Analysis
max time kernel: 95s
max time network: 202s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-11-2024 19:05
Static task: static1
Behavioral task: behavioral1
Sample: Windows11Tweaks.bat
Resource: win11-20241007-en
General
Target: Windows11Tweaks.bat
Size: 216KB
MD5: 149db85dfacdb06c6b24fc86c7034f43
SHA1: f30188b2827529ac26c5dc0688dcadc8beebe334
SHA256: 2748a2564c1383d784490cdbf3540e050af89b82f6cbc0630d3823f1839a32e5
SHA512: abe4e3df171329684779e4620c0810f74d29ea78d03a5c5e67a436e4a854614b362ae9829531598627f67e24fa3dc57094748ab0ab0c57eaec81a8dfae269571
SSDEEP: 1536:MiOYel4nqGguj+deUuLzjmGF0CTXCnYFi3NDVT6z:Bbgu6deUKjX0uXnFQNDkz
Malware Config
Signatures
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | reg.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows Defender Security Center\Notifications | reg.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | reg.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | reg.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" | reg.exe
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | reg.exe
Disables use of System Restore points (1 TTP)
Possible privilege escalation attempt (16 IoCs)
Processes (process: pids):
  takeown.exe: 4556, 2376, 1964, 240, 1176, 2072, 1744, 108
  icacls.exe: 2308, 3528, 3804, 3160, 1836, 2600, 2276, 5028
Boot or Logon Autostart Execution: LSASS Driver (2 TTPs, 1 IoC)
Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\RunAsPPL = "0" | reg.exe
Modifies file permissions (1 TTP, 16 IoCs)
Processes (process: pids):
  takeown.exe: 1964, 240, 2376, 1176, 108, 4556, 1744, 2072
  icacls.exe: 5028, 3528, 3804, 3160, 2600, 2308, 1836, 2276
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTP)
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 1 IoC)
Possibly turns off User Account Control's privilege elevation for standard users.
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "1" | reg.exe
Power Settings (1 TTP, 4 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes (process: pids):
  powercfg.exe: 4736, 5104, 4536, 1776
Launches sc.exe (6 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes (process: pids):
  sc.exe: 3220, 1616, 1736, 3164, 5016, 4568
Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Delays execution with timeout.exe (1 IoC)
Processes (process: pids):
  timeout.exe: 3412
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Kills process with taskkill (6 IoCs)
Processes (process: pids):
  taskkill.exe: 2580, 1036, 3376, 3880, 480, 780
Modifies data under HKEY_USERS (6 IoCs)
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\.Default | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Microsoft | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Microsoft\Windows Script | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Microsoft\Windows Script\Settings | reg.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Microsoft\Windows Script\Settings\JITDebug = "0" | reg.exe
  Key created | \REGISTRY\USER\.Default\Microsoft\Windows Script\Settings | reg.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid | process):
  788 | WINWORD.EXE (2 occurrences)
Suspicious use of AdjustPrivilegeToken (21 IoCs)
Processes (description | pid | process):
  Token: SeTakeOwnershipPrivilege | 108 | takeown.exe
  Token: SeDebugPrivilege | 3880 | taskkill.exe
  Token: SeShutdownPrivilege | 5104 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 5104 | powercfg.exe
  Token: SeShutdownPrivilege | 5104 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 5104 | powercfg.exe
  Token: SeTakeOwnershipPrivilege | 1964 | takeown.exe
  Token: SeDebugPrivilege | 480 | taskkill.exe
  Token: SeTakeOwnershipPrivilege | 4556 | takeown.exe
  Token: SeDebugPrivilege | 780 | taskkill.exe
  Token: SeTakeOwnershipPrivilege | 2376 | takeown.exe
  Token: SeDebugPrivilege | 2580 | taskkill.exe
  Token: SeDebugPrivilege | 1036 | taskkill.exe
  Token: SeTakeOwnershipPrivilege | 1176 | takeown.exe
  Token: SeDebugPrivilege | 3376 | taskkill.exe
  Token: SeShutdownPrivilege | 4536 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4536 | powercfg.exe
  Token: SeShutdownPrivilege | 1776 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1776 | powercfg.exe
  Token: SeShutdownPrivilege | 4736 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4736 | powercfg.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes (pid | process):
  788 | WINWORD.EXE (8 occurrences)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid/process wrote to memory of target pid/process; every row below is recorded twice in the report, which gives the 64 IoCs):
  4728 cmd.exe -> 1920 reg.exe
  4728 cmd.exe -> 3220 sc.exe
  4728 cmd.exe -> 1568 net.exe
  1568 net.exe -> 1292 net1.exe
  4728 cmd.exe -> 3412 timeout.exe
  4728 cmd.exe -> 5032 reg.exe
  4728 cmd.exe -> 1340 reg.exe
  4728 cmd.exe -> 4784 reg.exe
  4728 cmd.exe -> 4056 reg.exe
  4728 cmd.exe -> 1624 reg.exe
  4728 cmd.exe -> 444 reg.exe
  4728 cmd.exe -> 2864 reg.exe
  4728 cmd.exe -> 5040 reg.exe
  4728 cmd.exe -> 108 takeown.exe
  4728 cmd.exe -> 3804 icacls.exe
  4728 cmd.exe -> 3880 taskkill.exe
  4728 cmd.exe -> 2732 reg.exe
  4728 cmd.exe -> 2336 reg.exe
  4728 cmd.exe -> 2364 reg.exe
  4728 cmd.exe -> 3312 reg.exe
  4728 cmd.exe -> 2812 reg.exe
  4728 cmd.exe -> 4232 reg.exe
  4728 cmd.exe -> 2436 reg.exe
  4728 cmd.exe -> 2200 reg.exe
  4728 cmd.exe -> 1416 reg.exe
  4728 cmd.exe -> 3588 reg.exe
  4728 cmd.exe -> 896 reg.exe
  4728 cmd.exe -> 3292 reg.exe
  4728 cmd.exe -> 1508 reg.exe
  4728 cmd.exe -> 684 reg.exe
