hxxps://tweakcentral[.]net/downloads/azurite

Resubmissions

05-09-2024 16:43

240905-t8j2xswbkf 3

05-09-2024 16:35

240905-t34jdawakf 9

05-09-2024 16:34

240905-t3hxnswajh 3

Analysis

max time kernel
192s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 16:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://tweakcentral.net/downloads/azurite

Score

9^/10

discovery evasion execution lateral_movement persistence privilege_escalation ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

5164 bcdedit.exe
5880 bcdedit.exe
5932 bcdedit.exe
5920 bcdedit.exe
6028 bcdedit.exe

pid	process
5164	bcdedit.exe
5880	bcdedit.exe
5932	bcdedit.exe
5920	bcdedit.exe
6028	bcdedit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Azurite.exeAzurite.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Azurite.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Azurite.exe

Executes dropped EXE 6 IoCs

Processes:

Azurite Setup 1.1.12.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exe

pid process

1688 Azurite Setup 1.1.12.exe
5044 Azurite.exe
3764 Azurite.exe
3472 Azurite.exe
4060 Azurite.exe
1828 Azurite.exe

Loads dropped DLL 22 IoCs

Processes:

Azurite Setup 1.1.12.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exe

pid	process
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
5044	Azurite.exe
3764	Azurite.exe
3472	Azurite.exe
4060	Azurite.exe
3764	Azurite.exe
3764	Azurite.exe
3764	Azurite.exe
1828	Azurite.exe
1828	Azurite.exe
1828	Azurite.exe
1828	Azurite.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1704 powershell.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

Azurite.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini Azurite.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

94 discord.com
95 discord.com

pid	process
1704	powershell.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-2392887640-1187051047-2909758433-1000\desktop.ini	Azurite.exe

flow	ioc
94	discord.com
95	discord.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe

Power Settings 1 TTPs 2 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exe

pid process

5432 powercfg.exe
2224 powercfg.exe
Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs
Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).
lateral_movement

SMB/Windows Admin Shares
T1021.002

Processes:

reg.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes reg.exe

pid	process
5432	powercfg.exe
2224	powercfg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters\NullSessionPipes	reg.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 4 IoCs

Processes:

Azurite.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\domgmt.20240802_122808_115.etl	Azurite.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\domgmt.20240802_192704_380.etl	Azurite.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20240802_122755_943.etl	Azurite.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20240802_123137_200.etl	Azurite.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Azurite Setup 1.1.12.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Azurite Setup 1.1.12.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Azurite Setup 1.1.12.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2372	reg.exe
1040	reg.exe
4460	reg.exe
3412	reg.exe
5224	reg.exe
4756	reg.exe
3856	reg.exe
4852	reg.exe
4084	reg.exe
5940	reg.exe
1532	reg.exe
5732	reg.exe
5668	reg.exe
5188	reg.exe
5856	reg.exe
2840	reg.exe
5824	reg.exe
3096	reg.exe
2676	cmd.exe
5612	reg.exe
5828	reg.exe
4460	reg.exe
396	reg.exe
5960	reg.exe
5428	reg.exe
1848	reg.exe
2344	reg.exe
4756	reg.exe
5648	reg.exe
6064	reg.exe
5412	reg.exe
5888	reg.exe
5656	reg.exe
5908	reg.exe
5604	reg.exe
5636	reg.exe
2060	reg.exe
4736	reg.exe
5732	reg.exe
5748	reg.exe
2408	reg.exe
3496	reg.exe
3464	reg.exe
5596	reg.exe
6116	reg.exe
3496	reg.exe
2408	reg.exe
5752	reg.exe
4704	reg.exe
4116	reg.exe
1396	reg.exe
5844	reg.exe
5848	reg.exe
5164	reg.exe
1128	reg.exe
5804	reg.exe
6012	reg.exe
3412	reg.exe
2344	reg.exe
1828	reg.exe
440	reg.exe
1040	reg.exe
6076	reg.exe
2624	reg.exe

System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
discovery

System Time Discovery
T1124

Processes:

netsh.exe

pid process

5836 netsh.exe

pid	process
5836	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exevssvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport\MinimumIdleTimeoutInMS	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\DefaultRequestFlags	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ClassGUID	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Address	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ContainerID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\InitialTimestamp	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LocationInformation	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport\PowerCycleCount	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UINumber	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Driver	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	reg.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	reg.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

chrome.exeLogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700277710565621"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{36104DBE-6F64-4050-8F40-25E79789C508}	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2364	reg.exe
3952	reg.exe
1704	reg.exe
5648	reg.exe
4880	reg.exe
1532	reg.exe
6028	reg.exe
1696	reg.exe
5064	reg.exe
1320	reg.exe
5676	reg.exe
4852	reg.exe
5104	reg.exe
1040	reg.exe
1040	reg.exe
996	reg.exe
2408	reg.exe
4040	reg.exe
4460	reg.exe
4880	reg.exe
440	reg.exe
5064	reg.exe
3952	reg.exe
1704	reg.exe
3856	reg.exe
3412	reg.exe
5104	reg.exe
5532	reg.exe
6004	reg.exe
3720	reg.exe
4184	reg.exe
1780	reg.exe
4756	reg.exe
5888	reg.exe
408	reg.exe
4432	reg.exe
1780	reg.exe
3464	reg.exe
3796	reg.exe
4380	reg.exe
1704	reg.exe
5528	reg.exe
5252	reg.exe
5824	reg.exe
6096	reg.exe
220	reg.exe
840	reg.exe
1960	reg.exe
1040	reg.exe
6056	reg.exe
2840	reg.exe
3412	reg.exe
5368	reg.exe
2344	reg.exe
4312	reg.exe
3464	reg.exe
1752	reg.exe
2408	reg.exe
3856	reg.exe
5392	reg.exe
5828	reg.exe
4852	reg.exe
1828	reg.exe
1532	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Azurite.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Azurite.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Azurite.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Azurite.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1492 schtasks.exe

pid	process
1492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

chrome.exeAzurite Setup 1.1.12.exeAzurite.exeAzurite.exeAzurite.exepowershell.exechrome.exeAzurite.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4188	chrome.exe
4188	chrome.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
1688	Azurite Setup 1.1.12.exe
5044	Azurite.exe
5044	Azurite.exe
5044	Azurite.exe
5044	Azurite.exe
3472	Azurite.exe
3472	Azurite.exe
4060	Azurite.exe
4060	Azurite.exe
1704	powershell.exe
1704	powershell.exe
1704	powershell.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
2296	chrome.exe
1828	Azurite.exe
1828	Azurite.exe
1828	Azurite.exe
1828	Azurite.exe
5140	msedge.exe
5140	msedge.exe
2696	msedge.exe
2696	msedge.exe
5772	msedge.exe
5772	msedge.exe
208	identity_helper.exe
208	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exemsedge.exe

pid process

4188 chrome.exe
4188 chrome.exe
2696 msedge.exe
2696 msedge.exe
2696 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Azurite.exeAzurite.exeAzurite.exeAzurite.exeAzurite.exeLogonUI.exe

pid process

5044 Azurite.exe
3764 Azurite.exe
3472 Azurite.exe
4060 Azurite.exe
1828 Azurite.exe
5828 LogonUI.exe

pid	process
5044	Azurite.exe
3764	Azurite.exe
3472	Azurite.exe
4060	Azurite.exe
1828	Azurite.exe
5828	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4188 wrote to memory of 2360	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 2360	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 1980	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 2876	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 2876	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe
PID 4188 wrote to memory of 4652	4188	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tweakcentral.net/downloads/azurite
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed34ecc40,0x7ffed34ecc4c,0x7ffed34ecc58
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2180 /prefetch:3
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2324 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
2⤵
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4328 /prefetch:8
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5176,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5192 /prefetch:8
2⤵
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5140,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5228 /prefetch:8
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5316,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4040 /prefetch:8
2⤵
PID:2712

