c40ec5a80b24f34c1aab1f9e8da3283328db2f23f051ba75f8f823275931e401

Analysis

max time kernel
46s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kopx-Optimizer.exe
Size

4.4MB
MD5

227489b38c1df55295efd41adb763bfc
SHA1

01851d8247f31080f2b95ae86f829f386f405556
SHA256

c40ec5a80b24f34c1aab1f9e8da3283328db2f23f051ba75f8f823275931e401
SHA512

d7446593fdff54c3a699c61629ffaecc1d475ae7731032ea7c8a4ca20148debebfcd057bd04c4881e36651f9d07c1779056c459e84ad24830457e0b6e4e56842
SSDEEP

49152:vjFnhVMFnhVSr9JkzvkjXabRXFnhVyTTFBySg6etzcwp8fB0hXGErGn9lut4XrgA:vxrkzgXqurG8farRS

Score

9^/10

evasion ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 36 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5056	bcdedit.exe
2324	bcdedit.exe
1552	bcdedit.exe
4860	bcdedit.exe
3764	bcdedit.exe
1900	bcdedit.exe
4468	bcdedit.exe
2268	bcdedit.exe
3344	bcdedit.exe
2872	bcdedit.exe
60	bcdedit.exe
4568	bcdedit.exe
2184	bcdedit.exe
780	bcdedit.exe
3744	bcdedit.exe
1516	bcdedit.exe
964	bcdedit.exe
1920	bcdedit.exe
4380	bcdedit.exe
2132	bcdedit.exe
1460	bcdedit.exe
1908	bcdedit.exe
2664	bcdedit.exe
2464	bcdedit.exe
1064	bcdedit.exe
808	bcdedit.exe
2728	bcdedit.exe
964	bcdedit.exe
396	bcdedit.exe
4492	bcdedit.exe
3300	bcdedit.exe
3180	bcdedit.exe
1900	bcdedit.exe
1400	bcdedit.exe
1504	bcdedit.exe
2352	bcdedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Kopx-Optimizer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Kopx-Optimizer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Kopx-Optimizer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Kopx-Optimizer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0"	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 4228	3408	Kopx-Optimizer.exe	88
PID 3408 wrote to memory of 4228	3408	Kopx-Optimizer.exe	88
PID 4228 wrote to memory of 4852	4228	cmd.exe	90
PID 4228 wrote to memory of 4852	4228	cmd.exe	90
PID 3408 wrote to memory of 4948	3408	Kopx-Optimizer.exe	91
PID 3408 wrote to memory of 4948	3408	Kopx-Optimizer.exe	91
PID 4948 wrote to memory of 1984	4948	cmd.exe	93
PID 4948 wrote to memory of 1984	4948	cmd.exe	93
PID 3408 wrote to memory of 1400	3408	Kopx-Optimizer.exe	94
PID 3408 wrote to memory of 1400	3408	Kopx-Optimizer.exe	94
PID 1400 wrote to memory of 3272	1400	cmd.exe	96
PID 1400 wrote to memory of 3272	1400	cmd.exe	96
PID 3408 wrote to memory of 3744	3408	Kopx-Optimizer.exe	97
PID 3408 wrote to memory of 3744	3408	Kopx-Optimizer.exe	97
PID 3744 wrote to memory of 3340	3744	cmd.exe	99
PID 3744 wrote to memory of 3340	3744	cmd.exe	99
PID 3408 wrote to memory of 4444	3408	Kopx-Optimizer.exe	100
PID 3408 wrote to memory of 4444	3408	Kopx-Optimizer.exe	100
PID 4444 wrote to memory of 4832	4444	cmd.exe	102
PID 4444 wrote to memory of 4832	4444	cmd.exe	102
PID 3408 wrote to memory of 2352	3408	Kopx-Optimizer.exe	103
PID 3408 wrote to memory of 2352	3408	Kopx-Optimizer.exe	103
PID 2352 wrote to memory of 3664	2352	cmd.exe	105
PID 2352 wrote to memory of 3664	2352	cmd.exe	105
PID 3408 wrote to memory of 4812	3408	Kopx-Optimizer.exe	106
PID 3408 wrote to memory of 4812	3408	Kopx-Optimizer.exe	106
PID 4812 wrote to memory of 4904	4812	cmd.exe	108
PID 4812 wrote to memory of 4904	4812	cmd.exe	108
PID 3408 wrote to memory of 636	3408	Kopx-Optimizer.exe	109
PID 3408 wrote to memory of 636	3408	Kopx-Optimizer.exe	109
PID 636 wrote to memory of 4136	636	cmd.exe	111
PID 636 wrote to memory of 4136	636	cmd.exe	111
PID 3408 wrote to memory of 2268	3408	Kopx-Optimizer.exe	112
PID 3408 wrote to memory of 2268	3408	Kopx-Optimizer.exe	112
PID 2268 wrote to memory of 1192	2268	cmd.exe	114
PID 2268 wrote to memory of 1192	2268	cmd.exe	114
PID 3408 wrote to memory of 3260	3408	Kopx-Optimizer.exe	115
PID 3408 wrote to memory of 3260	3408	Kopx-Optimizer.exe	115
PID 3260 wrote to memory of 2456	3260	cmd.exe	117
PID 3260 wrote to memory of 2456	3260	cmd.exe	117
PID 3408 wrote to memory of 4676	3408	Kopx-Optimizer.exe	118
PID 3408 wrote to memory of 4676	3408	Kopx-Optimizer.exe	118
PID 4676 wrote to memory of 2468	4676	cmd.exe	120
PID 4676 wrote to memory of 2468	4676	cmd.exe	120
PID 3408 wrote to memory of 2312	3408	Kopx-Optimizer.exe	121
PID 3408 wrote to memory of 2312	3408	Kopx-Optimizer.exe	121
PID 2312 wrote to memory of 4448	2312	cmd.exe	123
PID 2312 wrote to memory of 4448	2312	cmd.exe	123
PID 3408 wrote to memory of 4440	3408	Kopx-Optimizer.exe	124
PID 3408 wrote to memory of 4440	3408	Kopx-Optimizer.exe	124
PID 4440 wrote to memory of 704	4440	cmd.exe	126
PID 4440 wrote to memory of 704	4440	cmd.exe	126
PID 3408 wrote to memory of 2440	3408	Kopx-Optimizer.exe	127
PID 3408 wrote to memory of 2440	3408	Kopx-Optimizer.exe	127
PID 2440 wrote to memory of 1728	2440	cmd.exe	129
PID 2440 wrote to memory of 1728	2440	cmd.exe	129
PID 3408 wrote to memory of 896	3408	Kopx-Optimizer.exe	130
PID 3408 wrote to memory of 896	3408	Kopx-Optimizer.exe	130
PID 896 wrote to memory of 4784	896	cmd.exe	132
PID 896 wrote to memory of 4784	896	cmd.exe	132
PID 3408 wrote to memory of 2564	3408	Kopx-Optimizer.exe	133
PID 3408 wrote to memory of 2564	3408	Kopx-Optimizer.exe	133
PID 2564 wrote to memory of 2484	2564	cmd.exe	135
PID 2564 wrote to memory of 2484	2564	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\Kopx-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Kopx-Optimizer.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:3408
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\system32\reg.exe
    Reg add "HKLM\SOFTWARE\Microsoft\FTH" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4852
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineCore" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineCore" /f
    3⤵