  4728 cmd.exe -> 2148 reg.exe
  4728 cmd.exe -> 3048 reg.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows depth, each entry is image path followed by command line)
- [PID 4728] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Windows11Tweaks.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - [PID 1920] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt" /v "Start" /t REG_DWORD /d "2" /f
  - [PID 3220] C:\Windows\system32\sc.exe: sc config winmgmt start= auto
    Signatures: Launches sc.exe
  - [PID 1568] C:\Windows\system32\net.exe: net start winmgmt
    Signatures: Suspicious use of WriteProcessMemory
    - [PID 1292] C:\Windows\system32\net1.exe: C:\Windows\system32\net1 start winmgmt
  - [PID 3412] C:\Windows\system32\timeout.exe: TIMEOUT /T 5
    Signatures: Delays execution with timeout.exe
  - [PID 5032] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  - [PID 1340] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Edge\SmartScreenEnabled" /ve /t REG_DWORD /d "0" /f
  - [PID 4784] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled" /ve /t REG_DWORD /d "0" /f
  - [PID 4056] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f
  - [PID 1624] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t "REG_DWORD" /d "0" /f
  - [PID 444] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_SZ /d "Anywhere" /f
  - [PID 2864] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t "REG_DWORD" /d "0" /f
  - [PID 5040] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Edge" /v "SmartScreenDnsRequestsEnabled" /t REG_DWORD /d "0" /f
  - [PID 108] C:\Windows\system32\takeown.exe: takeown /s RPHBTALT /u Admin /f "C:\Windows\System32\smartscreen.exe"
    Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - [PID 3804] C:\Windows\system32\icacls.exe: icacls "C:\Windows\System32\smartscreen.exe" /grant:r Admin:F
    Signatures: Possible privilege escalation attempt; Modifies file permissions
  - [PID 3880] C:\Windows\system32\taskkill.exe: taskkill /im smartscreen.exe /f
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - [PID 2732] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d "1" /f
  - [PID 2336] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
    Signatures: Modifies visibility of file extensions in Explorer
  - [PID 2364] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d "1" /f
    Signatures: Modifies visibility of hidden/system files in Explorer
  - [PID 3312] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SeparateProcess" /t REG_DWORD /d "1" /f
  - [PID 2812] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
  - [PID 4232] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SharingWizardOn" /t REG_DWORD /d "0" /f
  - [PID 2436] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "DesktopProcess" /t REG_DWORD /d "1" /f
  - [PID 2200] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d "No" /f
  - [PID 1416] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v "ConfirmationCheckBoxDoForAll" /t REG_DWORD /d "0" /f
  - [PID 3588] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v "EnthusiastMode" /t REG_DWORD /d "0" /f
  - [PID 896] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "NoPreviousVersionsPage" /t REG_DWORD /d "1" /f
  - [PID 3292] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ConfirmFileDelete" /t REG_DWORD /d "1" /f
  - [PID 1508] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\Explorer" /v "NoUseStoreOpenWith" /t REG_DWORD /d "1" /f
  - [PID 684] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
  - [PID 2148] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v "ForegroundFlashCount" /t REG_SZ /d "0" /f
  - [PID 3048] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v "ForegroundLockTimeout" /t REG_DWORD /d "0" /f
  - [PID 2632] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "25000" /f
  - [PID 4640] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "25000" /f
  - [PID 4192] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "25000" /f
  - [PID 864] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
  - [PID 1676] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f
  - [PID 1980] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "AlwaysUnloadDLL" /t REG_DWORD /d "1" /f
  - [PID 1352] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d "0" /f
  - [PID 2092] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Dfrg\BootOptimizeFunction" /v "Enable" /t REG_SZ /d "n" /f
  - [PID 2356] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\FTH" /v "Enabled" /t Reg_DWORD /d "0" /f
  - [PID 1188] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\OptimalLayout" /v "EnableAutoLayout" /t REG_DWORD /d "0" /f
  - [PID 2964] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /t REG_DWORD /d "0" /f
  - [PID 3960] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  - [PID 752] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\ScheduledDiagnostics" /v "EnabledExecution" /t REG_DWORD /d "0" /f
  - [PID 1176] C:\Windows\system32\fsutil.exe: fsutil behavior set disable8dot3 1
  - [PID 4252] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\BitLocker" /v "PreventDeviceEncryption" /t REG_DWORD /d "1" /f
  - [PID 4172] C:\Windows\system32\fsutil.exe: fsutil behavior set disableencryption 1
  - [PID 4596] C:\Windows\system32\fsutil.exe: fsutil behavior set disablelastaccess 1
  - [PID 1172] C:\Windows\system32\fsutil.exe: fsutil behavior set memoryusage 2
  - [PID 2952] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d "2" /f