C:\Users\Admin\Downloads\Azurite Setup 1.1.12.exe
"C:\Users\Admin\Downloads\Azurite Setup 1.1.12.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3676,i,11641737189817612125,6565833474140605134,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5564 /prefetch:8
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2296

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:464

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=gpu-process --field-trial-handle=1676,2327000054604236307,3606209794342702757,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1684 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,2327000054604236307,3606209794342702757,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2100 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=renderer --field-trial-handle=1676,2327000054604236307,3606209794342702757,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --standard-schemes=app --secure-schemes=app --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\Azurite\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RmSvc
2⤵
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RmSvc /v Start
2⤵
PID:1556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RmSvc /v Start
2⤵
PID:1828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\xinputhid\Parameters
2⤵
- Modifies registry key
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\WUDFRd\Parameters
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\WpdUpFltr\Parameters
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vwififlt\Parameters
2⤵
PID:4904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vwififlt\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vdrvroot\Parameters
2⤵
PID:3252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\vdrvroot\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBXHCI\Parameters
2⤵
PID:5096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBXHCI\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBXHCI\Parameters /v DmaRemappingCompatible
2⤵
PID:5012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBHUB3\Parameters
2⤵
- Modifies registry key
PID:408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\USBHUB3\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\umbus\Parameters
2⤵
- Modifies registry key
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\umbus\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry key
PID:2408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\storahci\Parameters
2⤵
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\storahci\Parameters /v DmaRemappingCompatible
2⤵
PID:3252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\storahci\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry key
PID:2344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\stornvme\Parameters
2⤵
PID:4084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\stornvme\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\stornvme\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3496

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisVirtualBus\Parameters
2⤵
PID:3096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisVirtualBus\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry key
PID:3464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\msisadrv\Parameters
2⤵
PID:5096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\msisadrv\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\mouhid\Parameters
2⤵
PID:1848

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\mouhid\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3496

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\monitor\Parameters
2⤵
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\monitor\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\intelpep\Parameters
2⤵
PID:4420

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\intelpep\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\CompositeBus\Parameters
2⤵
- Modifies registry key
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\CompositeBus\Parameters /v DmaRemappingCompatible
2⤵
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicRender\Parameters
2⤵
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicRender\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicDisplay\Parameters
2⤵
- Modifies registry key
PID:4312

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\BasicDisplay\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\acpipagr\Parameters
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\acpi\Parameters
2⤵
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\acpi\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry key
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\partmgr\Parameters
2⤵
PID:4904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\partmgr\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\xinputhid\Parameters
2⤵
- Modifies registry key
PID:5104

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\pci\Parameters
2⤵
- Modifies registry key
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\pci\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\pci\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\HDAudBus\Parameters
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\HDAudBus\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisWan\Parameters
2⤵
PID:220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\NdisWan\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry key
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\kbhid\Parameters
2⤵
PID:3412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\kbdclass\Parameters
2⤵
PID:4756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\kbdclass\Parameters /v DmaRemappingCompatible
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\ControlSet001\Services\intellppm\Parameters
2⤵
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
2⤵
- Modifies registry key
PID:220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency
2⤵
PID:5064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency
2⤵
PID:3952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting"
2⤵
PID:3096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v DontSendAdditionalData
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting"
2⤵
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v LoggingDisabled
2⤵
PID:840

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent"
2⤵
PID:4964

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultOverrideBehavior
2⤵
PID:4904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent"
2⤵
PID:1128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultConsent
2⤵
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultConsent
2⤵
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
2⤵
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\FindMyDevice
2⤵
- Modifies registry key
PID:4460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\FindMyDevice
2⤵
PID:4208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance"
2⤵
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v MaintenanceDisabled
2⤵
PID:3436

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v MaintenanceDisabled
2⤵
PID:396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
2⤵
PID:512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\GraphicsDrivers
2⤵
PID:2252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\GraphicsDrivers /v HwSchedMode
2⤵
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications
2⤵
PID:4824

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications /v GlobalUserDisabled
2⤵
PID:4004

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Search
2⤵
PID:396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Search /v BackgroundAppGlobalToggle
2⤵
PID:2344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack
2⤵
PID:4312

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v ShowedToastAtLevel
2⤵
PID:2252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v ShowedToastAtLevel
2⤵
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v AllowTelemetry
2⤵
PID:512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
2⤵
PID:220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v MaxTelemetryAllowed
2⤵
- Modifies registry key
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLowDiskSpaceChecks
2⤵
PID:1780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLowDiskSpaceChecks
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:1128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LinkResolveIgnoreLinkInfo
2⤵
- Modifies registry key
PID:840

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LinkResolveIgnoreLinkInfo
2⤵
PID:3464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:4432

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveSearch
2⤵
PID:5104

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveSearch
2⤵
PID:4116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:1696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveTrack
2⤵
PID:4388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveTrack
2⤵
PID:3464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInternetOpenWith
2⤵
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInternetOpenWith
2⤵
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
2⤵
PID:4824

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInstrumentation
2⤵
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
2⤵
- Modifies registry key
PID:3464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\Power\PowerThrottling
2⤵
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
2⤵
PID:1688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced /v Start_TrackProgs
2⤵
PID:1696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced /v Start_TrackProgs
2⤵
- Modifies registry key
PID:3952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\International\User Profile"
2⤵
PID:5096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut
2⤵
PID:4460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Personalization
2⤵
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppCompat
2⤵
- Modifies registry key
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppCompat
2⤵
PID:1696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Speech
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\Explorer
2⤵
- Modifies registry key
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Policies\Microsoft\Windows\Explorer /v NoRemoteDestinations
2⤵
PID:5064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy
2⤵
PID:4116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy /v TailoredExperiencesWithDiagnosticDataEnabled
2⤵
PID:4012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy /v TailoredExperiencesWithDiagnosticDataEnabled
2⤵
PID:1696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Search
2⤵
PID:4904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\InputPersonalization
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\InputPersonalization
2⤵
PID:396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform"
2⤵
PID:840

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket
2⤵
PID:3496

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket
2⤵
PID:1556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo
2⤵
PID:4388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\DataCollection
2⤵
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\DataCollection /v LimitEnhancedDiagnosticDataWindowsAnalytics
2⤵
PID:4964

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Maps
2⤵
- Modifies registry key
PID:3796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Maps
2⤵
PID:512

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\TabletPC
2⤵
PID:1556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\TabletPC /v PreventHandwritingDataSharing
2⤵
PID:1848

