoteip=157.55.129.21 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_rad.msn.com" dir=out action=block remoteip=207.46.194.25 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_preview.msn.com" dir=out action=block remoteip=23.102.21.4 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_dart.l.doubleclick.net" dir=out action=block remoteip=173.194.113.220,173.194.113.219,216.58.209.166 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_ads.msn.com" dir=out action=block remoteip=157.56.91.82,157.56.23.91,104.82.14.146,207.123.56.252,185.13.160.61,8.254.209.254 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_a.ads1.msn.com" dir=out action=block remoteip=198.78.208.254,185.13.160.61 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_global.msads.net.c.footprint.net" dir=out action=block remoteip=185.13.160.61,8.254.209.254,207.123.56.252 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_az361816.vo.msecnd.net" dir=out action=block remoteip=68.232.34.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_oca.telemetry.microsoft.com.nsatc.net" dir=out action=block remoteip=65.55.252.63 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_reports.wes.df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.91 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_df.telemetry.microsoft.com" dir=out action=block remoteip=65.52.100.7 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_cs1.wpc.v0cdn.net" dir=out action=block remoteip=68.232.34.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_vortex-sandbox.data.microsoft.com" dir=out action=block remoteip=64.4.54.32 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_pre.footprintpredict.com" dir=out action=block remoteip=204.79.197.200 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_i1.services.social.microsoft.com" dir=out action=block remoteip=104.82.22.249 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_ssw.live.com" dir=out action=block remoteip=207.46.101.29 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_statsfe1.ws.microsoft.com" dir=out action=block remoteip=134.170.115.60 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_msnbot-65-55-108-23.search.msn.com" dir=out action=block remoteip=65.55.108.23 enable=yes

C:\Windows\SYSTEM32\netsh.exe

C:\Windows\SYSTEM32\NETSH.EXE advfirewall firewall add rule name="telemetry_a23-218-212-69.deploy.static.akamaitechnologies.com" dir=out action=block remoteip=23.218.212.69 enable=yes

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Policies" /v "LongPathsEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{48981759-12F2-42A6-A048-028B3973495F}Machine\System\CurrentControlSet\Policies" /v "LongPathsEnabled" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\takeown.exe

C:\Windows\SYSTEM32\TAKEOWN.EXE /f "C:\Windows\SYSTEM32\DRIVERS\ETC" /r /d y

C:\Windows\SYSTEM32\icacls.exe

C:\Windows\SYSTEM32\ICACLS.EXE "C:\Windows\SYSTEM32\DRIVERS\ETC" /grant:r Admin:F Administrators:F SYSTEM:F "Authenticated Users":F /t /c /q

C:\Windows\SYSTEM32\attrib.exe

C:\Windows\SYSTEM32\ATTRIB.EXE /D /S -A -H -R -S -I "C:\Windows\SYSTEM32\DRIVERS\ETC\*.*"

C:\Windows\SYSTEM32\attrib.exe

C:\Windows\SYSTEM32\ATTRIB.EXE /S +A -H -R -S -I "C:\Windows\SYSTEM32\DRIVERS\ETC\*.*"

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0001.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0002.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0003.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0004.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0005.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0006.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0007.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0008.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a-0009.a-msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.ads1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.ads2.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.ads2.msads.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "a.rad.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ac3.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ad.doubleclick.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ads.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ads1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ads1.msads.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "adnexus.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "adnxs.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "aidps.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "aka-cdn-ns.adtech.de" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "apps.skype.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "az361816.vo.msecnd.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "az512334.vo.msecnd.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "b.ads1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "b.ads2.msads.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "b.rad.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "bs.serving-sys.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "c.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "c.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cdn.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cds26.ams9.msecn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "choice.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "choice.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "compatexchange.cloudapp.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "corpext.msitadfs.glbdns2.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cdnjs.cloudflare.com.cdn.cloudflare.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cs1.wpc.v0cdn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "cdp1.public-trust.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "corp.sts.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "db3aqu.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "diagnostics.support.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e2835.dspb.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e8218.ce.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e7341.g.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "e7502.ce.akamaiedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ec.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "feedback.windows.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "feedback.microsoft-hohm.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "feedback.search.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "fe2.update.microsoft.com.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "fe2.ws.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "flex.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "g.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "h1.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "hostedocsp.globalsign.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "i1.services.social.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "i1.services.social.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "li581-132.members.linode.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "lb1.www.ms.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "live.rads.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "m.adnxs.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "m.hotmail.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msedge.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msftncsi.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msnbot-65-55-108-23.search.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "msntest.serving-sys.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "oca.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "oca.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "pre.footprintpredict.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "preview.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "pricelist.skype.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "rad.live.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "rad.msn.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "redir.metaservices.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "reports.wes.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "s.gateway.messenger.live.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "schemas.microsoft.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "secure.adnxs.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "secure.flashtalking.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "services.wes.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "settings-win.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "settings-sandbox.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sls.update.microsoft.com.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sO.2mdn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sqm.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sqm.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "sqm.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "static.2mdn.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "statsfe1.ws.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "statsfe2.ws.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "statsfe2.update.microsoft.com.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "survey.watson.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telecommand.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telecommand.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.appex.bing.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.appex.bing.net:443" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.urs.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "ui.skype.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "view.atdmt.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-bn2.metron.live.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-cy2.metron.live.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-win.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "vortex-sandbox.data.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.telemetry.microsoft.com.nsatc.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "wes.df.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.ppe.telemetry.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.live.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "www.go.microsoft.akadns.net" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\find.exe

C:\Windows\SYSTEM32\FIND.EXE /C /I "www.msftncsi.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM GWX.exe /T /F

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM GWXUXWorker.exe /T /F

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM GWXConfigManager.exe /T /F

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM consent.exe /T /F

C:\Windows\SYSTEM32\takeown.exe

C:\Windows\SYSTEM32\TAKEOWN.EXE /f "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy" /r /d y

C:\Windows\SYSTEM32\icacls.exe

C:\Windows\SYSTEM32\ICACLS.EXE "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy" /grant:r Administrators:F /t /c /q

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM ShellExperienceHost.exe /T /F

C:\Windows\SYSTEM32\takeown.exe

C:\Windows\SYSTEM32\TAKEOWN.EXE /f "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" /r /d y

C:\Windows\SYSTEM32\icacls.exe

C:\Windows\SYSTEM32\ICACLS.EXE "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" /grant:r Administrators:F /t /c /q

C:\Windows\SYSTEM32\taskkill.exe

C:\Windows\SYSTEM32\TASKKILL.EXE /IM SearchUI.exe /T /F

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:971033 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2952664 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2990214 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3012973 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3021917 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3022345 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3035583 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3044374 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3068708 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3075249 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3080149 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3112343 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3083711 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3083325 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3075853 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3072318 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3065988 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3064683 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3058168 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3050267 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2976978 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2977759 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3081954 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3123862 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3138612 /quiet /norestart

C:\Windows\SYSTEM32\wusa.exe

C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3172605 /quiet /norestart

C:\Windows\system32\timeout.exe

TIMEOUT /T 5 /NOBREAK

Network

N/A

Files

C:\Windows\System32\drivers\etc\HOSTS

MD5 e6bff7eaaeefcbb4d5a3966ff213bcbe
SHA1 b94c5644962d5e54eecd0c7b488cc2ebe8140e02
SHA256 a27b3964c97c28432220336e3f788b28aacf311b54514f074b4265d39cd55f30
SHA512 18f356ae5fc45e9c2c6aff6f9347b9139dd944d221280fab7dc62ebd960af13abf80289b84d90af7c5f3b305ae7f2d988944e9eeef4ea8c2b45c61238666269d

C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS

MD5 09a267b744f55435328f48684546d910
SHA1 c0bd2300aa05314cf1f680a657e6e0b3da7d4e0e
SHA256 d1f27f04e2cf5c39618668c90ea03efdbd0d9479fb85af1abe319d3895f454b4
SHA512 e529400c6fd59e541f5e4c27a3b1b551c27335a5970c7d4e79c9c5d2016795c3e83901c9253279a5b5b90133d3e195b7a1043b286d564c77331d73e99d90c174

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ELEVATE.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ELEVATE.exe

"C:\Users\Admin\AppData\Local\Temp\ELEVATE.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-15 00:27

Reported

2024-06-15 00:30

Platform

win7-20240220-en

Max time kernel

121s

Max time network

124s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\STARTDNS.cmd"

Signatures

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\ipconfig.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2864 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 2012 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\reg.exe
PID 2864 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2864 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2864 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\sc.exe
PID 2864 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 1324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2864 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2864 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2864 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\net.exe
PID 2792 wrote to memory of 2876 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2792 wrote to memory of 2876 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2792 wrote to memory of 2876 N/A C:\Windows\SYSTEM32\net.exe C:\Windows\system32\net1.exe
PID 2864 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 2864 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe
PID 2864 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\SYSTEM32\ipconfig.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\STARTDNS.cmd"

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STOP!DNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\reg.exe

C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f

C:\Windows\SYSTEM32\sc.exe

C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= auto

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECHO Y"

C:\Windows\SYSTEM32\net.exe

C:\Windows\SYSTEM32\NET.EXE START DNSCache

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 START DNSCache

C:\Windows\SYSTEM32\ipconfig.exe

C:\Windows\SYSTEM32\IPCONFIG.EXE /flushdns

Network

N/A

Files

N/A
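The Processes listings above (the FIND checks against the HOSTS file, the taskkill/takeown/icacls/wusa runs, and the reg/sc/net commands spawned by STARTDNS.cmd) are raw command lines. As an added example, not part of the sandbox report, the Python below classifies such lines into the behaviours a triage analyst cares about and extracts the indicator from each: the hostname looked up, the image killed, the SystemApps folder whose ACL was rewritten, the KB removed, the registry target. The rule names, regular expressions and the SAMPLE_LINES list (a constructed subset copied from the command lines listed in this report) are this example's own. One point worth pulling out separately: the REG ADD writes to AppCompatFlags\Layers with data RUNASADMIN mark the two .cmd files in %TEMP% so that every launch requests elevation through UAC, which runasadmin_targets() isolates.

```python
"""Classify sandbox-recorded process command lines into triage categories.

Added example; not part of the sandbox report. SAMPLE_LINES is a constructed
subset copied from this report's Processes sections; rule names and regexes
are this example's own.
"""
import ntpath  # parses Windows paths correctly even when run on Linux/macOS
import re
from collections import defaultdict

# Constructed sample: command lines taken from the Processes sections of the report.
SAMPLE_LINES = [
    r'C:\Windows\SYSTEM32\FIND.EXE /C /I "watson.microsoft.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS',
    r'C:\Windows\SYSTEM32\FIND.EXE /C /I "www.msftncsi.com" C:\Windows\SYSTEM32\DRIVERS\ETC\HOSTS',
    r'C:\Windows\SYSTEM32\TASKKILL.EXE /IM GWX.exe /T /F',
    r'C:\Windows\SYSTEM32\TASKKILL.EXE /IM consent.exe /T /F',
    r'C:\Windows\SYSTEM32\TAKEOWN.EXE /f "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" /r /d y',
    r'C:\Windows\SYSTEM32\ICACLS.EXE "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy" /grant:r Administrators:F /t /c /q',
    r'C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:3035583 /quiet /norestart',
    r'C:\Windows\SYSTEM32\WUSA.EXE /uninstall /KB:2952664 /quiet /norestart',
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\STARTDNS.cmd"',
    r'C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_SZ /d "RUNASADMIN" /f',
    r'C:\Windows\SYSTEM32\REG.EXE ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted" /v "C:\Users\Admin\AppData\Local\Temp\STARTDNS.CMD" /t REG_DWORD /d 1 /f',
    r'C:\Windows\SYSTEM32\SC.EXE CONFIG DNSCache START= auto',
    r'C:\Windows\SYSTEM32\NET.EXE START DNSCache',
    r'C:\Windows\system32\net1 START DNSCache',
    r'C:\Windows\SYSTEM32\IPCONFIG.EXE /flushdns',
]

# (category, executable names that apply, pattern over the full command line,
#  format string applied to the pattern's groups to build the indicator)
RULES = [
    ("hosts_lookup", {"find"},
     re.compile(r'"([^"]+)"\s+\S*drivers\\etc\\hosts\b', re.I), "{0}"),
    ("process_kill", {"taskkill"},
     re.compile(r'/IM\s+(\S+)', re.I), "{0}"),
    ("systemapp_acl_change", {"takeown", "icacls"},
     re.compile(r'"([^"]*\\SystemApps\\[^"]+)"', re.I), "{0}"),
    ("update_uninstall", {"wusa"},
     re.compile(r'/uninstall\b.*?/KB:(\d+)', re.I), "KB{0}"),
    ("appcompat_flag", {"reg"},
     re.compile(r'\bADD\s+"[^"]*\\AppCompatFlags\\([^"]+)"\s+/v\s+"([^"]+)"', re.I), "{0} -> {1}"),
    ("service_config", {"sc", "net", "net1"},
     re.compile(r'\b(?:CONFIG|START)\s+(\S+)', re.I), "{0}"),
    ("dns_flush", {"ipconfig"},
     re.compile(r'/flushdns\b', re.I), "flushdns"),
]

# RUNASADMIN in AppCompatFlags\Layers makes Windows request elevation (UAC prompt)
# every time the named file is launched.
RUNASADMIN_RE = re.compile(
    r'\\AppCompatFlags\\Layers"\s+/v\s+"([^"]+)".*?/d\s+"?RUNASADMIN"?', re.I)


def image_name(cmdline):
    """Lower-case executable name without '.exe' (e.g. 'taskkill', 'net1')."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        exe = cmdline[1:].split('"', 1)[0]   # quoted path: up to the closing quote
    else:
        exe = cmdline.split(None, 1)[0]      # unquoted: up to the first blank
    name = ntpath.basename(exe).lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return [(category, indicator), ...] for one command line; [] if no rule fires."""
    img = image_name(cmdline)
    hits = []
    for category, images, pattern, fmt in RULES:
        if img not in images:
            continue
        m = pattern.search(cmdline)
        if m:
            hits.append((category, fmt.format(*m.groups())))
    return hits


def summarize(lines):
    """Map each category to the sorted, de-duplicated indicators seen across all lines."""
    out = defaultdict(set)
    for line in lines:
        for category, indicator in classify(line):
            out[category].add(indicator)
    return {category: sorted(values) for category, values in out.items()}


def runasadmin_targets(lines):
    """Files given the RUNASADMIN compatibility layer via reg.exe."""
    found = set()
    for line in lines:
        if image_name(line) != "reg":
            continue
        m = RUNASADMIN_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)


if __name__ == "__main__":
    for category, indicators in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{category}:")
        for indicator in indicators:
            print(f"    {indicator}")
    print("elevation requested on launch:", runasadmin_targets(SAMPLE_LINES))
```

Feed the script the full Processes list of any analysis in this report, one command line per entry, and the summary collapses the hundreds of near-identical lines into a handful of indicator sets; the wusa list in particular becomes a sorted KB inventory that can be compared against a baseline, and any .cmd or .exe under a user-writable path appearing in runasadmin_targets() is worth a closer look.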