  - [PID 1912] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
  - [PID 4736] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d "0" /f
  - [PID 4936] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
  - [PID 4356] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
  - [PID 3056] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
  - [PID 4064] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "0" /f
  - [PID 4876] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
  - [PID 3980] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
  - [PID 1480] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBootTrace" /t REG_DWORD /d "0" /f
  - [PID 1488] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "SfTracingState" /t REG_DWORD /d "0" /f
  - [PID 2040] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
  - [PID 5104] C:\Windows\system32\powercfg.exe: powercfg -h off
    Signatures: Power Settings; Suspicious use of AdjustPrivilegeToken
  - [PID 3904] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
  - [PID 4072] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabledDefault" /t REG_DWORD /d "0" /f
  - [PID 3168] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  - [PID 5088] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 3156] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 4084] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 3076] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f
  - [PID 3560] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
  - [PID 796] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
  - [PID 464] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows Script\Settings" /v "JITDebug" /t REG_DWORD /d "0" /f
  - [PID 1448] C:\Windows\system32\reg.exe: reg add "HKU\.Default\Microsoft\Windows Script\Settings" /v "JITDebug" /t REG_DWORD /d "0" /f
    Signatures: Modifies data under HKEY_USERS
  - [PID 4872] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideIcons" /t REG_DWORD /d "0" /f
  - [PID 4820] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoAddingComponents" /t REG_DWORD /d "1" /f
  - [PID 1664] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoComponents" /t REG_DWORD /d "1" /f
  - [PID 2688] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ForceActiveDesktopOn" /t REG_DWORD /d "0" /f
  - [PID 4196] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoActiveDesktop" /t REG_DWORD /d "1" /f
  - [PID 3036] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoActiveDesktopChanges" /t REG_DWORD /d "1" /f
  - [PID 2476] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDesktop" /t REG_DWORD /d "0" /f
  - [PID 2388] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "AllowOnlineTips" /t REG_DWORD /d "0" /f
  - [PID 4004] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d "1" /f
  - [PID 4608] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Norecentdocsnethood" /t REG_DWORD /d "1" /f
  - [PID 2644] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableCursorSuppression" /t REG_DWORD /d "0" /f
  - [PID 4332] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "LocalAccountTokenFilterPolicy" /t REG_DWORD /d "0" /f
  - [PID 1700] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareServer" /t REG_DWORD /d "0" /f
  - [PID 3052] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f
  - [PID 3136] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "RestrictNullSessAccess" /t REG_DWORD /d "0" /f
  - [PID 4676] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "CachedLogonsCount" /t REG_DWORD /d "0" /f
  - [PID 5072] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Internet Explorer\SQM" /v "DisableCustomerImprovementProgram" /t REG_DWORD /d "0" /f
  - [PID 1452] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Messenger\Client" /v "CEIP" /t REG_DWORD /d "2" /f
  - [PID 2648] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
  - [PID 3916] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
  - [PID 760] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f
  - [PID 3448] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisablePCA" /t REG_DWORD /d "1" /f
  - [PID 2552] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f
  - [PID 1048] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Steps-Recorder" /v "Enabled" /t REG_DWORD /d "0" /f
  - [PID 980] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  - [PID 2928] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  - [PID 4788] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f
  - [PID 536] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "everyoneincludeanonymous" /t REG_DWORD /d "0" /f
  - [PID 3220] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB1" /t REG_DWORD /d "0" /f
  - [PID 1308] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB2" /t REG_DWORD /d "0" /f
  - [PID 1568] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager" /v "EnablePeriodicBackup" /t REG_DWORD /d "1" /f
  - [PID 756] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableDomainCreds" /t REG_DWORD /d "1" /f
  - [PID 2232] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d "0" /f
  - [PID 1340] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdminOutboundCreds" /t REG_DWORD /d "1" /f
  - [PID 3380] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v "RunAsPPL" /t REG_DWORD /d "0" /f
    Signatures: Boot or Logon Autostart Execution: LSASS Driver; Access Token Manipulation: Create Process with Token
  - [PID 4588] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "Negotiate" /t REG_DWORD /d "0" /f
