Analysis
- max time kernel: 91s
- max time network: 95s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30/10/2024, 13:32
- Static task: static1
- Behavioral task: behavioral1
- Sample: Flux Tweaking Tool.bat
- Resource: win11-20241007-en
General
- Target: Flux Tweaking Tool.bat
- Size: 44KB
- MD5: bf13135aeb51a50a0400db422fd7daa9
- SHA1: 5ef6d801e7b97128fcce8dcafa8aeb81d64fc2db
- SHA256: 5f02f68d5187cc53317a1139dfa2a5824e5eee2e7517a3b58cff82062086bd8f
- SHA512: 6367b7ec2fbae156c6061b3c2fe2781b60011f59b06aec3f465da15b57d0f5c1ad68e332e2c9572446b348232ad252ef9096219f1037fe92a31411497fc467e5
- SSDEEP: 384:mut4C7QIEkKx3mmoYHYWLNmGr1tslFvnnWNyMnerjo+Cozvy4UD+jjGs2pt3JNur:mut4C7QIXmoYHYWLNmGNPxO
Malware Config
Signatures
UAC bypass 16 IoCs (signature heading reconstructed from the "UAC bypass" tags on the matching reg.exe entries in the process tree)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (reg.exe)
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\DisableNX = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe\DisableNX = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\DisableNX = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe\DisableNX = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe\DisableNX = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\DisableNX = "1" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\DisableNX = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe\DisableNX = "1" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (reg.exe)
Command and Scripting Interpreter: PowerShell 10 IoCs (signature heading reconstructed from the tags on the matching powershell.exe entries in the process tree)
- PID 1836 powershell.exe
- PID 1108 powershell.exe
- PID 3536 powershell.exe
- PID 1976 powershell.exe
- PID 5104 powershell.exe
- PID 4416 powershell.exe
- PID 716 powershell.exe
- PID 3948 powershell.exe
- PID 4168 powershell.exe
- PID 2140 powershell.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 4 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" (reg.exe)
Power Settings 1 TTPs 9 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- PID 2160 powercfg.exe
- PID 4996 powercfg.exe
- PID 4872 powercfg.exe
- PID 648 powercfg.exe
- PID 4612 powercfg.exe
- PID 960 powercfg.exe
- PID 2532 powercfg.exe
- PID 1108 powercfg.exe
- PID 1956 powercfg.exe
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
- PID 2140 powershell.exe
- PID 2348 powershell.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
Suspicious behavior: EnumeratesProcesses 23 IoCs
- PID 4168 powershell.exe
- PID 4168 powershell.exe
- PID 4168 powershell.exe
- PID 2140 powershell.exe
- PID 2140 powershell.exe
- PID 2348 powershell.exe
- PID 2348 powershell.exe
- PID 4416 powershell.exe
- PID 4416 powershell.exe
- PID 716 powershell.exe
- PID 716 powershell.exe
- PID 3948 powershell.exe
- PID 3948 powershell.exe
- PID 1836 powershell.exe
- PID 1836 powershell.exe
- PID 1108 powershell.exe
- PID 1108 powershell.exe
- PID 3536 powershell.exe
- PID 3536 powershell.exe
- PID 1976 powershell.exe
- PID 1976 powershell.exe
- PID 5104 powershell.exe
- PID 5104 powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes (each entry: image path, then command line, signature tags and PID; child processes are indented under their parent)

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Flux Tweaking Tool.bat"
  - Suspicious use of WriteProcessMemory
  PID: 812

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4168

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL "ForEach($v in (Get-Command -Name \"Set-ProcessMitigation\").Parameters[\"Disable\"].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2140

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POWERSHELL Disable-MMAgent -MemoryCompression -ApplicationPreLaunch -ErrorAction SilentlyContinue
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2348
  C:\Windows\system32\chcp.com
    chcp 65001
    PID: 4004

  C:\Windows\system32\mode.com
    mode con cols=80 lines=25
    PID: 4108

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMBandwidthFeature" /t REG_DWORD /d "1896072192" /f
    PID: 3800

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMBandwidthFeature2" /t REG_DWORD /d "1" /f
    PID: 4444

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0001" /v "RMBandwidthFeature" /t REG_DWORD /d "1896072192" /f
    PID: 1292

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0001" /v "RMBandwidthFeature2" /t REG_DWORD /d "1" /f
    PID: 3640

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMElcg" /t REG_DWORD /d "1431655765" /f
    PID: 5028

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMBlcg" /t REG_DWORD /d "286331153" /f
    PID: 3820

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMElpg" /t REG_DWORD /d "4095" /f
    PID: 4364

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMSlcg" /t REG_DWORD /d "16383" /f
    PID: 4596

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMFspg" /t REG_DWORD /d "15" /f
    PID: 3236

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RmLogonRC" /t REG_DWORD /d "0" /f
    PID: 3116

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMLpwrArch" /t REG_DWORD /d "1365" /f
    PID: 716

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RmLpwrCtrlGrRgParameters" /t REG_DWORD /d "349525" /f
    PID: 4480

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMLpwrEiClient" /t REG_DWORD /d "1" /f
    PID: 3400

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RmMIONoPowerOff" /t REG_DWORD /d "1" /f
    PID: 2664

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\3\0000" /v "RMDeepL1EntryLatencyUsec" /t REG_DWORD /d "1" /f
    PID: 3768
  C:\Windows\system32\powercfg.exe
    powercfg -duplicatescheme e9a42b02-d5df-448d-aa00-03f14749eb61 11111111-1111-1111-1111-111111111111
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 2160

  C:\Windows\system32\powercfg.exe
    powercfg -changename 11111111-1111-1111-1111-111111111111 "iTouchPCs Tool" "Low Latency Good Frames Happy Games"
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 648

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\d3d55efd-c1ff-424e-9dc3-441be7833010" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 868

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\0012ee47-9041-4b5d-9b77-535fba8b1442\d639518a-e56d-4345-8af2-b9f32fb26109" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 2936