    PID:1984
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineUA" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineUA" /f
    3⤵
    PID:3272
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "StartupBoostEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3340
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "BackgroundModeEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4832
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "UseDpiScaling" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\DWM" /v "UseDpiScaling" /t REG_DWORD /d "0" /f
    3⤵
    PID:3664
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
    3⤵
    PID:4904
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation" /v "DisableStartupSound" /t REG_DWORD /d "1" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\BootAnimation" /v "DisableStartupSound" /t REG_DWORD /d "1" /f
    3⤵
    PID:4136
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
    3⤵
    PID:1192
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
    3⤵
    PID:2456
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
    3⤵
    PID:2468
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ctfmon" /t REG_SZ /d "C:\Windows\System32\ctfmon.exe" /f0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ctfmon" /t REG_SZ /d "C:\Windows\System32\ctfmon.exe" /f0
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\VideoSettings" /v "VideoQualityOnBattery" /t REG_DWORD /d "1" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\VideoSettings" /v "VideoQualityOnBattery" /t REG_DWORD /d "1" /f
    3⤵
    PID:704
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f
    3⤵
    PID:1728
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
    3⤵
    PID:4784
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
    3⤵
    PID:2484
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:4480
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
    3⤵
    PID:1460
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:808
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowDeviceNameInTelemetry" /t REG_DWORD /d "0" /f
    3⤵
    PID:1908
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:828
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
  2⤵
  PID:960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
    3⤵
    PID:2064
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:992
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
    3⤵
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
  2⤵
  PID:1436
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
    3⤵
    PID:5104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  2⤵
  PID:4844
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
    3⤵
    PID:1884
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
    3⤵
    PID:4348
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  2⤵
  PID:5052
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  2⤵
  PID:4588
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
    3⤵
    PID:3192
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:4904
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:432
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
  2⤵
  PID:4136
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
    3⤵
    PID:4468
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings" /v "DownloadMode" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:2684
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2456
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3152
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:3200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
    3⤵
    PID:1528
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
    3⤵
    PID:3316
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
  2⤵
  PID:1504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
    3⤵
    PID:2552
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
  2⤵
  PID:5004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
    3⤵
    PID:1408
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
    3⤵
    PID:4380
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
    3⤵
    PID:4728
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
    3⤵
    PID:624
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f
    3⤵
    PID:828
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4828
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2064
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3908
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2728
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4720
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:2236
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
    3⤵
    PID:4780
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:3252
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
    3⤵
    PID:1748
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4032
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:2476
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  PID:4168
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
    3⤵
    PID:1892
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f
  2⤵
  PID:4796
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v "DownloadMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:3656
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:4052
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
    3⤵
    PID:2960
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
  2⤵
  PID:3740
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
    3⤵
    PID:4108
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