  - [PID 3444] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest" /v "UseLogonCredential" /t REG_DWORD /d "0" /f
  - [PID 2108] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t REG_DWORD /d "1" /f
    Signatures: UAC bypass
  - [PID 1388] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorUser" /t REG_DWORD /d "0" /f
    Signatures: UAC bypass
  - [PID 132] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableFullTrustStartupTasks" /t REG_DWORD /d "0" /f
  - [PID 424] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableInstallerDetection" /t REG_DWORD /d "1" /f
    Signatures: Hijack Execution Flow: Executable Installer File Permissions Weakness
  - [PID 2176] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
    Signatures: UAC bypass
  - [PID 3396] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableSecureUIAPaths" /t REG_DWORD /d "1" /f
  - [PID 3880] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUwpStartupTasks" /t REG_DWORD /d "0" /f
  - [PID 2732] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableUIADesktopToggle" /t REG_DWORD /d "0" /f
  - [PID 2336] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableVirtualization" /t REG_DWORD /d "0" /f
  - [PID 2364] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
  - [PID 3312] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t REG_DWORD /d "1" /f
    Signatures: UAC bypass
  - [PID 2812] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "ValidateAdminCodeSignatures" /t REG_DWORD /d "1" /f
  - [PID 1704] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "VerboseStatus" /t REG_DWORD /d "0" /f
  - [PID 2436] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d "0" /f
  - [PID 2200] C:\Windows\system32\reg.exe: reg delete "HKCU\AppEvents\Schemes\Apps" /f
  - [PID 1416] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Multimedia\Audio" /v "UserDuckingPreference" /t REG_DWORD /d "3" /f
  - [PID 3588] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\EditionOverrides" /v "UserSetting_DisableStartupSound" /t REG_DWORD /d "1" /f
  - [PID 896] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Input\Settings" /v "EnableHwkbTextPrediction" /t REG_DWORD /d "0" /f
  - [PID 4880] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Input\Settings" /v "InsightsEnabled" /t REG_DWORD /d "0" /f
  - [PID 3776] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Input\Settings" /v "MultilingualEnabled" /t REG_DWORD /d "0" /f
  - [PID 2076] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableAutocorrection" /t REG_DWORD /d "0" /f
  - [PID 1824] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\TabletTip\1.7" /v "EnableSpellchecking" /t REG_DWORD /d "0" /f
  - [PID 2944] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
  - [PID 2324] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
  - [PID 1668] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
  - [PID 4792] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
  - [PID 3752] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Input" /v "IsInputAppPreloadEnabled" /t REG_DWORD /d "0" /f
  - [PID 4408] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Input\Settings" /v "VoiceTypingEnabled" /t REG_DWORD /d "0" /f
    Signatures: System Network Configuration Discovery: Internet Connection Discovery
  - [PID 3660] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
  - [PID 2088] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "RestartApps" /t REG_DWORD /d "0" /f
  - [PID 4964] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "AicEnabled" /t REG_SZ /d "Anywhere" /f
  - [PID 912] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f
  - [PID 4796] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CDP" /v "RomeSdkChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f
  - [PID 2508] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f2⤵PID:716
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f2⤵PID:972
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "SmoothScroll" /t REG_DWORD /d "0" /f2⤵PID:3528
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v "MouseTrails" /t REG_SZ /d "0" /f2⤵PID:3376
-
C:\Windows\system32\reg.exereg add "HKLM\Microsoft\Windows\CurrentVersion\DeviceSetup" /v "CostedNetworkPolicy" /t REG_DWORD /d "0" /f2⤵PID:4756
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Mobility" /v "OptedIn" /t REG_DWORD /d "0" /f2⤵PID:832
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:2840
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:2172
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:2824
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:3020
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "EchoCancellationEnabled" /t REG_DWORD /d "0" /f2⤵PID:4996
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:2416
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureOnBatteryAllowed" /t REG_DWORD /d "0" /f2⤵PID:3516
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureOnWirelessDisplayAllowed" /t REG_DWORD /d "0" /f2⤵PID:2808
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f2⤵PID:2760
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f2⤵PID:1612
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f2⤵PID:1876
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f2⤵PID:3024
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1888
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2028
-
C:\Windows\system32\sc.exesc config XblAuthManager start= disabled2⤵
- Launches sc.exe
PID:1616 -