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\TabletPC /v PreventHandwritingDataSharing
2⤵
- Modifies registry key
PID:2408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppCompat
2⤵
PID:3436

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search"
2⤵
PID:4432

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v ConnectedSearchUseWeb
2⤵
PID:4680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search"
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
2⤵
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v DoNotShowFeedbackNotifications
2⤵
PID:396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\PriorityControl
2⤵
- Modifies registry key
PID:1828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\PriorityControl /v Win32PrioritySeparation
2⤵
PID:4680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control\PriorityControl /v Win32PrioritySeparation
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\AppPrivacy
2⤵
- Modifies registry key
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel"
2⤵
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v DisableExceptionChainValidation
2⤵
PID:4420

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel"
2⤵
PID:3252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v KernelSEHOPEnabled
2⤵
PID:3208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile"
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex
2⤵
PID:3364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex
2⤵
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile"
2⤵
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness
2⤵
PID:3252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness
2⤵
PID:1128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile"
2⤵
PID:3436

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NoLazyMode
2⤵
PID:5012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games"
2⤵
PID:4904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v NoLazyMode
2⤵
PID:4680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM"
2⤵
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:4756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride
2⤵
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:1828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask
2⤵
PID:1320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:3952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableCfg
2⤵
PID:440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:4904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePageCombining
2⤵
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnablePrefetcher
2⤵
PID:1320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management"
2⤵
PID:2252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableSuperfetch
2⤵
PID:5104

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\FTH
2⤵
- Modifies registry key
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\FTH /v Enabled
2⤵
PID:3208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Microsoft\FTH /v Enabled
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AJRouter
2⤵
PID:3952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AJRouter /v Start
2⤵
PID:5064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AJRouter /v Start
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ALG
2⤵
PID:1780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ALG /v Start
2⤵
PID:3184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ALG /v Start
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppIDSvc
2⤵
- Modifies registry key
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppIDSvc /v Start
2⤵
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppIDSvc /v Start
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppMgmt
2⤵
PID:1780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppMgmt /v Start
2⤵
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppMgmt /v Start
2⤵
PID:440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppReadiness
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppReadiness /v Start
2⤵
PID:4004

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppReadiness /v Start
2⤵
PID:408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppVClient
2⤵
PID:4380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppVClient /v Start
2⤵
PID:3096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\AppVClient /v Start
2⤵
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\CertPropSvc
2⤵
PID:232

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\CertPropSvc /v Start
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\CertPropSvc /v Start
2⤵
PID:4388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\defragsvc
2⤵
- Modifies registry key
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\defragsvc /v Start
2⤵
- Modifies registry key
PID:4184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\defragsvc /v Start
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service
2⤵
PID:4420

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service /v Start
2⤵
- Modifies registry key
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service /v Start
2⤵
- Modifies registry key
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagsvc
2⤵
PID:2344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagsvc /v Start
2⤵
PID:1696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\diagsvc /v Start
2⤵
- Modifies registry key
PID:1780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\embeddedmode
2⤵
- Modifies registry key
PID:3412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\embeddedmode /v Start
2⤵
- Modifies registry key
PID:5104

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\embeddedmode /v Start
2⤵
PID:5064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\EntAppSvc
2⤵
PID:1688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\EntAppSvc /v Start
2⤵
- Modifies registry key
PID:3952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\EntAppSvc /v Start
2⤵
PID:4312

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache /v Start
2⤵
PID:4184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache /v Start
2⤵
PID:3364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0
2⤵
- Modifies registry key
PID:4432

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0 /v Start
2⤵
PID:1828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0 /v Start
2⤵
PID:3096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc
2⤵
- Modifies registry key
PID:996

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc /v Start
2⤵
PID:4756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc /v Start
2⤵
PID:4380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\LanmanServer
2⤵
PID:220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\LanmanServer /v Start
2⤵
- Modifies registry key
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\LanmanServer /v Start
2⤵
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\NaturalAuthentication
2⤵
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\NaturalAuthentication /v Start
2⤵
PID:1780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\NaturalAuthentication /v Start
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2pimsvc
2⤵
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2pimsvc /v Start
2⤵
PID:3096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2pimsvc /v Start
2⤵
PID:3796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2psvc
2⤵
PID:4824

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2psvc /v Start
2⤵
PID:3412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\p2psvc /v Start
2⤵
- Modifies registry key
PID:1780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\PcaSvc
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\PcaSvc /v Start
2⤵
PID:3184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\PcaSvc /v Start
2⤵
PID:3464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\QWAVE
2⤵
PID:4964

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\QWAVE /v Start
2⤵
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\QWAVE /v Start
2⤵
PID:4004

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteAccess
2⤵
PID:1688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteAccess /v Start
2⤵
PID:408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteAccess /v Start
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteRegistry
2⤵
- Modifies registry key
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteRegistry /v Start
2⤵
PID:4964

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RemoteRegistry /v Start
2⤵
PID:4004

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RpcLocator
2⤵
PID:4824

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RpcLocator /v Start
2⤵
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\RpcLocator /v Start
2⤵
PID:996

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SCardSvr
2⤵
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SCardSvr /v Start
2⤵
- Modifies registry key
PID:4380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SCardSvr /v Start
2⤵
PID:3184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ScDeviceEnum
2⤵
PID:3496

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ScDeviceEnum /v Start
2⤵
PID:4012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ScDeviceEnum /v Start
2⤵
- Modifies registry key
PID:5064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SEMgrSvc
2⤵
PID:3316

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SEMgrSvc /v Start
2⤵
PID:4312

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SEMgrSvc /v Start
2⤵
PID:1960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorDataService
2⤵
PID:1652

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorDataService /v Start
2⤵
PID:1556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorDataService /v Start
2⤵
PID:4380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorService
2⤵
- Modifies registry key
PID:440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorService /v Start
2⤵
PID:3856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensorService /v Start
2⤵
PID:2408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensrSvc
2⤵
- Modifies registry key
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensrSvc /v Start
2⤵
PID:4388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SensrSvc /v Start
2⤵
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SessionEnv
2⤵
PID:4052

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SessionEnv /v Start
2⤵
PID:4040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SessionEnv /v Start
2⤵
- Modifies registry key
PID:4756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SgrmBroker
2⤵
PID:4460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start
2⤵
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start
2⤵
PID:5012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SharedAccess
2⤵
PID:2344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SharedAccess /v Start
2⤵
PID:1396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\SharedAccess /v Start
2⤵
PID:232

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ShellHWDetection
2⤵
PID:4680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ShellHWDetection /v Start
2⤵
PID:1780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\ShellHWDetection /v Start
2⤵
PID:4904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\tzautoupdate
2⤵
PID:3720

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\tzautoupdate /v Start
2⤵
PID:3208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\tzautoupdate /v Start
2⤵
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control
2⤵
PID:3404

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout
2⤵
PID:3952

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout
2⤵
PID:2252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\Desktop"
2⤵
PID:4432

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\Desktop" /v AutoEndTasks
2⤵
PID:440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\Control Panel\Desktop" /v AutoEndTasks
2⤵
PID:220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\DWM
2⤵
PID:3796