  2⤵
  PID:4764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
    3⤵
    PID:1304
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:5080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
    3⤵
    PID:3232
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
  2⤵
  PID:516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
    3⤵
    PID:1916
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
  2⤵
  PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
    3⤵
    PID:2316
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set tscsyncpolicy legacy
  2⤵
  PID:3228
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set tscsyncpolicy legacy
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5056
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set hypervisorlaunchtype off
  2⤵
  PID:216
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2324
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set linearaddress57 OptOut
  2⤵
  PID:3356
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set linearaddress57 OptOut
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1552
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set increaseuserva 268435328
  2⤵
  PID:4972
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set increaseuserva 268435328
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4860
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set isolatedcontext No
  2⤵
  PID:3240
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set isolatedcontext No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3764
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set allowedinmemorysettings 0x0
  2⤵
  PID:4304
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set allowedinmemorysettings 0x0
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1900
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set vsmlaunchtype Off
  2⤵
  PID:2224
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set vsmlaunchtype Off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4468
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set vm No
  2⤵
  PID:2756
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set vm No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2268
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
    3⤵
    PID:808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
  2⤵
  PID:992
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
    3⤵
    PID:4168
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set x2apicpolicy Enable
  2⤵
  PID:3852
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set x2apicpolicy Enable
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3344
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set uselegacyapicmode No
  2⤵
  PID:3752
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set uselegacyapicmode No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2872
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set configaccesspolicy Default
  2⤵
  PID:4352
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set configaccesspolicy Default
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:60
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set MSI Default
  2⤵
  PID:1172
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set MSI Default
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4568
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set usephysicaldestination No
  2⤵
  PID:640
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set usephysicaldestination No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2184
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set usefirmwarepcisettings No
  2⤵
  PID:2220
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set usefirmwarepcisettings No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:780
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:4640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
    3⤵
    PID:3916
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
  2⤵
  PID:5056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
    3⤵
    PID:1840
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
  2⤵
  PID:764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
    3⤵
    PID:2608
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:2716
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
    3⤵
    PID:2416
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
  2⤵
  PID:4348
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
    3⤵
    PID:1368
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
  2⤵
  PID:3476
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
    3⤵
    PID:4344
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set tscsyncpolicy legacy
  2⤵
  PID:3656
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set tscsyncpolicy legacy
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3744
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set hypervisorlaunchtype off
  2⤵
  PID:2236
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1516
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set linearaddress57 OptOut
  2⤵
  PID:2564
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set linearaddress57 OptOut
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set increaseuserva 268435328
  2⤵
  PID:4656
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set increaseuserva 268435328
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1920
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set isolatedcontext No
  2⤵
  PID:3984
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set isolatedcontext No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4380