C:\Windows\system32\sc.exesc config XblGameSave start= disabled2⤵
- Launches sc.exe
PID:1736 -
C:\Windows\system32\sc.exesc config XboxGipSvc start= disabled2⤵
- Launches sc.exe
PID:3164 -
C:\Windows\system32\sc.exesc config XboxNetApiSvc start= disabled2⤵
- Launches sc.exe
PID:5016 -
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable2⤵PID:5080
-
C:\Windows\system32\takeown.exetakeown /s RPHBTALT /u Admin /f "C:\Windows\System32\GameBarPresenceWriter.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1964 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\GameBarPresenceWriter.exe" /inheritance:r /grant:r Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3160 -
C:\Windows\system32\taskkill.exetaskkill /im GameBarPresenceWriter.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:480 -
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f2⤵PID:1532
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "62" /f2⤵PID:1536
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "126" /f2⤵PID:1240
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "26" /f2⤵PID:5108
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "58" /f2⤵PID:4524
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f2⤵PID:3372
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "LockScreenAutoLockActive" /t REG_SZ /d "0" /f2⤵PID:244
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Lock Screen" /v "SlideshowEnabled" /t REG_DWORD /d "0" /f2⤵PID:4388
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d "0" /f2⤵PID:2204
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f2⤵PID:4624
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f2⤵PID:4568
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableAcrylicBackgroundOnLogon" /t REG_DWORD /d "1" /f2⤵PID:3188
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d "0" /f2⤵PID:1420
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d "0" /f2⤵PID:3112
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAl" /t REG_DWORD /d "0" /f2⤵PID:3348
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d "0" /f2⤵PID:488
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\PolicyManager\default\NewsAndInterests\AllowNewsAndInterests" /v "value" /t REG_DWORD /d "0" /f2⤵PID:4604
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f2⤵PID:2940
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarFlashing" /t REG_DWORD /d "0" /f2⤵PID:3032
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f2⤵PID:5004
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSn" /t REG_DWORD /d "0" /f2⤵PID:3500
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarSd" /t REG_DWORD /d "0" /f2⤵PID:4132
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "0" /f2⤵PID:3060
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "EnableAutoTray" /t REG_DWORD /d "0" /f2⤵PID:4272
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f2⤵PID:3428
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Windows Search" /v "CortanaConsent" /t REG_DWORD /d "0" /f2⤵PID:1516
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d "1" /f2⤵PID:1932
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableSearch" /t REG_DWORD /d "1" /f2⤵PID:396
-
C:\Windows\system32\takeown.exetakeown /s RPHBTALT /u Admin /f "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4556 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" /inheritance:r /grant:r Admin:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5028 -
C:\Windows\system32\taskkill.exetaskkill /im SearchHost.exe /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:780 -
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:560
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.AccountsControl_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1624
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3380
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2180
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userAccountInformation" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2852
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1088
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3404
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2176
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appointments" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2208
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2184
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCallHistory" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1072
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4984
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1260
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1880
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\contacts" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3912
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3116
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\documentsLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1436
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\downloadsFolder" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2096
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\downloadsFolder" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4892
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3548
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\email" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:896
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4880
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\broadFileSystemAccess" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3776