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\0853a681-27c8-4100-a2fd-82013e970683" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 4716

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 3892

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\06cadf0e-64ed-448a-8927-ce7bf90eb35d" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 3980

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\12a0ab44-fe28-4fa9-b3bd-4b64f44960a6" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 1948

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 1580

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\4b92d758-5a24-4851-a470-815d78aee119" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 1704

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\5d76a2ca-e8c0-402f-a133-2158492d58ad" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 2292

  C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\System\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\7b224883-b3cc-4d79-819f-8374152cbe7c" /v "Attributes" /t REG_DWORD /d "0" /f
    PID: 4880
  C:\Windows\system32\powercfg.exe
    powercfg /setacvalueindex scheme_current 54533251-82be-4824-96c1-47b60b740d00 4d2b0152-7d5c-498b-88e2-34345392a2c5 5000
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 4612

  C:\Windows\system32\powercfg.exe
    powercfg -setactive 11111111-1111-1111-1111-111111111111
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 4996

  C:\Windows\system32\powercfg.exe
    powercfg /setactive scheme_current
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 4872

  C:\Windows\system32\powercfg.exe
    powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 960

  C:\Windows\system32\powercfg.exe
    powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 2532

  C:\Windows\system32\powercfg.exe
    powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 1108

  C:\Windows\system32\powercfg.exe
    powercfg -delete e9a42b02-d5df-448d-aa00-03f14749eb61
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID: 1956
  C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\Appinfo" /v "Start" /t REG_DWORD /d "4" /f
    PID: 3560

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f
    PID: 1088

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    PID: 1584

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
    - UAC bypass
    PID: 2420

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    - UAC bypass
    PID: 3656

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f
    PID: 4692

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
    - UAC bypass
    PID: 4564

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "0" /f
    PID: 4568

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f
    PID: 3284

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f
    - UAC bypass
    PID: 3564

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f
    PID: 2504
  C:\Windows\system32\choice.exe
    choice /c:12 /n
    PID: 3312

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    PID: 1788

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    PID: 2132

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    PID: 4472

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "BranchReadinessLevel" /t REG_SZ /d "CB" /f
    PID: 3128

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferFeatureUpdates" /t REG_DWORD /d "1" /f
    PID: 4056

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferQualityUpdates" /t REG_DWORD /d "0" /f
    PID: 3644

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "ExcludeWUDrivers" /t REG_DWORD /d "1" /f
    PID: 1092

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "FeatureUpdatesDeferralInDays" /t REG_DWORD /d "0" /f
    PID: 4624

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsDeferralIsActive" /t REG_DWORD /d "1" /f
    PID: 2408

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsWUfBConfigured" /t REG_DWORD /d "0" /f
    PID: 436

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsWUfBDualScanActive" /t REG_DWORD /d "0" /f
    PID: 1116

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "PolicySources" /t REG_DWORD /d "2" /f
    PID: 4248

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "BranchReadinessLevel" /t REG_DWORD /d "16" /f
    PID: 1084

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /t REG_DWORD /d "1" /f
    PID: 4676