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set allowedinmemorysettings 0x0
  2⤵
  PID:2328
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set allowedinmemorysettings 0x0
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2132
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set vsmlaunchtype Off
  2⤵
  PID:2484
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set vsmlaunchtype Off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1460
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set vm No
  2⤵
  PID:4092
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set vm No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1908
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
  2⤵
  PID:2400
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
    3⤵
    PID:1480
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
  2⤵
  PID:5096
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
    3⤵
    PID:3156
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
  2⤵
  PID:4332
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
    3⤵
    PID:2708
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set x2apicpolicy Enable
  2⤵
  PID:2332
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set x2apicpolicy Enable
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2664
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set uselegacyapicmode No
  2⤵
  PID:3448
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set uselegacyapicmode No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2464
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set configaccesspolicy Default
  2⤵
  PID:3972
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set configaccesspolicy Default
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1064
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set MSI Default
  2⤵
  PID:1892
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set MSI Default
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set usephysicaldestination No
  2⤵
  PID:2656
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set usephysicaldestination No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2728
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set usefirmwarepcisettings No
  2⤵
  PID:2312
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set usefirmwarepcisettings No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
    3⤵
    PID:3720
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
    3⤵
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
  2⤵
  PID:4912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "AGPConcur" /t REG_DWORD /d "1" /f
    3⤵
    PID:1116
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
  2⤵
  PID:2764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "CPUPriority" /t REG_DWORD /d "1" /f
    3⤵
    PID:2556
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "FastDRAM" /t REG_DWORD /d "1" /f
    3⤵
    PID:760
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
  2⤵
  PID:780
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Services\VxD\BIOS" /v "PCIConcur" /t REG_DWORD /d "1" /f
    3⤵
    PID:3156
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set tscsyncpolicy legacy
  2⤵
  PID:1468
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set tscsyncpolicy legacy
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:396
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set hypervisorlaunchtype off
  2⤵
  PID:3388
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set hypervisorlaunchtype off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4492
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set linearaddress57 OptOut
  2⤵
  PID:2592
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set linearaddress57 OptOut
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3300
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set increaseuserva 268435328
  2⤵
  PID:3484
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set increaseuserva 268435328
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3180
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set isolatedcontext No
  2⤵
  PID:4516
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set isolatedcontext No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1900
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set allowedinmemorysettings 0x0
  2⤵
  PID:808
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set allowedinmemorysettings 0x0
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1400
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set vsmlaunchtype Off
  2⤵
  PID:3148
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set vsmlaunchtype Off
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1504
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C bcdedit /set vm No
  2⤵
  PID:5000
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set vm No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2352
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
  2⤵
  PID:4064
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
    3⤵
    PID:3344
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
  2⤵
  PID:1920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
    3⤵
    PID:1408
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
  2⤵
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3408-0-0x00007FFF4303B000-0x00007FFF4303C000-memory.dmp

Filesize
4KB

Download
memory/3408-1-0x00007FFF4303B000-0x00007FFF4303C000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads