Tasks (score per task as shown in the page's task tabs; file names truncated as on the page)

  score  task                 platform
  7      Static               static
  1      !!BEST TWE...he.exe  windows7-x64
  1      !!BEST TWE...he.exe  windows10-2004-x64
  1      !!BEST TWE...ng.bat  windows7-x64
  1      !!BEST TWE...ng.bat  windows10-2004-x64
  1      !!BEST TWE...SE.bat  windows7-x64
  1      !!BEST TWE...SE.bat  windows10-2004-x64
  1      !!BEST TWE...me.lnk  windows7-x64
  3      !!BEST TWE...me.lnk  windows10-2004-x64
  7      !!BEST TWE...rs.url  windows7-x64
  1      !!BEST TWE...rs.url  windows10-2004-x64
  1      !!BEST TWE...rs.url  windows7-x64
  1      !!BEST TWE...rs.url  windows10-2004-x64
  1      !!BEST TWE...rs.url  windows7-x64
  1      !!BEST TWE...rs.url  windows10-2004-x64
  1      !!BEST TWE...Us.cmd  windows7-x64
  1      !!BEST TWE...Us.cmd  windows10-2004-x64
  4      !!BEST TWE...ll.lnk  windows7-x64
  3      !!BEST TWE...ll.lnk  windows10-2004-x64
  7      !!BEST TWE...ps.lnk  windows7-x64
  3      !!BEST TWE...ps.lnk  windows10-2004-x64
  3      !!BEST TWE...er.ps1  windows7-x64
  3      !!BEST TWE...er.ps1  windows10-2004-x64
  3      !!BEST TWE...er.ps1  windows7-x64
  3      !!BEST TWE...er.ps1  windows10-2004-x64
  3      !!BEST TWE...ck.ps1  windows7-x64
  3      !!BEST TWE...ck.ps1  windows10-2004-x64
  3      !!BEST TWE...ts.ps1  windows7-x64
  3      !!BEST TWE...ts.ps1  windows10-2004-x64
  3      !!BEST TWE...or.ps1  windows7-x64
  3      !!BEST TWE...or.ps1  windows10-2004-x64
  3      !!BEST TWE...il.ps1  windows7-x64
  3      !!BEST TWE...il.ps1  windows10-2004-x64
Analysis (score 3; this report is the Windows 7 run of Disable USB Powersaving.bat, behavioral3 below)

  max time kernel:   120s
  max time network:  122s
  platform:          windows7_x64
  resource:          win7-20240611-en
  resource tags:     arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted:         01/07/2024, 01:29 (day/month: the win7-20240611 image did not exist in January 2024)
Static task

  static1

Behavioral tasks

  task          resource                sample
  behavioral1   win7-20240508-en        !!BEST TWEAKS/PC Cleanup/Clear Memory Cache.exe
  behavioral2   win10v2004-20240611-en  !!BEST TWEAKS/PC Cleanup/Clear Memory Cache.exe
  behavioral3   win7-20240611-en        !!BEST TWEAKS/Registry _ Batch/Disable USB Powersaving.bat
  behavioral4   win10v2004-20240508-en  !!BEST TWEAKS/Registry _ Batch/Disable USB Powersaving.bat
  behavioral5   win7-20240611-en        !!BEST TWEAKS/Registry _ Batch/EnableFSE.bat
  behavioral6   win10v2004-20240508-en  !!BEST TWEAKS/Registry _ Batch/EnableFSE.bat
  behavioral7   win7-20240508-en        !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/# Get Network Adapter Name.lnk
  behavioral8   win10v2004-20240611-en  !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/# Get Network Adapter Name.lnk
  behavioral9   win7-20240419-en        !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Ethernet Drivers.url
  behavioral10  win10v2004-20240508-en  !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Ethernet Drivers.url
  behavioral11  win7-20240611-en        !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Wifi Drivers.url
  behavioral12  win10v2004-20240508-en  !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Intel Wifi Drivers.url
  behavioral13  win7-20240508-en        !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Realtek Ethernet Drivers.url
  behavioral14  win10v2004-20240611-en  !!BEST TWEAKS/Windows Post-Installation Pack/# Get Network Drivers/Realtek Ethernet Drivers.url
  behavioral15  win7-20240508-en        !!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
  behavioral16  win10v2004-20240611-en  !!BEST TWEAKS/Windows Post-Installation Pack/1 Disable WUs/2 Disable WUs.cmd
  behavioral17  win7-20240221-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Revert/PowerShell.lnk
  behavioral18  win10v2004-20240611-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Revert/PowerShell.lnk
  behavioral19  win7-20240508-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Uninstall Apps.lnk
  behavioral20  win10v2004-20240508-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/# Uninstall Apps.lnk
  behavioral21  win7-20240220-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Builder.ps1
  behavioral22  win10v2004-20240508-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Builder.ps1
  behavioral23  win7-20231129-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Viewer - Mixed Reality Viewer.ps1
  behavioral24  win10v2004-20240611-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall 3D Viewer - Mixed Reality Viewer.ps1
  behavioral25  win7-20240611-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Alarms and Clock.ps1
  behavioral26  win10v2004-20240611-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Alarms and Clock.ps1
  behavioral27  win7-20240508-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Bing Sports.ps1
  behavioral28  win10v2004-20240508-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Bing Sports.ps1
  behavioral29  win7-20240221-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calculator.ps1
  behavioral30  win10v2004-20240508-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calculator.ps1
  behavioral31  win7-20240611-en        !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calendar and Mail.ps1
  behavioral32  win10v2004-20240611-en  !!BEST TWEAKS/Windows Post-Installation Pack/2 Debloat Windows/Safe Method/Uninstall Calendar and Mail.ps1
General

  Target:  !!BEST TWEAKS/Registry _ Batch/Disable USB Powersaving.bat
  Size:    518B
  MD5:     d8acddee643d3140daf6da682f37d120
  SHA1:    850731dec96cc29c2776f225cf286a65b5484cf3
  SHA256:  710fcbc4bd41fd8649b673d3d3b582246e44465e172eb6f148d0e0e01c34e25d
  SHA512:  95390224b68f68598e6a60782e2840fa981a8611b38577a4f06d67c1e38125923486155fb492bd9099adf993b68325ac958b13487a6d09dd10d0573719a15092
Malware Config

  (none extracted)

Signatures

Checks SCSI registry key(s) (3 TTPs, 52 IoCs)

  SCSI information is often read in order to detect sandboxing environments.

  In this run, however, every one of the 52 events comes from the 13 reg.exe instances in the process tree, each of which executes reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f <value name>. A recursive search of Enum necessarily opens, enumerates and queries Enum\SCSI and its per-device subkey (here Disk&Ven_Dell&Prod_THINAIR_DISK, the virtual machine's disk) on the way through the tree, and each reg.exe accounts for exactly four events (13 x 4 = 52). No process queries the SCSI branch on its own or inspects its contents, so this signature is a side effect of the recursive query rather than evidence of sandbox detection.

  description     ioc                                                                                  process  count
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                     reg.exe  13
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                     reg.exe  13
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                     reg.exe  13
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK     reg.exe  13
Suspicious use of WriteProcessMemory (64 IoCs)

  Every entry is a cmd.exe writing into a child it has just spawned; each parent/child pair is recorded three times, the pattern seen for every child in the process tree, so the signature reflects ordinary process creation here. The procid_target column is the report's own sequential process number, not a Windows PID. The list is cut off at 64 entries, after the first write into PID 2560.

  source PID  process  target PID  procid_target  writes
  3004        cmd.exe  1960        29             3
  1960        cmd.exe  3024        30             3
  1960        cmd.exe  2612        31             3
  3004        cmd.exe  2576        32             3
  2576        cmd.exe  2620        33             3
  2576        cmd.exe  2676        34             3
  3004        cmd.exe  2680        35             3
  2680        cmd.exe  2696        36             3
  2680        cmd.exe  2768        37             3
  3004        cmd.exe  2852        38             3
  2852        cmd.exe  2672        39             3
  2852        cmd.exe  2628        40             3
  3004        cmd.exe  2708        41             3
  3004        cmd.exe  2652        42             3
  2652        cmd.exe  2604        43             3
  2652        cmd.exe  2476        44             3
  3004        cmd.exe  2328        45             3
  2328        cmd.exe  2840        46             3
  2328        cmd.exe  2632        47             3
  3004        cmd.exe  2504        48             3
  2504        cmd.exe  2728        49             3
  2504        cmd.exe  2560        50             1 (list truncated)
Processes

  Tree reconstructed from the page's depth markers; indentation shows parent/child. All images live in C:\Windows\system32\. Signatures raised by a process are given in brackets.

  3004  cmd.exe      cmd /c "C:\Users\Admin\AppData\Local\Temp\!!BEST TWEAKS\Registry _ Batch\Disable USB Powersaving.bat"   [Suspicious use of WriteProcessMemory]
    1960  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"   [Suspicious use of WriteProcessMemory]
      3024  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"   [Checks SCSI registry key(s)]
      2612  findstr.exe  findstr "HKEY"
    2576  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"   [Suspicious use of WriteProcessMemory]
      2620  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"   [Checks SCSI registry key(s)]
      2676  findstr.exe  findstr "HKEY"
    2680  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"   [Suspicious use of WriteProcessMemory]
      2696  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"   [Checks SCSI registry key(s)]
      2768  findstr.exe  findstr "HKEY"
    2852  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"   [Suspicious use of WriteProcessMemory]
      2672  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"   [Checks SCSI registry key(s)]
      2628  findstr.exe  findstr "HKEY"
    2708  reg.exe      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f
    2652  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"   [Suspicious use of WriteProcessMemory]
      2604  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"   [Checks SCSI registry key(s)]
      2476  findstr.exe  findstr "HKEY"
    2328  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"   [Suspicious use of WriteProcessMemory]
      2840  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"   [Checks SCSI registry key(s)]
      2632  findstr.exe  findstr "HKEY"
    2504  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"   [Suspicious use of WriteProcessMemory]
      2728  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"   [Checks SCSI registry key(s)]
      2560  findstr.exe  findstr "HKEY"
    2812  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"
      2808  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"   [Checks SCSI registry key(s)]
      2704  findstr.exe  findstr "HKEY"
    2496  reg.exe      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f
    2644  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"
      2636  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"   [Checks SCSI registry key(s)]
      2584  findstr.exe  findstr "HKEY"
    2532  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"
      2468  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"   [Checks SCSI registry key(s)]
      2464  findstr.exe  findstr "HKEY"
    2484  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"
      2500  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"   [Checks SCSI registry key(s)]
      2536  findstr.exe  findstr "HKEY"
    2544  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"
      2364  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"   [Checks SCSI registry key(s)]
      2928  findstr.exe  findstr "HKEY"
    2980  cmd.exe      C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"
      2528  reg.exe      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"   [Checks SCSI registry key(s)]
      2320  findstr.exe  findstr "HKEY"

  Reading the tree: the script loops over 13 power-management value names; for each it runs a recursive reg query over the whole device enumeration tree, filters the output down to key paths with findstr "HKEY", and then issues a reg.exe add /f that forces the value to 0 under every key that matched. Only two queries matched anything in this VM (DeviceSelectiveSuspended and ExtPropDescSemaphore), both under USB\VID_0627&PID_0001, the vendor/product ID of QEMU's emulated USB tablet, so the two writes say more about the sandbox's hardware than about the script. Nothing persists, touches the network, or runs outside reg.exe and findstr.exe.
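The following batch file is an added reconstruction of the sample's logic, written here from the command lines visible in the process tree; it is not the text of the 518-byte original, which the report does not show. It assumes the script iterates the 13 names in the order the reg.exe instances appear and that each key passed to reg.exe add comes straight from findstr's output (both consistent with the tree, where every add is a direct child of the script's cmd.exe and every query is a cmd /c child, which is how for /f runs a command).

```batch
@echo off
setlocal

rem Added reconstruction of the sample's logic from the sandbox process tree.
rem It is NOT the original 518-byte file, whose text the report does not show.
rem The 13 value names are the ones the reg.exe instances searched for, in the
rem order they appear in the tree.
set "NAMES=EnhancedPowerManagementEnabled AllowIdleIrpInD3 EnableSelectiveSuspend DeviceSelectiveSuspended SelectiveSuspendEnabled SelectiveSuspendOn EnumerationRetryCount ExtPropDescSemaphore WaitWakeEnabled D3ColdSupported WdfDirectedPowerTransitionEnable EnableIdlePowerManagement IdleInWorkingState"

rem For each name: "for /f" runs the quoted command through "cmd /c", which is
rem why each query appears in the tree as cmd.exe spawning reg.exe and
rem findstr.exe. "reg query /s /f" walks the whole Enum tree, SCSI branch
rem included, which is what fires the SCSI registry signature in the report.
rem findstr "HKEY" keeps only the key-path lines of reg's output, dropping the
rem value lines and the "End of search" footer, so %%K is a full key path.
rem Each matching key then gets one "reg.exe add" as a direct child of the
rem script's own cmd.exe, exactly as the two add calls appear in the tree.
for %%V in (%NAMES%) do (
    for /f "delims=" %%K in ('reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "%%V" ^| findstr "HKEY"') do (
        reg.exe add "%%K" /v "%%V" /t REG_DWORD /d "0" /f
    )
)

endlocal
```

Run it from an elevated cmd.exe: the writes go under HKLM and /f overwrites without prompting, so there is no confirmation step. Two things a practitioner should notice. First, /f without /v matches key names and data as well as value names, and the search root is the entire Enum tree, so on a real machine the add can land on non-USB devices whose parameters happen to carry one of these names; restricting the root to HKLM\SYSTEM\CurrentControlSet\Enum\USB and adding /v to the query (match value names only) would both narrow the writes and stop the SCSI branch from being walked at all. Second, the sandbox result is hardware-dependent: the only two hits in this run were under the QEMU USB tablet device, so a run on different hardware would produce a different set of reg.exe add lines.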