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdatesPeriodInDays" /t REG_DWORD /d "0" /f
    PID: 4820
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:3696
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ManagePreviewBuilds" /t REG_DWORD /d "1" /f2⤵PID:4556
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ManagePreviewBuildsPolicyValue" /t REG_DWORD /d "0" /f2⤵PID:1308
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesStartTime" /t REG_SZ /d "" /f2⤵PID:3592
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "DetectionFrequency" /t REG_DWORD /d "20" /f2⤵PID:4508
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "DetectionFrequencyEnabled" /t REG_DWORD /d "1" /f2⤵PID:2756
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "EnableFeaturedSoftware" /t REG_DWORD /d "1" /f2⤵PID:2900
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:1372
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:1112
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f2⤵PID:4420
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:724
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f2⤵PID:4524
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:3024
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:2928
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:2120
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f2⤵PID:876
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:652
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:764
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f2⤵PID:2200
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f2⤵PID:1532
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "28" /f2⤵PID:1924
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "30" /f2⤵PID:1128
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f2⤵PID:3996
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f2⤵PID:1972
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f2⤵PID:4764
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f2⤵PID:4412
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f2⤵PID:3092
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f2⤵PID:1376
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender-Operational" /v Enable-OperationalChannel /t REG_DWORD /d 0 /f2⤵PID:4492
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f2⤵PID:772
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵PID:2592
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v DisableCEIP /t REG_DWORD /d 1 /f2⤵PID:1524
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\MinAppSession" /v fDenyTSApplications /t REG_DWORD /d 0 /f2⤵PID:4940
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\AppLocker" /v DisableNewDMADevicesWhenLocked /t REG_DWORD /d 1 /f2⤵PID:4020
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe" /v DisableNX /t REG_DWORD /d 1 /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:4108
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v DisableNX /t REG_DWORD /d 1 /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1836
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Defender\SystemGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f2⤵PID:1048
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v HideAllNotifications /t REG_DWORD /d 1 /f2⤵PID:1380
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband" /v HideSecurityCenter /t REG_DWORD /d 1 /f2⤵PID:1480
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationAuditOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f2⤵PID:2636
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f2⤵PID:4172
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0x00000000 /f2⤵PID:3832
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 0x1 /f2⤵PID:872
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x3 /f2⤵PID:1904
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x3 /f2⤵PID:4084
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v IOMMUFlags /t REG_DWORD /d 0x0 /f2⤵PID:988
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:4296
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Mouse Keys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:4976
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:3036
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\SoundSentry" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:4240
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 0 /f2⤵PID:3088
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:2364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4416): PowerShell -Command "Disable-MMAgent -MemoryCompression"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 716): PowerShell -Command "Disable-MMAgent -PageCombining"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exe (PID 4716): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 1564): reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"
    C:\Windows\system32\findstr.exe (PID 1848): findstr "HKEY"
C:\Windows\system32\cmd.exe (PID 1948): C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 1580): reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"
    C:\Windows\system32\findstr.exe (PID 3020): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 2292): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4880): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe (PID 4816): C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 2812): reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"
    C:\Windows\system32\findstr.exe (PID 3112): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 4400): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe (PID 2532): C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 668): reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"
    C:\Windows\system32\findstr.exe (PID 1968): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 2932): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe (PID 1920): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 2640): reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"
    C:\Windows\system32\findstr.exe (PID 1584): findstr "HKEY"
C:\Windows\system32\cmd.exe (PID 3972): C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 720): reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"
    C:\Windows\system32\findstr.exe (PID 4692): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 4352): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 1980): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe (PID 2232): C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 3664): reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"
    C:\Windows\system32\findstr.exe (PID 2504): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 2884): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe (PID 2056): C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 4476): reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"
    C:\Windows\system32\findstr.exe (PID 1196): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 4348): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe (PID 2668): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 3576): reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"
    C:\Windows\system32\findstr.exe (PID 4864): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 2272): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{99a99d5f-0c1b-464a-828f-0d89d2ee3fda}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe (PID 3144): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{cc2952c2-31c2-453f-bbc6-c0e9ec243b2f}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f
C:\Windows\system32\cmd.exe (PID 4404): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 4660): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"
    C:\Windows\system32\findstr.exe (PID 2540): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 4672): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 244): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 4212): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"
    C:\Windows\system32\findstr.exe (PID 1180): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 4748): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 2344): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 2072): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"
    C:\Windows\system32\findstr.exe (PID 3152): findstr "HKEY"
C:\Windows\system32\cmd.exe (PID 2620): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 980): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 5108): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 276): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 644): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 1408): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 4524): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 1900): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 1624): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 3064): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"
    C:\Windows\system32\findstr.exe (PID 1700): findstr "HKEY"
C:\Windows\system32\cmd.exe (PID 476): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 3308): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 2956): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 1924): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnumerationRetryCount" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 572): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 1128): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 2828): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 1972): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 4412): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 3092): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 2348): findstr "HKEY"
C:\Windows\system32\cmd.exe (PID 4492): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 3040): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 1908): findstr "HKEY"
C:\Windows\system32\cmd.exe (PID 1524): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 4940): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 3716): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 4108): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2668&SUBSYS_11001AF4&REV_01\3&11583659&0&28\Device Parameters\WDF" /v "WdfDirectedPowerTransitionEnable" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 1836): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 1048): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 232): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 3900): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 1480): reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f
C:\Windows\system32\cmd.exe (PID 4172): C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"
    C:\Windows\system32\reg.exe (PID 3832): reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe (PID 4836): findstr "HKEY"
C:\Windows\system32\reg.exe (PID 1904): reg add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4084): reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 988): reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4296): reg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4976): reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 3036): reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f
C:\Windows\system32\reg.exe (PID 4240): reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f
C:\Windows\system32\reg.exe (PID 3088): reg add "HKLM\System\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "40" /f
C:\Windows\system32\reg.exe (PID 2364): reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4596): reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 3236): reg add "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 5028): reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4036): reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 3884): reg add "HKLM\System\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4208): reg add "HKLM\System\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 1056): reg add "HKLM\System\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 2352): reg add "HKLM\System\CurrentControlSet\Services\Appinfo" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe (PID 3484): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 3768): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
C:\Windows\system32\reg.exe (PID 3920): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f
  - UAC bypass
C:\Windows\system32\reg.exe (PID 792): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
  - UAC bypass
C:\Windows\system32\reg.exe (PID 2936): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 1444): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f
  - UAC bypass
C:\Windows\system32\reg.exe (PID 1564): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 3524): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 1704): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f
  - UAC bypass
C:\Windows\system32\reg.exe (PID 3120): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f
C:\Windows\system32\choice.exe (PID 2996): choice /c:12 /n
C:\Windows\system32\reg.exe (PID 1736): reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4924): reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4872): reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4936): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "BranchReadinessLevel" /t REG_SZ /d "CB" /f
C:\Windows\system32\reg.exe (PID 2160): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferFeatureUpdates" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 2164): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferQualityUpdates" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 1956): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "ExcludeWUDrivers" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 1988): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "FeatureUpdatesDeferralInDays" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 1968): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsDeferralIsActive" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 3328): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsWUfBConfigured" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4124): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsWUfBDualScanActive" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 956): reg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "PolicySources" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe (PID 1584): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "BranchReadinessLevel" /t REG_DWORD /d "16" /f
C:\Windows\system32\reg.exe (PID 3536): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4228): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdatesPeriodInDays" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4692): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 3488): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ManagePreviewBuilds" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4496): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ManagePreviewBuildsPolicyValue" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 3312): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesStartTime" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe (PID 904): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "DetectionFrequency" /t REG_DWORD /d "20" /f
C:\Windows\system32\reg.exe (PID 2504): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "DetectionFrequencyEnabled" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4856): reg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "EnableFeaturedSoftware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 3652): reg add "HKLM\Software\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 2760): reg add "HKLM\Software\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 1196): reg add "HKLM\Software\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4056): reg add "HKLM\Software\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 396): reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 4624): reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 1468): reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 2840): reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 4580): reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 3432): reg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 2576): reg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 1420): reg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (PID 3628): Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (PID 3696): Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "28" /f
C:\Windows\system32\reg.exe (PID 2248): Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "30" /f
C:\Windows\system32\reg.exe (PID 4604): reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe (PID 4220): reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe (PID 2756): reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe (PID 5060): reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f2⤵PID:3592
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f2⤵PID:3272
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender-Operational" /v Enable-OperationalChannel /t REG_DWORD /d 0 /f2⤵PID:1112
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f2⤵PID:5108
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵PID:4372
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v DisableCEIP /t REG_DWORD /d 1 /f2⤵PID:1732
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\MinAppSession" /v fDenyTSApplications /t REG_DWORD /d 0 /f2⤵PID:1408
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\AppLocker" /v DisableNewDMADevicesWhenLocked /t REG_DWORD /d 1 /f2⤵PID:4664
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe" /v DisableNX /t REG_DWORD /d 1 /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2928
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v DisableNX /t REG_DWORD /d 1 /f2⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:5064
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Defender\SystemGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f2⤵PID:3064
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v HideAllNotifications /t REG_DWORD /d 1 /f2⤵PID:2120
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband" /v HideSecurityCenter /t REG_DWORD /d 1 /f2⤵PID:696
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationAuditOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f2⤵PID:2520
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f2⤵PID:2140
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0x00000000 /f2⤵PID:1532
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 0x1 /f2⤵PID:2956
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x3 /f2⤵PID:3264
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x3 /f2⤵PID:3960
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v IOMMUFlags /t REG_DWORD /d 0x0 /f2⤵PID:4764
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:2828
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Mouse Keys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:3348
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:2552
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\SoundSentry" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:4320
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 0 /f2⤵PID:1856
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:1796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Disable-MMAgent -MemoryCompression"  (PID:3948)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Disable-MMAgent -PageCombining"  (PID:1836)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"  (PID:3080)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"  (PID:1792)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2696)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"  (PID:3036)
    C:\Windows\system32\reg.exe  reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"  (PID:4240)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:1292)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f  (PID:2364)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f  (PID:4596)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"  (PID:3236)
    C:\Windows\system32\reg.exe  reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"  (PID:5028)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2708)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f  (PID:3884)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"  (PID:4208)
    C:\Windows\system32\reg.exe  reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"  (PID:1056)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:808)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f  (PID:4116)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"  (PID:672)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"  (PID:2704)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:3484)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"  (PID:2460)
    C:\Windows\system32\reg.exe  reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"  (PID:2184)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:4592)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f  (PID:2284)
  - Checks SCSI registry key(s)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f  (PID:1176)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"  (PID:2868)
    C:\Windows\system32\reg.exe  reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"  (PID:1580)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:3032)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f  (PID:4956)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"  (PID:3244)
    C:\Windows\system32\reg.exe  reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"  (PID:1652)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2292)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f  (PID:5020)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions" | findstr "HKEY"  (PID:4704)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"  (PID:4816)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:3112)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{99a99d5f-0c1b-464a-828f-0d89d2ee3fda}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f  (PID:668)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{cc2952c2-31c2-453f-bbc6-c0e9ec243b2f}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f  (PID:1432)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"  (PID:960)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"  (PID:3560)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2932)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f  (PID:2420)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"  (PID:1920)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"  (PID:956)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:3316)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f  (PID:3656)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"  (PID:4568)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"  (PID:1980)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:4352)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"  (PID:5008)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"  (PID:2688)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2232)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f  (PID:1252)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"  (PID:2004)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"  (PID:2132)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2760)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f  (PID:1092)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"  (PID:3644)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"  (PID:2412)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:1692)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"  (PID:2272)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"  (PID:4660)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:3432)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnumerationRetryCount" /t REG_DWORD /d "0" /f  (PID:4404)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"  (PID:4672)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"  (PID:4212)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:1180)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f  (PID:244)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"  (PID:3576)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"  (PID:240)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:1308)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"  (PID:1460)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"  (PID:3272)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2852)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"  (PID:2620)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"  (PID:4372)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2308)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2668&SUBSYS_11001AF4&REV_01\3&11583659&0&28\Device Parameters\WDF" /v "WdfDirectedPowerTransitionEnable" /t REG_DWORD /d "0" /f  (PID:3024)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"  (PID:4524)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"  (PID:228)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:5000)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f  (PID:1012)
C:\Windows\system32\reg.exe  reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f  (PID:2816)
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"  (PID:696)
    C:\Windows\system32\reg.exe  reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"  (PID:3796)
      - Checks SCSI registry key(s)
    C:\Windows\system32\findstr.exe  findstr "HKEY"  (PID:2520)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f  (PID:236)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f  (PID:1588)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f  (PID:1924)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f  (PID:4632)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f  (PID:3996)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f  (PID:2828)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f  (PID:1972)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "40" /f  (PID:1376)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:2348)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:4396)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:1796)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:3748)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:3784)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:2368)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:1084)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f  (PID:2180)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\Appinfo" /v "Start" /t REG_DWORD /d "4" /f  (PID:4940)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f  (PID:1740)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f  (PID:1516)
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f  (PID:800)
  - UAC bypass
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f  (PID:4836)
  - UAC bypass
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f  (PID:3572)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f  (PID:872)
  - UAC bypass
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "0" /f  (PID:3900)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f  (PID:4968)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f  (PID:788)
  - UAC bypass
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f  (PID:4904)
C:\Windows\system32\choice.exe  choice /c:12 /n  (PID:4452)
C:\Windows\system32\reg.exe  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f  (PID:4976)
C:\Windows\system32\reg.exe  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "28" /f  (PID:2136)
C:\Windows\system32\reg.exe  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "30" /f  (PID:3840)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f  (PID:3088)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f  (PID:920)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f  (PID:5024)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f  (PID:392)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f  (PID:4596)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f  (PID:4036)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender-Operational" /v Enable-OperationalChannel /t REG_DWORD /d 0 /f  (PID:3820)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f  (PID:3640)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f  (PID:4932)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v DisableCEIP /t REG_DWORD /d 1 /f  (PID:3728)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\MinAppSession" /v fDenyTSApplications /t REG_DWORD /d 0 /f  (PID:2260)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\AppLocker" /v DisableNewDMADevicesWhenLocked /t REG_DWORD /d 1 /f  (PID:1212)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe" /v DisableNX /t REG_DWORD /d 1 /f  (PID:3268)
  - Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v DisableNX /t REG_DWORD /d 1 /f  (PID:2352)
  - Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Defender\SystemGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f  (PID:4116)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v HideAllNotifications /t REG_DWORD /d 1 /f  (PID:1020)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband" /v HideSecurityCenter /t REG_DWORD /d 1 /f  (PID:792)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationAuditOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f  (PID:3472)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f  (PID:880)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0x00000000 /f  (PID:3980)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 0x1 /f  (PID:1176)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x3 /f  (PID:1660)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x3 /f  (PID:3020)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v IOMMUFlags /t REG_DWORD /d 0x0 /f  (PID:4732)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_DWORD /d 0x0 /f  (PID:2692)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Accessibility\Mouse Keys" /v Flags /t REG_DWORD /d 0x0 /f  (PID:4996)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_DWORD /d 0x0 /f  (PID:4924)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Accessibility\SoundSentry" /v Flags /t REG_DWORD /d 0x0 /f  (PID:1948)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 0 /f  (PID:4916)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_DWORD /d 0x0 /f  (PID:2160)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Disable-MMAgent -MemoryCompression"  (PID:1108)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  PowerShell -Command "Disable-MMAgent -PageCombining"  (PID:3536)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"2⤵PID:2688
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"3⤵PID:3468
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"2⤵PID:4056
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"3⤵PID:2132
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2328
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:1428
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:2064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"2⤵PID:436
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"3⤵PID:2840
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1008
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:1116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"2⤵PID:3676
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"3⤵PID:3144
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1420
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:4728
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"2⤵PID:4820
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"3⤵PID:3628
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4604
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"2⤵PID:3152
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"3⤵PID:5060
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2072
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:2900
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:552
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"2⤵PID:980
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"3⤵PID:2388
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:5108
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:2308
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"2⤵PID:724
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"3⤵PID:5064
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:876
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:5000
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions" | findstr "HKEY"2⤵PID:1624
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"3⤵PID:3368
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2816
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{99a99d5f-0c1b-464a-828f-0d89d2ee3fda}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵PID:3556
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{cc2952c2-31c2-453f-bbc6-c0e9ec243b2f}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵PID:2120
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"2⤵PID:764
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"3⤵PID:2956
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3264
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f2⤵PID:3960
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"2⤵PID:1456
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"3⤵PID:4764
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3348
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f2⤵PID:2552
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"2⤵PID:1136
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"3⤵PID:2592
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"2⤵PID:3748
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"3⤵PID:3784
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4492
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f2⤵PID:1084
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"2⤵PID:2180
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"3⤵PID:4940
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1048
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f2⤵PID:1516
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"2⤵PID:800
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"3⤵PID:4836
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2512
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"2⤵PID:1952
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"3⤵PID:4084
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4968
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnumerationRetryCount" /t REG_DWORD /d "0" /f2⤵PID:1480
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"2⤵PID:4800
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"3⤵PID:1792
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4976
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f2⤵PID:4628
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"2⤵PID:3260
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"3⤵PID:5056
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3088
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"2⤵PID:4480
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"3⤵PID:4888
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4596
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"2⤵PID:4076
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"3⤵PID:3116
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3640
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2668&SUBSYS_11001AF4&REV_01\3&11583659&0&28\Device Parameters\WDF" /v "WdfDirectedPowerTransitionEnable" /t REG_DWORD /d "0" /f2⤵PID:1056
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"2⤵PID:2472
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"3⤵PID:4208
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2264
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f2⤵PID:2664
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f2⤵PID:3484
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"2⤵PID:860
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"3⤵PID:2936
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:716
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f2⤵PID:1444
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f2⤵PID:3492
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f2⤵PID:2284
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f2⤵PID:1704
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f2⤵PID:4716
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f2⤵PID:3600
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f2⤵PID:4956
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "40" /f2⤵PID:1736
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:2292
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:4828
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:5020
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:4816
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:2296
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:492
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:1968
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f2⤵PID:1548
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\Appinfo" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3112
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f2⤵PID:1432
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "0" /f2⤵PID:5052
- Hijack Execution Flow: Executable Installer File Permissions Weakness
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "0" /f2⤵PID:3648
- UAC bypass
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f2⤵PID:1108
- UAC bypass
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "0" /f2⤵PID:3656
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "0" /f2⤵PID:2316
- UAC bypass
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "0" /f2⤵PID:3344
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f2⤵PID:4564
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f2⤵PID:3908
- UAC bypass
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "0" /f2⤵PID:1088
C:\Windows\system32\choice.exechoice /c:12 /n2⤵PID:4344
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:3868
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:4472
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f2⤵PID:3652
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "BranchReadinessLevel" /t REG_SZ /d "CB" /f2⤵PID:3616
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferFeatureUpdates" /t REG_DWORD /d "1" /f2⤵PID:2056
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "DeferQualityUpdates" /t REG_DWORD /d "0" /f2⤵PID:2760
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "ExcludeWUDrivers" /t REG_DWORD /d "1" /f2⤵PID:4348
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "FeatureUpdatesDeferralInDays" /t REG_DWORD /d "0" /f2⤵PID:3964
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsDeferralIsActive" /t REG_DWORD /d "1" /f2⤵PID:3292
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsWUfBConfigured" /t REG_DWORD /d "0" /f2⤵PID:4624
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "IsWUfBDualScanActive" /t REG_DWORD /d "0" /f2⤵PID:3644
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState" /v "PolicySources" /t REG_DWORD /d "2" /f2⤵PID:2408
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "BranchReadinessLevel" /t REG_DWORD /d "16" /f2⤵PID:4660
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdates" /t REG_DWORD /d "1" /f2⤵PID:2024
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferFeatureUpdatesPeriodInDays" /t REG_DWORD /d "0" /f2⤵PID:3696
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:3676
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ManagePreviewBuilds" /t REG_DWORD /d "1" /f2⤵PID:4212
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "ManagePreviewBuildsPolicyValue" /t REG_DWORD /d "0" /f2⤵PID:2888
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "PauseFeatureUpdatesStartTime" /t REG_SZ /d "" /f2⤵PID:2756
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "DetectionFrequency" /t REG_DWORD /d "20" /f2⤵PID:1352
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "DetectionFrequencyEnabled" /t REG_DWORD /d "1" /f2⤵PID:4220
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "EnableFeaturedSoftware" /t REG_DWORD /d "1" /f2⤵PID:1112
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\current\device\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:4744
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\Update" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:3272
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate" /v "value" /t REG_DWORD /d "1" /f2⤵PID:2852
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "1" /f2⤵PID:1648
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t REG_DWORD /d "0" /f2⤵PID:4112
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1460
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:2620
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:1700
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f2⤵PID:228
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:644
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:4524
C:\Windows\system32\reg.exereg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f2⤵PID:3376
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f2⤵PID:2200
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\kbdclass\Parameters" /v "KeyboardDataQueueSize" /t REG_DWORD /d "28" /f2⤵PID:248
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mouclass\Parameters" /v "MouseDataQueueSize" /t REG_DWORD /d "30" /f2⤵PID:2520
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v "MouseThreshold1" /t REG_SZ /d "0" /f2⤵PID:4528
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v "MouseThreshold2" /t REG_SZ /d "0" /f2⤵PID:1128
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v "MouseSpeed" /t REG_SZ /d "0" /f2⤵PID:4972
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_SZ /d "0" /f2⤵PID:236
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f2⤵PID:572
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f2⤵PID:416
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender-Operational" /v Enable-OperationalChannel /t REG_DWORD /d 0 /f2⤵PID:3092
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f2⤵PID:3996
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵PID:1376
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v DisableCEIP /t REG_DWORD /d 1 /f2⤵PID:3716
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\MinAppSession" /v fDenyTSApplications /t REG_DWORD /d 0 /f2⤵PID:1524
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\AppLocker" /v DisableNewDMADevicesWhenLocked /t REG_DWORD /d 1 /f2⤵PID:772
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hh.exe" /v DisableNX /t REG_DWORD /d 1 /f2⤵PID:4104
- Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v DisableNX /t REG_DWORD /d 1 /f2⤵PID:4004
- Event Triggered Execution: Image File Execution Options Injection
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Defender\SystemGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f2⤵PID:4108
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v HideAllNotifications /t REG_DWORD /d 1 /f2⤵PID:3100
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband" /v HideSecurityCenter /t REG_DWORD /d 1 /f2⤵PID:1380
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationAuditOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f2⤵PID:4640
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\MitigationOptions" /v AuditSystemPolicy /t REG_DWORD /d 22222222 /f2⤵PID:3904
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0x00000000 /f2⤵PID:4636
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 0x1 /f2⤵PID:988
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0x3 /f2⤵PID:4836
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 0x3 /f2⤵PID:840
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v IOMMUFlags /t REG_DWORD /d 0x0 /f2⤵PID:1260
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:4084
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Mouse Keys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:3900
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:3448
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\SoundSentry" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:2244
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 0 /f2⤵PID:1792
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v Flags /t REG_DWORD /d 0x0 /f2⤵PID:1836
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Disable-MMAgent -MemoryCompression"2⤵PID:1976
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "Disable-MMAgent -PageCombining"2⤵PID:5104
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"2⤵PID:868
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"3⤵PID:3472
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:716
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"2⤵PID:880
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"3⤵PID:3004
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1564
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:2284
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:1704
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"2⤵PID:4716
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"3⤵PID:2868
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4880
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:1652
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"2⤵PID:1896
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"3⤵PID:2812
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2164
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "CacheIsPowerProtected" /t REG_DWORD /d "1" /f2⤵PID:2980
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"| findstr "HKEY"2⤵PID:1476
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum\SCSI"3⤵PID:2640
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:1520
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"| findstr "HKEY"2⤵PID:4512
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM"3⤵PID:4776
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:2532
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:2420
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:4876
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"| findstr "HKEY"2⤵PID:4496
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM"3⤵PID:3312
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3488
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:956
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"| findstr "HKEY"2⤵PID:3316
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A"3⤵PID:3952
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:3908
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Disk" /v "UserWriteCacheSetting" /t REG_DWORD /d "1" /f2⤵PID:4856
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions" | findstr "HKEY"2⤵PID:3536
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces" /s /f "NetbiosOptions"3⤵PID:1252
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:5008
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{99a99d5f-0c1b-464a-828f-0d89d2ee3fda}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵PID:2688
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{cc2952c2-31c2-453f-bbc6-c0e9ec243b2f}" /v "NetbiosOptions" /t REG_DWORD /d "2" /f2⤵PID:2004
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled" | findstr "HKEY"2⤵PID:2328
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnhancedPowerManagementEnabled"3⤵PID:1092
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4056
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnhancedPowerManagementEnabled" /t REG_DWORD /d "0" /f2⤵PID:2064
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3" | findstr "HKEY"2⤵PID:2540
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "AllowIdleIrpInD3"3⤵PID:1008
- Checks SCSI registry key(s)
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:432
-
-
-
C:\Windows\system32\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "AllowIdleIrpInD3" /t REG_DWORD /d "0" /f2⤵PID:2272
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend" | findstr "HKEY"2⤵PID:2248
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableSelectiveSuspend"3⤵
- Checks SCSI registry key(s)
PID:3432
-
-
C:\Windows\system32\findstr.exefindstr "HKEY"3⤵PID:4580
-
-
-
  C:\Windows\system32\cmd.exe (PID 4728)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 3628)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "DeviceSelectiveSuspended"

    C:\Windows\system32\findstr.exe (PID 2888)
      findstr "HKEY"

  C:\Windows\system32\reg.exe (PID 1308)
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "DeviceSelectiveSuspended" /t REG_DWORD /d "0" /f

  C:\Windows\system32\cmd.exe (PID 4508)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 2344)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendEnabled"
      - Checks SCSI registry key(s)

    C:\Windows\system32\findstr.exe (PID 1112)
      findstr "HKEY"

  C:\Windows\system32\reg.exe (PID 2900)
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "SelectiveSuspendEnabled" /t REG_DWORD /d "0" /f

  C:\Windows\system32\cmd.exe (PID 4540)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 2388)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "SelectiveSuspendOn"
      - Checks SCSI registry key(s)

    C:\Windows\system32\findstr.exe (PID 1648)
      findstr "HKEY"

  C:\Windows\system32\cmd.exe (PID 980)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 3632)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnumerationRetryCount"

    C:\Windows\system32\findstr.exe (PID 4736)
      findstr "HKEY"

  C:\Windows\system32\reg.exe (PID 3024)
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "EnumerationRetryCount" /t REG_DWORD /d "0" /f

  C:\Windows\system32\cmd.exe (PID 1900)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 5000)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "ExtPropDescSemaphore"

    C:\Windows\system32\findstr.exe (PID 3796)
      findstr "HKEY"

  C:\Windows\system32\reg.exe (PID 1012)
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0627&PID_0001\28754-0000:00:04.0-1\Device Parameters" /v "ExtPropDescSemaphore" /t REG_DWORD /d "0" /f

  C:\Windows\system32\cmd.exe (PID 1448)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 2520)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WaitWakeEnabled"

    C:\Windows\system32\findstr.exe (PID 1588)
      findstr "HKEY"

  C:\Windows\system32\cmd.exe (PID 1924)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 4972)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "D3ColdSupported"
      - Checks SCSI registry key(s)

    C:\Windows\system32\findstr.exe (PID 764)
      findstr "HKEY"

  C:\Windows\system32\cmd.exe (PID 3444)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 3672)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "WdfDirectedPowerTransitionEnable"

    C:\Windows\system32\findstr.exe (PID 2880)
      findstr "HKEY"

  C:\Windows\system32\reg.exe (PID 4412)
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2668&SUBSYS_11001AF4&REV_01\3&11583659&0&28\Device Parameters\WDF" /v "WdfDirectedPowerTransitionEnable" /t REG_DWORD /d "0" /f

  C:\Windows\system32\cmd.exe (PID 2552)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 4396)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "EnableIdlePowerManagement"

    C:\Windows\system32\findstr.exe (PID 1856)
      findstr "HKEY"

  C:\Windows\system32\reg.exe (PID 2084)
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&10\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 3784)
    reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_8086&DEV_2922&SUBSYS_11001AF4&REV_02\3&11583659&0&FA\Device Parameters\StorPort" /v "EnableIdlePowerManagement" /t REG_DWORD /d "0" /f

  C:\Windows\system32\cmd.exe (PID 3580)
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState" | findstr "HKEY"

    C:\Windows\system32\reg.exe (PID 4108)
      reg query "HKLM\SYSTEM\CurrentControlSet\Enum" /s /f "IdleInWorkingState"
      - Checks SCSI registry key(s)

    C:\Windows\system32\findstr.exe (PID 1740)
      findstr "HKEY"

  C:\Windows\system32\reg.exe (PID 1380)
    reg add "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 4504)
    reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 3832)
    reg add "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 4636)
    reg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f

  C:\Windows\system32\reg.exe (PID 3572)
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f

  C:\Windows\system32\reg.exe (PID 4288)
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "10" /f

  C:\Windows\system32\reg.exe (PID 4172)
    reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f

  C:\Windows\system32\reg.exe (PID 1904)
    reg add "HKLM\System\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "40" /f

  C:\Windows\system32\reg.exe (PID 1348)
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 3496)
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 4912)
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 2244)
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 2136)
    reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 4452)
    reg add "HKLM\System\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 2364)
    reg add "HKLM\System\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 480)
    reg add "HKLM\System\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 920)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMBandwidthFeature" /t REG_DWORD /d "1896072192" /f

  C:\Windows\system32\reg.exe (PID 4364)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMBandwidthFeature2" /t REG_DWORD /d "1" /f

  C:\Windows\system32\reg.exe (PID 392)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0001" /v "RMBandwidthFeature" /t REG_DWORD /d "1896072192" /f

  C:\Windows\system32\reg.exe (PID 3236)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0001" /v "RMBandwidthFeature2" /t REG_DWORD /d "1" /f

  C:\Windows\system32\reg.exe (PID 5056)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMElcg" /t REG_DWORD /d "1431655765" /f

  C:\Windows\system32\reg.exe (PID 1976)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMBlcg" /t REG_DWORD /d "286331153" /f

  C:\Windows\system32\reg.exe (PID 1212)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMElpg" /t REG_DWORD /d "4095" /f

  C:\Windows\system32\reg.exe (PID 3768)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMSlcg" /t REG_DWORD /d "16383" /f

  C:\Windows\system32\reg.exe (PID 2208)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMFspg" /t REG_DWORD /d "15" /f

  C:\Windows\system32\reg.exe (PID 1400)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RmLogonRC" /t REG_DWORD /d "0" /f

  C:\Windows\system32\reg.exe (PID 1056)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMLpwrArch" /t REG_DWORD /d "1365" /f

  C:\Windows\system32\reg.exe (PID 3584)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RmLpwrCtrlGrRgParameters" /t REG_DWORD /d "349525" /f

  C:\Windows\system32\reg.exe (PID 1664)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMLpwrEiClient" /t REG_DWORD /d "1" /f

  C:\Windows\system32\reg.exe (PID 4000)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RmMIONoPowerOff" /t REG_DWORD /d "1" /f

  C:\Windows\system32\reg.exe (PID 672)
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\9\0000" /v "RMDeepL1EntryLatencyUsec" /t REG_DWORD /d "1" /f

Network
MITRE ATT&CK Enterprise v15

Persistence
  Event Triggered Execution (1): Image File Execution Options Injection (1)
  Hijack Execution Flow (1): Executable Installer File Permissions Weakness (1)
  Power Settings (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Event Triggered Execution (1): Image File Execution Options Injection (1)
  Hijack Execution Flow (1): Executable Installer File Permissions Weakness (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Hide Artifacts (1): Ignore Process Interrupts (1)
  Hijack Execution Flow (1): Executable Installer File Permissions Weakness (1)
  Impair Defenses (2): Disable or Modify Tools (2)
  Modify Registry (2)
Downloads

Filesize: 2KB
  MD5:    4ef3b165311abe48029443c0a529747f
  SHA1:   ad65cc913ed3805d813bc16337c7f6d2a97b55d9
  SHA256: c2c563dddc3df7fda0e246d9988718b315a9704335312d5ddfb1768efa1655ff
  SHA512: 696e3deb942e4f6d3980a831668bfd40a8bee586cca3e4ca5a85aeae482af5c8c5ae21e319b4483345c582b7a61d51220c8ccce0072497a8ee53e1e87ac5e99a

Filesize: 1KB
  MD5:    2ac613f412b68377d46d32dcdba368d4
  SHA1:   a3675affffb61f846f0b265a66f12351a29c9f52
  SHA256: 3c4157e10a04ae1cc04c1c172793e76e4f11c886ce5a6c379ee00ec831a470cd
  SHA512: 438db4a5c93df6128321ac52399a7a22f1332b6a5142c331a34c0459c6b6aa1e58a5e6f383bbe5a34ee34d9b5dbf41dc2b2a0fe143754767f6616481f00b6721

Filesize: 1KB
  MD5:    404b95130ee095ed4a70e9f199cdc2bb
  SHA1:   b3175cfcdaa04b9a242f1ceb6db1b679d956c1b2
  SHA256: 9a334a414d1876f7675da98f0b2415e5908715a099374ab769f35656b2698320
  SHA512: 0781235af6ac5735793188111dab30fe1c59544496a78323e43e6d41a5c30379896cc7bf467fea4c22410de4dd891a66b1fb36f124880909ac62bca965ba4481

Filesize: 1KB
  MD5:    6eff26fdf93a3fc4957cfb3e21ea1431
  SHA1:   f6e4fa49e7218f264c729bd0ff517cb913537b0b
  SHA256: 215fb2d1fe3c7f74b88347e8eb81701bfd5f957f76895adfef005325f4cdf936
  SHA512: 38564a4b87dda7e9fcb4429ad8873eff2a384fb49671006e263a89a4f31a5f8d28db1ae433eb35b6195024aa3a3a7dbe230302683a068cbd5195812e16e3b431

Filesize: 64B
  MD5:    5caad758326454b5788ec35315c4c304
  SHA1:   3aef8dba8042662a7fcf97e51047dc636b4d4724
  SHA256: 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
  SHA512: 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Filesize: 1KB
  MD5:    c4d37cea964ce213b800892c8992507a
  SHA1:   79824d723a02e592480cadaf2da6fad0e2e09f3a
  SHA256: cc50e5661dc11e24f5df8321dde2f258be2d2c5d51f5ee1634d82ff8ae028fc9
  SHA512: 62fbe4e88f0b740faca7c699e619d84cb4129d9c43f03ba1a948c1c3c44cb8f03e826022037532beca5c63f860cc95d12f964044cdd8e936f01c864a805e2337

Filesize: 1KB
  MD5:    9fcf8d1c789ad595ca9e79fe5c7bbb54
  SHA1:   a7e60e7c51369f7c4a4d91042357f1665bbf93f3
  SHA256: db7bc06253f88259b7115c819ffa247a234b6120f46e1d65bfee21ee337170a1
  SHA512: 46b4bf62ebc3496243cb0d6a775b0b14a2df982ed97a5f12fd3eeca204c508ad35a9a55d88af18e87d8b5b925a67e0ff050cb038ce7a4d894378efdabd00f999

Filesize: 1KB
  MD5:    43f56c0e8fd520e0a429f4c5f6a59adf
  SHA1:   7f8cd1f2a7b3656e8dc516ce2525561d92fb97d9
  SHA256: 0ce7850c5824d71bf3d4fe8e5f10bbac2778d4567880c73af9364b28cb3f3dca
  SHA512: 8c803ec3377dd6aa108eb76052df32f858771a494be55fc6cda3a7cb43d5e6744a05af8768f092365eaea34b8b2249eb4e549273510943cf9bf636a0c7df8dbe

Filesize: 1KB
  MD5:    3692552b88049d97152f7c0925457849
  SHA1:   09a8e6f458070254803dd66f6dadc7a76845f25f
  SHA256: cc8b732588daf4233f01e54d9033d24e7635d1109bf0462ecf83acca5353d01f
  SHA512: cef1596ed8a395154dd1cd2d77aad3e9ae792609f7dd90f7bdb25d29e49ae37f695c2ef8ca984c71fe056df7626363e4de017cf2ee2e9dd98575fb2af5fa612b

Filesize: 1KB
  MD5:    1e8a9ae457e043e6835f6d2ec3e2896e
  SHA1:   2c5d6d8bf03c99d1b7e34da2a0ea2c95b171e081
  SHA256: abfe82d80244af1843c8cb909d705d29b21ee5d5ec1a8de3515fecc712199b37
  SHA512: 3ff97afac223cc58461b5853b4ac5f8b147af915d6efc6d208c7c2948b0deca6bd941dd9df53d2870eece06c3282cf321160386f49131e8826960fbbcc4dd7ca

Filesize: 1KB
  MD5:    4a748b119591f2c3da88cdead438ee62
  SHA1:   3dcc5c6b6f94d9751021c201b2727a5f20b61695
  SHA256: 83304dd0f2a8987d7ea2e37b7cfd2cb9037819ff2b47b62575e7d9b3d743d16f
  SHA512: dd9c3c8f08412db29ab337c36def1aa43338ff1d93994f70a39f792f5a43c1d3b16480c348d65d597c7fd4acd1ef5dcb96bdb4d8e41617bbca172512655b862a

Filesize: 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82