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\DWM /v Composition
2⤵
- Modifies registry key
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\DWM /v Composition
2⤵
PID:408

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games"
2⤵
PID:1828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive"
2⤵
PID:1128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games"
2⤵
PID:2344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only"
2⤵
PID:4964

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only"
2⤵
PID:2364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\mouclass\Parameters
2⤵
PID:4536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\kbdclass\Parameters
2⤵
PID:1848

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize
2⤵
- Modifies registry key
PID:1320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize
2⤵
PID:4756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\Software\Policies\Microsoft\Windows\Psched
2⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\System\CurrentControlSet\Services\Tcpip\QoS
2⤵
PID:440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient"
2⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'Before Azurite Optimization' -RestorePointType 'MODIFY_SETTINGS'""
2⤵
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command "Checkpoint-Computer -Description 'Before Azurite Optimization' -RestorePointType 'MODIFY_SETTINGS'"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RmSvc /v Start /t REG_DWORD /d 3 /f
2⤵
PID:5544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\xinputhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5596

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\WUDFRd\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5648

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\WpdUpFltr\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:5700

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\vwififlt\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:5752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\vdrvroot\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5804

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\USBXHCI\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5856

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\USBHUB3\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5908

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\umbus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\storahci\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\stornvme\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\NdisVirtualBus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\msisadrv\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry key
PID:2840

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\mouhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5224

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\monitor\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5428

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\intelpep\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\CompositeBus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\BasicRender\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\BasicDisplay\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4084

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\acpipagr\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:5576

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\acpi\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:5596

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\partmgr\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:5680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\xinputhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5732

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\pci\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\HDAudBus\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:5836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\NdisWan\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry key
PID:5888

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\kbhid\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:5948

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\kbdclass\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
PID:6000

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\ControlSet001\Services\intellppm\Parameters /v DmaRemappingCompatible /t REG_DWORD /d 0 /f
2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:6076

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
2⤵
PID:6128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v DontSendAdditionalData /t REG_DWORD /d 1 /f
2⤵
PID:3240

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting" /v LoggingDisabled /t REG_DWORD /d 1 /f
2⤵
PID:5148

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultOverrideBehavior /t REG_DWORD /d 1 /f
2⤵
PID:5508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows\Windows Error Reporting\Consent" /v DefaultConsent /t REG_DWORD /d 0 /f
2⤵
PID:5504

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main /v AllowPrelaunch /t REG_DWORD /d 0 /f
2⤵
PID:4420

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\FindMyDevice /v AllowFindMyDevice /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:5532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\FindMyDevice /v LocationSyncEnabled /t REG_DWORD /d 0 /f
2⤵
PID:5564

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo /v Enabled /t REG_DWORD /d 0 /f
2⤵
PID:5640

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v MaintenanceDisabled /t REG_DWORD /d 1 /f
2⤵
PID:5692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v Enabled /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:5648

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\GraphicsDrivers /v HwSchedMode /t REG_DWORD /d 2 /f
2⤵
PID:5820

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications /v GlobalUserDisabled /t REG_DWORD /d 1 /f
2⤵
PID:5876

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Search /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
2⤵
PID:5928

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack /v ShowedToastAtLevel /t REG_DWORD /d 1 /f
2⤵
PID:5892

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v AllowTelemetry /t REG_DWORD /d 0 /f
2⤵
PID:5956

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v MaxTelemetryAllowed /t REG_DWORD /d 0 /f
2⤵
PID:6020

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLowDiskSpaceChecks /t REG_DWORD /d 1 /f
2⤵
PID:6100

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v LinkResolveIgnoreLinkInfo /t REG_DWORD /d 1 /f
2⤵
PID:220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveSearch /t REG_DWORD /d 1 /f
2⤵
PID:5228

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoResolveTrack /t REG_DWORD /d 1 /f
2⤵
PID:1008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInternetOpenWith /t REG_DWORD /d 1 /f
2⤵
PID:5444

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoInstrumentation /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:5528

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications /v NoTileApplicationNotification /t REG_DWORD /d 1 /f
2⤵
PID:5144

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\Power\PowerThrottling /v PowerThrottlingOff /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:3412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced /v Start_TrackProgs /t REG_DWORD /d 0 /f
2⤵
PID:5536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
2⤵
PID:5592

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Personalization /v NoLockScreenCamera /t REG_DWORD /d 1 /f
2⤵
PID:5604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /v DisableInventory /t REG_DWORD /d 1 /f
2⤵
- Modifies registry key
PID:5676

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /v DisableUAR /t REG_DWORD /d 1 /f
2⤵
PID:5844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Speech /v AllowSpeechModelUpdate /t REG_DWORD /d 0 /f
2⤵
PID:5820

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Policies\Microsoft\Windows\Explorer /v NoRemoteDestinations /t REG_DWORD /d 1 /f
2⤵
PID:5832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy /v TailoredExperiencesWithDiagnosticDataEnabled /t REG_DWORD /d 0 /f
2⤵
PID:5884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Search /v BingSearchEnabled /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:6056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\InputPersonalization /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
2⤵
PID:5892

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\InputPersonalization /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
2⤵
PID:6080

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v NoGenTicket /t REG_DWORD /d 1 /f
2⤵
PID:1560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
2⤵
PID:468

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\DataCollection /v LimitEnhancedDiagnosticDataWindowsAnalytics /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:5392

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Maps /v AutoDownloadAndUpdateMapData /t REG_DWORD /d 0 /f
2⤵
- Modifies registry key
PID:5252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Maps /v AllowUntriggeredNetworkTrafficOnSettingsPage /t REG_DWORD /d 0 /f
2⤵
PID:5132

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\TabletPC /v PreventHandwritingDataSharing /t REG_DWORD /d 1 /f
2⤵
PID:5528

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppCompat /v AITEnable /t REG_DWORD /d 0 /f
2⤵
PID:4880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v ConnectedSearchUseWeb /t REG_DWORD /d 0 /f
2⤵
PID:1688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v DisableWebSearch /t REG_DWORD /d 1 /f
2⤵
PID:5564

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
2⤵
PID:5612

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control\PriorityControl /v Win32PrioritySeparation /t REG_DWORD /d 38 /f
2⤵
PID:5688

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\AppPrivacy /v LetAppsRunInBackground /t REG_DWORD /d 2 /f
2⤵
PID:5728

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v DisableExceptionChainValidation /t REG_DWORD /d 1 /f
2⤵
PID:5808

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v KernelSEHOPEnabled /t REG_DWORD /d 0 /f
2⤵
PID:5876

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 10 /f
2⤵
PID:5944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 10 /f
2⤵
PID:5972

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NoLazyMode /t REG_DWORD /d 1 /f
2⤵
PID:6036

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v NoLazyMode /t REG_DWORD /d 1 /f
2⤵
PID:6096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM" /v DisableCustomerImprovementProgram /t REG_DWORD /d 1 /f
2⤵
PID:5128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
2⤵
PID:1560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
2⤵
PID:1328

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableCfg /t REG_DWORD /d 0 /f
2⤵
PID:5392

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v DisablePageCombining /t REG_DWORD /d 1 /f
2⤵
PID:5252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnablePrefetcher /t REG_DWORD /d 0 /f
2⤵
PID:5416

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v EnableSuperfetch /t REG_DWORD /d 0 /f
2⤵
PID:5528

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Microsoft\FTH /v Enabled /t REG_DWORD /d 0 /f
2⤵
PID:1532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AJRouter /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5572

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\ALG /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5600

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppIDSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppMgmt /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:5824

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppReadiness /v Start /t REG_DWORD /d 3 /f
2⤵
PID:5860

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\AppVClient /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5156

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\CertPropSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5812

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\defragsvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5932

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\diagnosticshub.standardcollector.service /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:6004

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\diagsvc /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:6028

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\embeddedmode /v Start /t REG_DWORD /d 4 /f
2⤵
PID:6020

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\EntAppSvc /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:6096

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\FontCache /v Start /t REG_DWORD /d 4 /f
2⤵
PID:3044

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\FontCache3.0.0.0 /v Start /t REG_DWORD /d 4 /f
2⤵
PID:6128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\GraphicsPerfSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:468

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\LanmanServer /v Start /t REG_DWORD /d 4 /f
2⤵
PID:1008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\NaturalAuthentication /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:1696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\p2pimsvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:1040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\p2psvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\PcaSvc /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:5064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\QWAVE /v Start /t REG_DWORD /d 4 /f
2⤵
PID:2632

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RemoteAccess /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5600

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RemoteRegistry /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:5368

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\RpcLocator /v Start /t REG_DWORD /d 4 /f
2⤵
- Modifies registry key
PID:5828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SCardSvr /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5136

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\ScDeviceEnum /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SEMgrSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5816

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SensorDataService /v Start /t REG_DWORD /d 4 /f
2⤵
PID:6008

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SensorService /v Start /t REG_DWORD /d 4 /f
2⤵
PID:6024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SensrSvc /v Start /t REG_DWORD /d 4 /f
2⤵
PID:6012

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SessionEnv /v Start /t REG_DWORD /d 4 /f
2⤵
PID:6120

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\SharedAccess /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5388

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\ShellHWDetection /v Start /t REG_DWORD /d 4 /f
2⤵
PID:5228

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\tzautoupdate /v Start /t REG_DWORD /d 4 /f
2⤵
PID:4964

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Control /v WaitToKillServiceTimeout /t REG_SZ /d 2000 /f
2⤵
PID:5488

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
2⤵
PID:3208

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\DWM /v Composition /t REG_DWORD /d 0 /f
2⤵
PID:4932

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d True /f
2⤵
PID:5532

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d False /f
2⤵
PID:5564

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\mouclass\Parameters /v MouseDataQueueSize /t REG_DWORD /d 50 /f
2⤵
PID:5644

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\kbdclass\Parameters /v KeyboardDataQueueSize /t REG_DWORD /d 50 /f
2⤵
PID:5604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\Software\Policies\Microsoft\Windows\Psched /v TimerResolution /t REG_DWORD /d 1 /f
2⤵
PID:5852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKLM\System\CurrentControlSet\Services\Tcpip\QoS /v "Do not use NLA" /t REG_DWORD /d 1 /f
2⤵
PID:5608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f
2⤵
PID:5728

C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5164

C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock >nul 2>nul
2⤵
- Modifies boot configuration data using bcdedit
PID:5880

C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick Yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5932

C:\Windows\system32\bcdedit.exe
bcdedit /set hypervisorlaunchtype off
2⤵
- Modifies boot configuration data using bcdedit
PID:5920

C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy Legacy
2⤵
- Modifies boot configuration data using bcdedit
PID:6028

C:\Windows\system32\cmd.exe
cmd /C C:\Users\Admin\AppData\Local\Temp\d578b69c.bat
2⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /format:value
3⤵
PID:5380

C:\Windows\System32\Wbem\WMIC.exe
wmic os get TotalVisibleMemorySize /format:value
4⤵
PID:5012

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "5217772" /f
3⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"| findstr "StorPort"
3⤵
PID:4808

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum" /s /f "StorPort"
4⤵
- Checks SCSI registry key(s)
PID:1008

C:\Windows\system32\findstr.exe
findstr "StorPort"
4⤵
PID:5252

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
3⤵
PID:5516

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
3⤵
PID:3436

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\MsVhdHba\1&3030e83&0&01\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
3⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic PATH Win32_PnPEntity GET DeviceID | findstr "USB\VID_"
3⤵
PID:3364

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_PnPEntity GET DeviceID
4⤵
PID:5132

C:\Windows\system32\findstr.exe
findstr "USB\VID_"
4⤵
PID:2252

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:4004

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f
3⤵
PID:1320

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "EnableSelectiveSuspend" /t REG_DWORD /d "0" /f
3⤵
PID:5544

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f
3⤵
PID:5576

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f
3⤵
PID:5536

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "SelectiveSuspendOn" /t REG_DWORD /d "0" /f
3⤵
PID:5564

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1 \Device Parameters" /v "D3ColdSupported" /t REG_DWORD /d "0" /f
3⤵
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
3⤵
PID:5652

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_networkadapter get GUID
4⤵
PID:5636

C:\Windows\system32\findstr.exe
findstr "{"
4⤵
PID:5644

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{29BFF5DC-AF21-4ACB-9991-B1467FC3049D}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
3⤵
PID:5788

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{29BFF5DC-AF21-4ACB-9991-B1467FC3049D}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
3⤵
PID:5676

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{29BFF5DC-AF21-4ACB-9991-B1467FC3049D}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
3⤵
PID:5760

C:\Windows\system32\netsh.exe
netsh int tcp set heuristics disabled
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5740

C:\Windows\system32\netsh.exe
netsh int tcp set supplemental Internet congestionprovider=ctcp
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:996

C:\Windows\system32\netsh.exe
netsh int tcp set global timestamps=disabled
3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Time Discovery
PID:5836

C:\Windows\system32\netsh.exe
netsh int tcp set global rsc=disabled
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f DmaRemappingCompatible | find /i "Services\"
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2676

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" /s /f DmaRemappingCompatible
4⤵
- Maps connected drives based on registry
- Remote Services: SMB/Windows Admin Shares
- System Network Configuration Discovery: Internet Connection Discovery
PID:5844

C:\Windows\system32\find.exe
find /i "Services\"
4⤵
PID:5904

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5668

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acpipagr\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5612

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BasicDisplay\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5604

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BasicRender\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5732

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CompositeBus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5636

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5656

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intellppm\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:5640

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelpep\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5748

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2624

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbhid\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1800

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\monitor\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:4492

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:3500

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msisadrv\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1848

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisVirtualBus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5848

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NdisWan\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5828

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\partmgr\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5824

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:1780

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:996

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
PID:5176

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\umbus\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5188

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2372

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3096

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdrvroot\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2060

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwififlt\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4704

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpdUpFltr\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5164

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WUDFRd\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:5940

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xinputhid\Parameters" /v "DmaRemappingCompatible" /t REG_DWORD /d "0" /f
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4736

C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe
"C:\Users\Admin\AppData\Local\Programs\Azurite\Azurite.exe" --type=gpu-process --field-trial-handle=1676,2327000054604236307,3606209794342702757,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2024 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\system32\powercfg.exe
powercfg /import C:\Users\Admin\AppData\Local\Temp\7f87a45a.pow 33333333-3333-3333-3333-333333333333
2⤵
- Power Settings
PID:5432

C:\Windows\system32\powercfg.exe
powercfg /setactive 33333333-3333-3333-3333-333333333333
2⤵
- Power Settings
PID:2224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/tweakcentral
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffedad846f8,0x7ffedad84708,0x7ffedad84718
3⤵
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
3⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
3⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
3⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
3⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
3⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5560 /prefetch:8
3⤵
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5572 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
3⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,18320674402802016648,16586125361179260648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "whoami /USER /FO CSV /NH"
2⤵
PID:468

C:\Windows\system32\whoami.exe
whoami /USER /FO CSV /NH
3⤵
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "SchTasks /Create /TN "\Azurite\CompletedScreen" /XML "C:\Users\Admin\AppData\Local\Temp\a07fb995.xml""
2⤵
PID:1688

C:\Windows\system32\schtasks.exe
SchTasks /Create /TN "\Azurite\CompletedScreen" /XML "C:\Users\Admin\AppData\Local\Temp\a07fb995.xml"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\shutdown.exe
shutdown -r -t 0
2⤵
PID:2248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1128

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3f46855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Remote Services

T1021

SMB/Windows Admin Shares

T1021.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c6937178f1d02874645085a5310a031b

SHA1
ba8938f52124bfe27fddbec24214533556017026

SHA256
1375c497e8fce6ff89c6024de01ea9dfdfd0a9a2ab08313854b418093020b715

SHA512
37aad8c9d2dd68ccd95c74df15b5e2216ff050bd23b321a66b4225cc2d3e62ed944c1b6e484af94109a1b4aec2a570e37ec575d7f045610e10e9f603de11eac4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
95c6a40c23feb0ac0b90f3e19e0ece17

SHA1
b6f01b04756a0f16eb271359da5c08d7254a00bc

SHA256
9d31eb7c6b50fd273b69fbb362de32a9542a414d8025a0d3cc2b6488a8140cb1

SHA512
0529ec6b9f1ce16ca4cdbc3635bf24d2cf0637ab8114818a87615c39f2ae6f226e01864237f0d30f11e6720ab99991db048e1881647cec8b86f045bb9059c386

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a0ace605d25c54264f70d345949cd77c

SHA1
3d19646e8e9b1851737dd6701bb96ea1b5b5b440

SHA256
cd00fa87f32ee560acf6ebfafc54015ef24d294e26861819d14e063dd9eb76d3

SHA512
65a4b6219477ffa4887a66eb5f3e52911093073b2473f0138ee322ee182acee0793e42f0b83eeba0205d5aa58a82bb6da93c69cdafba69ef1c12a1b27ed810db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
88adf6273935d4dae11b9ba59945d90a

SHA1
773d4c1b189f5fac3f2c28907c9c3b0c5ae0af63

SHA256
7d7d67ad622c4a8a2a3c11cefab925399268c72cef19c0299ca704fc200dc4ac

SHA512
336de9ac3dc061b3fb9fbeb4f789e30ed583dd38e527505dfad2aba8fe89d4b838014b8705e7d54a27b4c10d11a7b1411e8e75c002e08102ea0605663da32ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
0919480d7b1c50f3f6b4345e5eb7dbc3

SHA1
24658f1fc37fcf12a7e4bc664d1cf081e77ea9e0

SHA256
94533e5f6c5043f0ed51c230343ae4e8d619d82a3ee8f9b75e5881fcb482e89d

SHA512
9070878c38cc7d3a44c9e8cdd331277a6e5de4c664c19abf4f6089bae1623a5fb6ae1b794b12d20c0f17a4e9ce7a4ad1e1a5bd40f0d1783b3bcd540acf3a8dff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
723625f901e77589010eafbb9191775d

SHA1
8dce02784e08a09277d055f99ddf744fe54e81e2

SHA256
2b2df1ce0309fde681d0e2921e460583596b82368b9a569ea8885ba783a7fbb0

SHA512
eeb09f692b083b304280adf3a967902d4a4b8ede883f82d15860742fd27b8efd8977752dc73295094802ad7a2f6b1f6023300ffb57af26949b73c5f5ba871f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1caa50ef795623743dce6cef58624073

SHA1
16c13d9989e7b9d250fd9fa1b96c584f6116d6bf

SHA256
0cfe0d13f858f606f5d54dd9e1d9b53dea896499baf2b25658fc316fd5edda4f

SHA512
a2a1c8b6c0c0fc4db4bddefc701efbf3a39db0629f373a1d0d0b1825ab7479e330f0f9205131d3b8df3ad8cbff386e0037c36642f668f978f065450768c07d1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
838778faab81cd83d6dd72768d4d3bf5

SHA1
d8af3e977e01a04ab3356fc0b96cedac21512af9

SHA256
b3b35846ebeb8248c2d86855fd0705d0b800c2e0fbec3fce86e1ff191ee16f53

SHA512
eaa98d1371cad7c672e0fcfe6516542b4132e736cca1f22a7a8d84f96901141f88b5db0d75417fad4d583697825bd608e35f529064b5df053cbdda6c92f2723d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46f85f3a4d90458dd5197af6e489e430

SHA1
a89b3a42d3715fb5966f8dc89e628d54d9e97569

SHA256
220a7649a32510756567f900a423291ffdf752d0a6db549cb10b0178abefc9ab

SHA512
be25df60e9b2507c07131119cb1730c4ad9dcc141844e64cbdecdf973163865c7bccdaa5e94bf1203e327dd8494c3237cd3c7fb6b6ea91ec95f5a87adb7bde63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e475f9eede1b95992196c388ea1c6870

SHA1
711331c9e1bd57edb108b30b99d8f4c685690775

SHA256
a052f1b40ab7da56040c7e56716c219989e3fa63f3aadbda06e490161eb173e2

SHA512
2f0791dd1372c790df4afc7539fdb7d44eace081ae0e88bfcdfbcf12f302529a2e016a0c04a4e943f1b1948562af5b5146260f280bc886759521d01f0404237c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ac5139f004e8cb4e7aa76e1172648539

SHA1
29348c716b21b1d2504027d6d6b8916879544acd

SHA256
38178d4ad1dbb434d2d0f4f55827d847db996115ced2091ef8f2b0eb0672f2b6

SHA512
b61170623da4aba7cb0856af8808120894200ff50a015281fd53bfd9b3921a34232c40b45b8dae27414bc4f0252291e81dafc4a94dc76870fa7cec414e4eca04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b69943442c6bb50bca911ad177c7da47

SHA1
8d65e27431195f84af8dbf5fde2268d901febee5

SHA256
2c999a452b4592c4786b28f99155a873aa622965fcfab7a5a7a2157586bba887

SHA512
3a5ed2eb7a5c01952d308ac05bd87ef50dc97bb1886d3bc0ec7b05c6db6fc8d2c95b60d677d993c087c1ed228a668202c31d587a95996ebbbfc8e4a96ab83e42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bfde02b5f3a7be4d95638752f4373e74

SHA1
84a4cccdda4594321aeb75c8820721b3111ee890

SHA256
c23d4712c45b1ffecd7c6761980c95e1b0ddaa5478be8c7614984da0ecd74c8b

SHA512
a26735515103fbd603a43dc8a74dcf8b936601913ef3425db1139d469c1bfa606cf7124613e293bf1d0acb37562b27d15d35103fe260e887aeb36fab22a1025a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff960ce1f68ffe81babbd7407a94953f

SHA1
c0ecdee1d80d785f9f91b3e957ba2eedbe4ce62b

SHA256
0c4c5c7ec0d2e560e704643a36a65f544d5d5744c1e3c40ea0301467319fdfc2

SHA512
97e225c4a863c4d4134df50a7791b5b8f93436022788a00f0fae7f93f890c6d1ea882674fd338919ccd1c62106856e31fedc3f359748bc8580514fed40a3282b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f05640536e389d788c43ae51ae620da

SHA1
ac911a8276b4661c19e5de7862324841d0491312

SHA256
d2a9b3a30b2e15340260e9e201325bce64928df898fed952b009d3285eb21429

SHA512
346df0e47538b5a017eb4093d9fb9a8e038e849b84a161bbf714ccc59178176e26278aee27e7aac1846b0d6b104d1f422c7dc1952bac43de0e3b04ef12b7611b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
74fa4603e719e234b1eaf9d514726371

SHA1
752f8f2092457dfded3b837366940a588bea4f69

SHA256
7cf74e622d3c6b9877825deeb9e613b644a285f11f40009ee91698ee10f74247

SHA512
1a062f57657b0784627a6f88af9efd27dd157e39318d9e5ca5b0ea5c070609ea435bd962c9361452e9a2c126269059376d0b0b78af13d50a0eb9c57a5283c8c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a380179872bf5beefc7c73c2c4be5cd2

SHA1
e3d34f61a6b9fe0a1c563d0f92ca9e36291ebd53

SHA256
812a3a99b49f3613f9e351bbcce273495d604d31685e947e0863e2564761e12f

SHA512
a274dbddcf16f8eba50bfeaf5dc32030292a0dfffbcf8e7906dd25af5e5022bf7fb44b7eb4039f1f83ab3df147e0e027d82d383c37b68c62fa9cebf0a4e118c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3ec17950914cdcd37b2ad4e0b2a2e34

SHA1
2f7b6ef9e00ee5f1de8039c785ec87c293926af8

SHA256
e756632041f8546f3d7aa99b05bc30b83dddb264cc07606a1d581491e06e634d

SHA512
80e738a4e341c1f2a4961654a559ad23c6bc2a85e786005265e74f8e887b0575b97fd0d07ff846d4f32fafbaab7ae3604b7f82da65f606bd5231782d4bfcf293

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
f809e89796f140475a475f0c0b8f653f

SHA1
8a4cd1bf592b0d5d290ba3acb656396a02efd4d5

SHA256
37f8b8aac34f8d7ec623019be63486accd78e2dabb4594d09def037eb4a5fa47

SHA512
2bf3a46c400ca8fbec0966287e37e395294843f548da9ac7e750b114b5abf143f1fe87108c01903f9a135ac5edd84738b7c35fd647b19baf68895f8459fd1966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a2d4e7c84c2df6dd31167f8476612eb3

SHA1
e460c068b1428c22e5fe6110e16793fbcbcf24bf

SHA256
3564ab4c9f8d787a21d3d3c1d90ce9deeee83d1f9c846582665123222f47a151

SHA512
5ff66f0d2511ca9b0411f199f9d87f2890d0c02987d0ff9528502fb5bf5713968011e37850bb94c1b3d22836a38a1d09e7b16ed19dcd3acb9382a4b5e3adcaa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
972fb536ee65aa77265448107e7f7159

SHA1
6425d51756074f0fbac37a984e5c4592cfac18e8

SHA256
82d69cad709fb7427c694ab34a8083cc4cc02e801fda9aa97016fc40997f484f

SHA512
e9676af2da68785bd50d829383d14c9bb3706e7830080e49b0a8ef6bfb65c17f6b139d5e28332b911b73aaa5b3eab0f5ef25c3b12595cefeee6c2855625e0927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9af1f32357170c35151b45a8e6fd2138

SHA1
57303aa5a1a5f1c8a9f34bcd1a5420c528051311

SHA256
607fbfe624c2e1a554e065e3e3b809936a474875117568ddc89e0cd8d0f4b741

SHA512
0233558c52ec4607ac841abb253f836690ea2c3effbce36606e994cee28d72f0849866844cd207019cc8e460084063b99596265d3f80ea30b94c3eae77605387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ceaba5a49460eaee7fa4aa3e8702a701

SHA1
1c1014abec6ad1c0a4991f15061b942559c49374

SHA256
392e532d598d1b2852c2ddb603c0049a84656c1f089eb71d15485436b51b2202

SHA512
d4dc1a613d8325a70b728f4a6aaeb5eae6103a6448bf1b0f7d6362dcb47c7431c62ea1e985161b33aba4f478e612fba9f2f247e5f21df82a3c08756e380c2ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e93618caa731b9dc7a57535e575ef701

SHA1
ef8bee16a4ebbb4c833e782c23cf296c5f14775d

SHA256
3b679f17931acf531f2228a611410f9a987bfbebc5ea00b49d518b92a136406e

SHA512
d56a3b5bce7839675397fe47cf907a02c5221825c74b3ae8ecf21f59ff058ae2091f745716b6e1712deb42f4f2072d59e258a7860e9fe7978a72e90d3ec7cddb

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\chrome_100_percent.pak

Filesize
138KB

MD5
03aaa4f8525ba4b3e30d2a02cb40ab7a

SHA1
dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

SHA256
c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

SHA512
c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\chrome_200_percent.pak

Filesize
202KB

MD5
7d4f330a5443eadf32e041c63e7e70ad

SHA1
26ce6fb98c0f28f508d7b88cf94a442b81e80c88

SHA256
b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

SHA512
f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\ffmpeg.dll

Filesize
2.6MB

MD5
af6d3e25c626882b0c6be5a1e662a88d

SHA1
a00b6b71d94ed200ffa44d730efe48cd63148153

SHA256
3615f62c7495308038c2659c266fb144c813fbd44a535111ce10ae47b0996ada

SHA512
54da008ccaf5646479f16a302e0e8d0346ef750ea39565b5b453f205e49ec10f91eb43fc1e826d278519ac48ead943925906e5015b817d235307a6c5a716274e

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\icudtl.dat

Filesize
9.9MB

MD5
80a7528515595d8b0bf99a477a7eff0d

SHA1
fde9a195fc5a6a23ec82b8594f958cfcf3159437

SHA256
6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b

SHA512
c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\locales\en-US.pak

Filesize
88KB

MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\resources.pak

Filesize
4.9MB

MD5
d22a5445f36b9ffaafc235e56ae90456

SHA1
c6acefdf31e440c71ff830eb9150efe69775ec63

SHA256
7b94d96c56df3635cd72eac4f970fe3b2df97749427a4e7986612d86aae4b6a8

SHA512
dec6c599ed1045c962a4bd52904eace69c0d323ee68e4ed67b56185ea36712fa4ccf138e7f9552f6483c9c62d5d63e98cbd61b1a0c84a4e6f5f625bc58463673

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\resources\app-update.yml

Filesize
131B

MD5
a454c573d0c72b4122d074a4048f8a22

SHA1
ce06018b60adf940f42401c8e311fc5d27619d90

SHA256
d82261f6161e06ac8b48bfd619acc1a0eaefc63270d4e4a1155a255d2b0e6eff

SHA512
56a06b34547a19be4d569c780770eb43d19f5a2ef55c62f98a00d372e7c02865265ccb35a1c5f5a82b48c279516c55c07b0b4b6ea2d858be7f131391dd76d495

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\resources\app.asar

Filesize
4.9MB

MD5
f0283a70e4e77c72999016a2cc033172

SHA1
48f2207f9363faf63d3a6f2ac16ed2cf8022f8ab

SHA256
e0f0acdba0caa085dac0c2432a97670f88c4deaeded715e2e9452b03400d592f

SHA512
5f73110a134f02e71c84d6d8da4c9aa5c572adec5bbe40255b30b9a37d2818064261c8a57b76c8da7efbfbced061066d53437a66197c9caaa0dcd90c1b60bddc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\swiftshader\libEGL.dll

Filesize
448KB

MD5
08d67d57bdb9efa1c6652bab4f68a7fb

SHA1
9b8f156a069f4f40e0fdded92aa1c6f3606101b3

SHA256
33adfdf885f4a64e5792d591bb35ddf5f8b15feeacbcf1539c50a614d168abf5

SHA512
b9972e81eb5a7b4dba758686d6d2962639ad0e7b0c3c6df328f0eb5d1e4b06f4fcf0135c01908bf2d583be4606cdd028485977853c62285e216f07e695e601e9

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\swiftshader\libGLESv2.dll

Filesize
3.1MB

MD5
9089a52d103849175b1ed9b5a469a782

SHA1
90eb9c2536f801920551c4b2c70fd318223308d1

SHA256
47092d9bfd855fcfb613741580ac742ce521567509929daab5574a71f83a2801

SHA512
553d85f8ffbccd10c324d58d1b3f5479f039cb50cfda49a891f35c13462a59160c29c96a43aa48725c6e5fa6773f84fa684f9e4add4d250fd14c09d451ff19fa

Download Submit
C:\Users\Admin\AppData\Local\Programs\Azurite\v8_context_snapshot.bin

Filesize
161KB

MD5
e082a9ffd52e98b00e501e934a7e9d8d

SHA1
21746f70466633f881581d9bee651619d8b4b109

SHA256
08058ff9086099965041d0e85e8847704c624baf689ec3bb6a041e7776332520

SHA512
5b6a6f58a9037c260b1b76bb7605746c251641e20153b5e75d99f4b4afb1367a7a44ba255034c9090e7c48748402a6e0bad13da2c4c3e8b7b88bd1d80898fd3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\14f82417-da66-40bf-92f6-7cf70c7078c2.tmp

Filesize
69KB

MD5
45af88a466bf725ea58063fe506ac85e

SHA1
60e7359497f6b6082fcfe9edfc5ba6b5a89c7ad1

SHA256
1350a224027ba8b9e5c1200bc46c04b0497d95558af3fbddb3adc30ea1b2cf4d

SHA512
98b942002a7d594c949e2d839ee91db0cde50e6d014c5664e394866a6ce19068b5f4cea370e23aa880547cb7f915d9b4769b35e08d142816cd67c270a2782a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_psgaqqu4.n2x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5923ba7-8782-4619-a42b-157f1df648db.tmp.pow

Filesize
24KB

MD5
f81191582f273b07e50ea9ac1818dfdd

SHA1
e9d762bed0cfe1219854c2b1d5948f050458d426

SHA256
15828be7fca345b210fe3cde9eded3a2e12238580335e927952f85bae480db28

SHA512
954eb770bb4425cea2e24b56ced7acd70d5df7b219d5597ee101630f071fbc9a976b30e9ef8bcc375f2306dea7ad441dd5f4e15f450ddd313e6561963ac68271

Download Submit
C:\Users\Admin\AppData\Local\Temp\d578b69c.bat

Filesize
2KB

MD5
b96aac30465cba9e3cc089c3ef5c7df6

SHA1
6858ce127c45a1eddb6ccbffcb290b6c650016a8

SHA256
1afa7f9a0ea79a193e10a096f5eafffb687e07ecbe5cabdc716b700ff6c97b63

SHA512
56d7d549394cbcfe4edefa914e99c457346737b96e63659271e95ac73b75a00fb9bb6352f335c79ea0c220583dc65c49249e236b646458397108fd2c36eb1202

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF195.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF195.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF195.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF195.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF195.tmp\nsDialogs.dll

Filesize
9KB

MD5
466179e1c8ee8a1ff5e4427dbb6c4a01

SHA1
eb607467009074278e4bd50c7eab400e95ae48f7

SHA256
1e40211af65923c2f4fd02ce021458a7745d28e2f383835e3015e96575632172

SHA512
7508a29c722d45297bfb090c8eb49bd1560ef7d4b35413f16a8aed62d3b1030a93d001a09de98c2b9fea9acf062dc99a7278786f4ece222e7436b261d14ca817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF195.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF195.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Network Persistent State

Filesize
183B

MD5
529f66a7edc36ae980c6f714dcbf5942

SHA1
88dee8c1e4ef93cd45372461b091d0f89687bb11

SHA256
18bd7a16f541035715e427465e0be82e3622ef0f51360e6ef084da2535a4f7cc

SHA512
c9ea591230f4b48e98539eb473f80c171420bf578df806114752e333ea08b82c02c1b7059e83a35ff4b01400912d39704e32895716616db1a440d6e8a64652e5

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Network Persistent State~RFe592fff.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\Preferences~RFe58467a.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\azurite\logs\main.log

Filesize
6KB

MD5
a5275883d7d3a7837549057359c62bbb

SHA1
ac1bd427ef46d5679adabc37077f8db02d329dfc

SHA256
5a3d516b0f008b6f0332271a901ccfdae8b3d002e63755b69396dff6aa1be84c

SHA512
2641268828759396077e9219de2913915efbc48e070f8d31f8830efa9cabab5b85f196617e91b9881f8cc702c81df756b24e299e15541094aca47e86bde86c62

Download Submit
C:\Users\Admin\Desktop\Azurite.lnk

Filesize
2KB

MD5
78a771cd4d379e03e582499be4418107

SHA1
7f4a30de4836b4946e09a37f1fd94f04bf5e2a13

SHA256
1762e68b89aaf7e44ce19c81ef545e2024c3767f6b77181f04d3d266781f6a45

SHA512
5240beaa7c75b591009294d100d5cf42d1267670bd79f474a5b1b782f9c7e135aa9d2a8047fd9c1f4f518d8d8a96f6dd06b40be9fdda7604bf2b2511bb09dd41

Download Submit
\??\pipe\crashpad_4188_LDRAJQQIVWCRJWMK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1704-810-0x000001EBB1D70000-0x000001EBB1D92000-memory.dmp

Filesize
136KB

Download
memory/3764-350-0x00007FFEE06A0000-0x00007FFEE06A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads