Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
134s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
29/06/2024, 06:32
General
-
Target
tools/CoutX.bat
-
Size
61KB
-
MD5
9d9de233b39212edd52f376bdabc2b9c
-
SHA1
0f0ae692ec22867fbf4ee600efa7a9169f52ea28
-
SHA256
f783d2390ba2b2755c6b2467630d1d2703920cb4d42d34fb789fac9789e7bd18
-
SHA512
71c5e21745cc30f9cc6720cc9049415a8c8495487f7a9d26717ef6b56b49028f7d80ae1f175762e1ed3382fb6df6ae43f843d7cd1d164dbb7a4a25b677205293
-
SSDEEP
768:xGLTOwOkZ6DWMpLcKwtNh60aLIKoPw5PuE3MfFzL2IuGQIGQObWszHPjHv7gBOBF:YacKwXsIKoCuEFC0WszHPbv72+
Score
9/10
Malware Config
Signatures
-
Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
-
Stops running service(s) 4 TTPs
-
Boot or Logon Autostart Execution: LSASS Driver 1 TTPs 1 IoCs
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Power Settings 1 TTPs 30 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in Windows directory 4 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 39 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 33 IoCs
-
Modifies registry key 1 TTPs 29 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 23 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tools\CoutX.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\Dism.exedism2⤵
- Drops file in Windows directory
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get VideoProcessor /value2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_VideoController get VideoProcessor /value3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "2⤵
-
-
C:\Windows\system32\find.exefind /I "GeForce"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "2⤵
-
-
C:\Windows\system32\find.exefind /I "NVIDIA"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "2⤵
-
-
C:\Windows\system32\find.exefind /I "RTX"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo SeaBIOS VBE(C) 2011 "2⤵
-
-
C:\Windows\system32\find.exefind /I "GTX"2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v "DisplayParameters" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "__COMPAT_LAYER" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKLM\System\GameConfigStore" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKU\.Default\System\GameConfigStore" /f2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\reg.exeReg delete "HKU\S-1-5-19\System\GameConfigStore" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKU\S-1-5-20\System\GameConfigStore" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKCU\Software\Classes\System\GameConfigStore" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add HKCU\System\GameConfigStore /v GameDVR_Enabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Policies\Microsoft\Windows\GameDVR /v AllowGameDVR /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKLM\Software\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR /v value /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR /v AppCaptureEnabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR /v AudioCaptureEnabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR /v CursorCaptureEnabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR /v MicrophoneCaptureEnabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR /v HistoricalCaptureEnabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\GameBar /v UseNexusForGameBarEnabled /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\GameBar /v GamepadDoublePressIntervalMs /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\GameBar /v ShowStartupPanel /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\GameBar /v GamePanelStartupTipIndex /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Gaming.GameBar.PresenceServer.Internal.PresenceWriter" /v "ActivationType" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add HKCU\System\GameConfigStore /v GameDVR_FSEBehaviorMode /t REG_DWORD /d 2 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\System\GameConfigStore /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\System\GameConfigStore /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKCU\System\GameConfigStore /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKCU\Software\Microsoft\DirectX\UserGpuPreferences" /v "DirectXUserGlobalSettings" 2>nul | Find "REG_SZ"2⤵
-
C:\Windows\system32\reg.exeReg query "HKCU\Software\Microsoft\DirectX\UserGpuPreferences" /v "DirectXUserGlobalSettings"3⤵
-
-
C:\Windows\system32\find.exeFind "REG_SZ"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "2⤵
-
-
C:\Windows\system32\find.exeFind /I "VRROptimizeEnable"2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\DirectX\UserGpuPreferences" /v "DirectXUserGlobalSettings" /t REG_SZ /d "VRROptimizeEnable=1;" /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKCU\Software\Microsoft\DirectX\UserGpuPreferences" /v "DirectXUserGlobalSettings" 2>nul | Find "REG_SZ"2⤵
-
C:\Windows\system32\reg.exeReg query "HKCU\Software\Microsoft\DirectX\UserGpuPreferences" /v "DirectXUserGlobalSettings"3⤵
-
-
C:\Windows\system32\find.exeFind "REG_SZ"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo VRROptimizeEnable=1; "2⤵
-
-
C:\Windows\system32\find.exeFind /I "SwapEffectUpgradeEnable"2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\DirectX\UserGpuPreferences" /v "DirectXUserGlobalSettings" /t REG_SZ /d "VRROptimizeEnable=1;SwapEffectUpgradeEnable=1;" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add HKCU\Software\Microsoft\DirectX\GraphicsSettings /v SwapEffectUpgradeCache /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKLM\System\CurrentControlSet\Control\Class" /v "VgaCompatible" /s 2>nul | findstr "HKEY"2⤵
-
C:\Windows\system32\reg.exeReg query "HKLM\System\CurrentControlSet\Control\Class" /v "VgaCompatible" /s3⤵
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵
-
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /f /v "UserPreferencesMask" /t REG_BINARY /d "9012078012000000"2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "FontSmoothing" /t REG_SZ /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\DWM" /v "AlwaysHibernateThumbnails" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\DWM" /v "ListviewShadow" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DelayedDesktopSwitchTimeout" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "RunStartupScriptSync" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\bcdedit.exebcdedit /set bootuxdisabled on2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set bootmenupolicy standard2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set quietboot yes2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "2000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "20" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\Setup\LabConfig" /v "BypassTPMCheck" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\Setup\LabConfig" /v "BypassRAMCheck" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\Setup\LabConfig" /v "BypassSecureBootCheck" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\Setup\MoSetup" /v "AllowUpgradesWithUnsupportedTPMOrCPU" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "BranchReadinessLevel" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\sc.exesc config WerSvc start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WecSvc start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\AppV\CEIP" /v "CEIPEnable" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Messenger\Client" /v "CEIP" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\MSDeploy\3" /v "EnableTelemetry" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "MaxTelemetryAllowed" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableTelemetryOptInChangeNotification" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableTelemetryOptInSettingsUx" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowCommercialDataPipeline" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableEnterpriseAuthProxy" /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowDesktopAnalyticsProcessing" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "MicrosoftEdgeDataOptIn" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "DiagTrackAuthorization" /t REG_DWORD /d "775" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "DiagTrackStatus" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "UploadPermissionReceived" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TraceManager" /v "MiniTraceSlotContentPermitted" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TraceManager" /v "MiniTraceSlotEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Policies\Microsoft\Windows\CloudContent" /v "disabletailoredexperiencesWithDiagnosticData" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "DisableDiagnosticDataViewer" /T REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DiagSvc start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput" /v "AllowLinguisticDataCollection" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "InsightsEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "DisableTaggedEnergyLogging" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxApplication" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxTagPerApplication" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\Maps" /v "AutoDownloadAndUpdateMapData" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\Maps" /v "AllowUntriggeredNetworkTrafficOnSettingsPage" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\sc.exesc config MapsBroker start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaConsent" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "AllowCortana" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\sc.exesc config WbioSrvc start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\setx.exesetx DOTNET_CLI_TELEMETRY_OPTOUT 12⤵
-
-
C:\Windows\system32\setx.exesetx POWERSHELL_TELEMETRY_OPTOUT 12⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB1" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB2" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RestrictAnonymous" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RestrictAnonymousSAM" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Services\NetBT\Parameters\Interfaces" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Services\NetBT\Parameters\Interfaces" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\NetBT\Parameters" /v "NodeType" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Services\NetBT\Parameters" /v "NodeType" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Services\NetBT\Parameters" /v "NodeType" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\sc.exesc stop LanmanWorkstation2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config LanmanWorkstation start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\LanManServer\Parameters" /v "DisableCompression" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "AuditLevel" /t REG_DWORD /d "8" /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation" /v "AllowProtectedCreds" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdminOutboundCreds" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d "1" /f2⤵
- Boot or Logon Autostart Execution: LSASS Driver
- Access Token Manipulation: Create Process with Token
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "Negotiate" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "UseLogonCredential" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\net.exenet user defaultuser0 /delete2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user defaultuser0 /delete3⤵
-
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\.NetFramework\v4.0.30319" /v "SchUseStrongCrypto" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\WOW6432Node\Microsoft\.NETFramework\v4.0.30319" /v "SchUseStrongCrypto" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete HKEY_CLASSES_ROOT\ms-msdt /f2⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exeReg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "InstallationType"2⤵
-
-
C:\Windows\system32\find.exefind /I "Server Core"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /format:value2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get TotalVisibleMemorySize /format:value3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "4193772" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "4193772" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "4193772" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "IOPageLockLimit" /t REG_DWORD /d "4193772" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "HeapDeCommitFreeBlockThreshold" /t REG_DWORD /d "262144" /f2⤵
-
-
C:\Windows\system32\bcdedit.exebcdedit /set pae ForceEnable2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -Command $ErrorActionPreference = 'SilentlyContinue';Disable-NetAdapterPowerManagement -Name "*";Set-NetOffloadGlobalSetting -PacketCoalescingFilter Disabled -Chimney Disabled;Set-NetTCPSetting -SettingName "Internet" -MemoryPressureProtection Disabled2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh interface ip show interface | findstr /I "connected"2⤵
-
C:\Windows\system32\netsh.exenetsh interface ip show interface3⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\findstr.exefindstr /I "connected"3⤵
-
-
-
C:\Windows\system32\netsh.exenetsh interface ipv6 set interface 1 weakhostreceive=enabled weakhostsend=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh interface ipv4 set interface 1 weakhostreceive=enabled weakhostsend=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh interface ipv6 set interface 3 weakhostreceive=enabled weakhostsend=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh interface ipv4 set interface 3 weakhostreceive=enabled weakhostsend=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global ecncapability=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh int tcp show supplemental | findstr /I "template"2⤵
-
C:\Windows\system32\netsh.exenetsh int tcp show supplemental3⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\findstr.exefindstr /I "template"3⤵
-
-
-
C:\Windows\system32\netsh.exenetsh int tcp set supplemental internet CongestionProvider=bbr22⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\MSMQ\Parameters" /v "TCPNoDelay" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards" /f "ServiceName" /s |findstr /i /l "ServiceName"2⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards" /f "ServiceName" /s3⤵
-
-
C:\Windows\system32\findstr.exefindstr /i /l "ServiceName"3⤵
-
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD78E13A-39B3-44FB-82FC-64E8283FE9F9}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD78E13A-39B3-44FB-82FC-64E8283FE9F9}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AD78E13A-39B3-44FB-82FC-64E8283FE9F9}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\netsh.exenetsh winsock set autotuning on2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic cpu get numberOfCores /format:value2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get numberOfCores /format:value3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /k /v /f "Description" /s /e | findstr /ri "REG_SZ"2⤵
-
C:\Windows\system32\reg.exeReg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards" /k /v /f "Description" /s /e3⤵
-
-
C:\Windows\system32\findstr.exefindstr /ri "REG_SZ"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" /s /f "RTL8139C+ Fast Ethernet NIC" /d | findstr /C:"HKEY"2⤵
-
C:\Windows\system32\reg.exeReg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" /s /f "RTL8139C+ Fast Ethernet NIC" /d3⤵
-
-
C:\Windows\system32\findstr.exefindstr /C:"HKEY"3⤵
-
-
-
C:\Windows\system32\reg.exeReg export "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" "C:\Backup\(Default) RTL8139C+ Fast Ethernet NIC.reg" /y2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnMagicPacket" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*WakeOnPattern" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WakeOnLink" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "S5WakeOnLan" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "WolShutdownLinkSpeed" /t REG_SZ /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*ModernStandbyWoLMagicPacket " /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*DeviceSleepOnDisconnect" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*NicAutoPowerSaver" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*FlowControl" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*EEE" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePME" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EEELinkAdvertisement" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ReduceSpeedOnPowerDown" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerSavingMode" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableGreenEthernet" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ULPMode" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "GigaLite" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableSavePowerNow" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnablePowerManagement" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableDynamicPowerGating" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "EnableConnectedPowerGating" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoPowerSaveModeEnabled" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AutoDisableGigabit" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AdvancedEEE" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PowerDownPll" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "S5NicKeepOverrideMacAddrV2" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "MIMOPowerSaveMode" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "AlternateSemaphoreDelay" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*interruptmoderation" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "JumboPacket" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ITR" /t REG_SZ /d "125" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ReceiveBuffers" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TransmitBuffers" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "ThroughputBoosterEnabled" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "PnPCapabilities" /t REG_DWORD /d "24" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV1IPv4" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv4" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "LsoV2IPv6" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TCPUDPChecksumOffloadIPv4" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TCPUDPChecksumOffloadIPv6" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "UDPChecksumOffloadIPv4" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "UDPChecksumOffloadIPv6" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TCPChecksumOffloadIPv4" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "TCPChecksumOffloadIPv6" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "IPChecksumOffloadIPv4" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "IPsecOffloadV1IPv4" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "IPsecOffloadV2" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*IPsecOffloadV2IPv4" /t REG_SZ /d "3" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMARPOffload" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMNSOffload" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*PMWiFiRekeyOffload" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "RSS" /t REG_SZ /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*NumRssQueues" /t REG_SZ /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*RssBaseProcNumber" /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001" /v "*RssMaxProcNumber" /f2⤵
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global rss=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport udp start=1025 num=645112⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exenetsh int ipv4 set dynamicport tcp start=1025 num=645112⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\netsh.exeNetsh int ip set global taskoffload=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\system32\reg.exeReg add HKLM\System\CurrentControlSet\Services\TCPIP\Parameters /v DisableTaskOffload /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\reg.exeReg add HKLM\System\CurrentControlSet\Services\Ipsec /v EnabledOffload /t REG_DWORD /d 1 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\sc.exesc query MMCSS2⤵
- Launches sc.exe
-
-
C:\Windows\system32\find.exefind "STOPPED"2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "8" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "IOMMUFlags" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path Win32_VideoController get PNPDeviceID | find "PCI\VEN_"2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path Win32_VideoController get PNPDeviceID3⤵
-
-
C:\Windows\system32\find.exefind "PCI\VEN_"3⤵
-
-
-
C:\Windows\system32\reg.exereg query "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported"2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /h off2⤵
- Power Settings
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\microsoft\windows\power efficiency diagnostics\analyzesystem" /disable2⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil set-log "Microsoft-Windows-SleepStudy/Diagnostic" /e:False2⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil set-log "Microsoft-Windows-Kernel-Processor-Power/Diagnostic" /e:False2⤵
-
-
C:\Windows\system32\wevtutil.exewevtutil set-log "Microsoft-Windows-UserModePowerService/Diagnostic" /e:False2⤵
-
-
C:\Windows\system32\reg.exeReg query "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation"2⤵
-
-
C:\Windows\system32\find.exefind "0x18"2⤵
-
-
C:\Windows\system32\reg.exeReg query "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation"2⤵
-
-
C:\Windows\system32\find.exefind "0x26"2⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set memoryusage 22⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set mftzone 22⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disabledeletenotify 02⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set encryptpagingfile 02⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disable8dot3 12⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disablecompression 12⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk where "DriveType='3' and DeviceID='C:'" get DeviceID2⤵
-
-
C:\Windows\system32\find.exefind "C:"2⤵
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disableLastAccess 02⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\FileSystem" /v "NtfsDisableLastAccessUpdate" /t REG_DWORD /d "2147483648" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Control\FileSystem" /v "NtfsDisableLastAccessUpdate" /t REG_DWORD /d "2147483648" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Control\FileSystem" /v "NtfsDisableLastAccessUpdate" /t REG_DWORD /d "2147483648" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Services\NvTelemetryContainer" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\sc.exesc stop NvTelemetyContainer2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config NvTelemetyContainer start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\NVIDIA Corporation\NvControlPanel2\Client" /v "OptInOrOutPreference" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Services\nvlddmkm\Global\Startup" /v "SendTelemetryData" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\NVIDIA Corporation\Global\FTS" /v "EnableRID44231" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\NVIDIA Corporation\Global\FTS" /v "EnableRID64640" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\NVIDIA Corporation\Global\FTS" /v "EnableRID66610" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exeReg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "NvBackend" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /disable /tn "NvTmRep_CrashReport1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /disable /tn "NvTmRep_CrashReport2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /disable /tn "NvTmRep_CrashReport3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /change /disable /tn "NvTmRep_CrashReport4_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA" | findstr "HKEY"2⤵
-
C:\Windows\system32\reg.exeReg query "HKLM\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}" /t REG_SZ /s /e /f "NVIDIA"3⤵
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵
-
-
-
C:\Windows\system32\bcdedit.exebcdedit /deletevalue useplatformclock2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exebcdedit /set useplatformtick yes2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f2⤵
- Power Settings
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\System\Services\NetBT\Parameters" /v "CsEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\System\Services\NetBT\Parameters" /v "CsEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\System\Services\NetBT\Parameters" /v "CsEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\System\Services\NetBT\Parameters" /v "PlatformAoAcOverride" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\System\Services\NetBT\Parameters" /v "PlatformAoAcOverride" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\System\Services\NetBT\Parameters" /v "PlatformAoAcOverride" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /delete eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /setactive eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /delete bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor THROTTLING 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_none DEVICEIDLE 02⤵
- Power Settings
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo AMD64 Family 6 Model 13 Stepping 2, AuthenticAMD "2⤵
-
-
C:\Windows\system32\find.exefind /I "Intel"2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\48df9d60-4f68-11dc-8314-0800200c9a66\07029cd8-4664-4698-95d8-43b2e9666596" /v "ACSettingIndex" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet001\Control\Power\PowerSettings\48df9d60-4f68-11dc-8314-0800200c9a66\07029cd8-4664-4698-95d8-43b2e9666596" /v "ACSettingIndex" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\ControlSet002\Control\Power\PowerSettings\48df9d60-4f68-11dc-8314-0800200c9a66\07029cd8-4664-4698-95d8-43b2e9666596" /v "ACSettingIndex" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFAUTONOMOUS 12⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFAUTONOMOUSWINDOW 10002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFEPP 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 12⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PERFBOOSTPOL 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_SLEEP UNATTENDSLEEP 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_IR DEEPSLEEP 02⤵
- Power Settings
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo AMD64 Family 6 Model 13 Stepping 2, AuthenticAMD "2⤵
-
-
C:\Windows\system32\find.exefind /I "Intel"2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_INTSTEER UNPARKTIME 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current SUB_INTSTEER PERPROCLOAD 100002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 1002⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor SHORTSCHEDPOLICY 22⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setacvalueindex scheme_current sub_processor SCHEDPOLICY 22⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /change standby-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /change monitor-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg /change hibernate-timeout-ac 02⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_current2⤵
- Power Settings
-
-
C:\Windows\system32\powercfg.exepowercfg -changename scheme_current "CoutX Ultimate Performance" "For CoutX Optimizer 2.1.1 (dsc.gg/CoutX) By UnLovedCookie"2⤵
- Power Settings
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableDeviceThrottling2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableDeviceThrottlingRan2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableMitigations2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableMitigationsgRan2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableGPUThrottling2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableGPUThrottlingRan2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableCPUThrottling2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v DisableCPUThrottlingRan2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v ExTweaks2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\reg.exeReg query HKCU\Software\CoutX /v ExTweaksRan2⤵
- Modifies registry key
-
-
C:\Windows\system32\find.exefind "0x1"2⤵
-
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns2⤵
- Gathers network information
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im regedit.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im MinSudo.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im fsutil.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1LSASS Driver
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Power Settings
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
2Active Setup
1LSASS Driver
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Hide Artifacts
1Ignore Process Interrupts
1Impair Defenses
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD59636f428724c125014d71601fc6a2a16
SHA17246a2e8545eba3ba4fa35442f619a8901deb9dc
SHA2567266871f7142e94cbefef7cd60d05e78e9f056cc003bb9019c95cefc5632348c
SHA5125cd278b7e6077c7bda61395219ed53ef271179acd8521e87fd09a39de5edacf0700f04560a6748b1a66a42d089f48faca93311427ed9d76f046c32a50cfc2cdd
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
226KB
MD501e525c496173f774321711523aaa2fb
SHA11b2219bec858054aeb5a8e8590b125f3b8568f9f
SHA2567f6746fb0e55ff98f30f3dd294c4ef5ac10eb752d946e97764baf5bd51f97061
SHA5126e20317bfed7f46101b324395b64f8c100bcec22591b2b5dc7de99fb65f4ae2c32e71cd74b3f9da933c513e44ceaed052f240182b243c234e436473feeb63319
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
128KB