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2076
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f2⤵PID:1824
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵PID:2944
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f2⤵PID:2324
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f2⤵PID:1668
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f2⤵PID:4792
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f2⤵PID:3752
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4408
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1832
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2088
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\chat" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4964
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1188
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:912
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\musicLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2508
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\musicLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:716
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:972
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3528
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!chrome-extension://kkpalkknhlklpbflpcpkepmmbnmfailf/" /v "ShowInActionCenter" /t REG_DWORD /d "0" /f2⤵PID:3376
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!chrome-extension://kkpalkknhlklpbflpcpkepmmbnmfailf/" /v "Rank" /t REG_DWORD /d "1" /f2⤵PID:1180
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v "ShowInActionCenter" /t REG_DWORD /d "0" /f2⤵PID:2292
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v "Rank" /t REG_DWORD /d "1" /f2⤵PID:5100
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f2⤵
- Modifies Windows Defender notification settings
PID:1776 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f2⤵PID:1912
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:4936
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.StartupApp" /v "Enabled" /t REG_DWORD /d "1" /f2⤵PID:4804
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\bluetoothSync" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4948
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2728
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\phoneCall" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1224
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1904
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\picturesLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1204
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f2⤵PID:1852
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2040
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\radios" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1244
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureWithoutBorder" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:2396
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureWithoutBorder" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4776
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureWithoutBorder" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3324
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureProgrammatic" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:788
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureProgrammatic" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4756
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\graphicsCaptureProgrammatic\NonPackaged" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:5080
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsAADCloudSearchEnabled" /t REG_DWORD /d "0" /f2⤵PID:5076
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsDeviceSearchHistoryEnabled" /t REG_DWORD /d "0" /f2⤵PID:1964
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "IsMSACloudSearchEnabled" /t REG_DWORD /d "0" /f2⤵PID:3084
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SearchSettings" /v "SafeSearchMode" /t REG_DWORD /d "0" /f2⤵PID:4900
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:324
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userDataTasks" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1536
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1240
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\videosLibrary" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:5108
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationEnabled" /t REG_DWORD /d "0" /f2⤵PID:4524
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps" /v "AgentActivationOnLockScreenEnabled" /t REG_DWORD /d "0" /f2⤵PID:3372
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f2⤵PID:244
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SystemRestore\SR" /Disable2⤵PID:4388
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f2⤵PID:2204
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowFullControl" /t REG_DWORD /d "0" /f2⤵PID:4624
-
C:\Windows\system32\sc.exesc config RemoteRegistry start= disabled2⤵
- Launches sc.exe
PID:4568 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" /v "AllowRemoteShellAccess" /t REG_DWORD /d "0" /f2⤵PID:4332
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f2⤵PID:1700
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicited" /t REG_DWORD /d "0" /f2⤵PID:3052
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fAllowUnsolicitedFullControl" /t REG_DWORD /d "0" /f2⤵PID:3136
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "fDenyTSConnections" /t REG_DWORD /d "1" /f2⤵PID:1028
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSAppCompat" /t REG_DWORD /d "0" /f2⤵PID:4676
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSEnabled" /t REG_DWORD /d "0" /f2⤵PID:1656
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services" /v "TSUserEnabled" /t REG_DWORD /d "0" /f2⤵PID:2648
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowClipboardHistory" /t REG_DWORD /d "0" /f2⤵PID:5004
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "AllowCrossDeviceClipboard" /t REG_DWORD /d "0" /f2⤵PID:3448
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\SmartActionPlatform\SmartClipboard" /v "Disabled" /t REG_DWORD /d "1" /f2⤵PID:4132
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DITest" /t REG_DWORD /d "0" /f2⤵PID:2552
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableSnapAssistFlyout" /t REG_DWORD /d "0" /f2⤵PID:1052
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableSnapBar" /t REG_DWORD /d "0" /f2⤵PID:1740
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableTaskGroups" /t REG_DWORD /d "0" /f2⤵PID:3652
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f2⤵PID:4352
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f2⤵PID:3332
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f2⤵PID:1308
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d "0" /f2⤵PID:4136
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "AlwaysOn" /t REG_DWORD /d "1" /f2⤵PID:4156
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NoLazyMode" /t REG_DWORD /d "1" /f2⤵PID:4504
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f2⤵PID:4036
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f2⤵PID:4708
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "2710" /f2⤵PID:4028
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f2⤵PID:3948
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f2⤵PID:3696
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f2⤵PID:1748
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f2⤵PID:444
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f2⤵PID:3176
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f2⤵PID:2372
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "False" /f2⤵PID:108
-
C:\Windows\system32\reg.exe (tree level 2, PID:3464)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "2710" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2000)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\system32\reg.exe (tree level 2, PID:4104)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f
C:\Windows\system32\reg.exe (tree level 2, PID:3304)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2184)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\system32\reg.exe (tree level 2, PID:1152)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Latency Sensitive" /t REG_SZ /d "True" /f
C:\Windows\system32\reg.exe (tree level 2, PID:1880)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (tree level 2, PID:3912)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\system32\reg.exe (tree level 2, PID:3116)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "2710" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2436)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\system32\reg.exe (tree level 2, PID:4628)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "6" /f
C:\Windows\system32\reg.exe (tree level 2, PID:1672)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2836)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\system32\reg.exe (tree level 2, PID:4916)
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Latency Sensitive" /t REG_SZ /d "True" /f
C:\Windows\system32\reg.exe (tree level 2, PID:4292)
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (tree level 2, PID:4560)
  reg add "HKCU\SOFTWARE\Microsoft\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (tree level 2, PID:3064)
  reg add "HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Gaming.GameBar.PresenceServer.Internal.PresenceWriter" /v "ActivationType" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2168)
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Dsh" /v "IsPrelaunchEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\takeown.exe (tree level 2, PID:240)
  takeown /s RPHBTALT /u Admin /f "C:\Program Files (x86)\Microsoft\Edge"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\takeown.exe (tree level 2, PID:1744)
  takeown /s RPHBTALT /u Admin /f "C:\Program Files (x86)\Microsoft\EdgeCore"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\takeown.exe (tree level 2, PID:2376)
  takeown /s RPHBTALT /u Admin /f "C:\Program Files (x86)\Microsoft\EdgeUpdate"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\takeown.exe (tree level 2, PID:2072)
  takeown /s RPHBTALT /u Admin /f "C:\Program Files (x86)\Microsoft\EdgeWebView"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (tree level 2, PID:2600)
  icacls "C:\Program Files (x86)\Microsoft\Edge" /grant:r Admin:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (tree level 2, PID:2276)
  icacls "C:\Program Files (x86)\Microsoft\EdgeCore" /grant:r Admin:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (tree level 2, PID:2308)
  icacls "C:\Program Files (x86)\Microsoft\EdgeUpdate" /grant:r Admin:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (tree level 2, PID:1836)
  icacls "C:\Program Files (x86)\Microsoft\EdgeWebView" /grant:r Admin:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\taskkill.exe (tree level 2, PID:2580)
  taskkill /im MicrosoftEdgeUpdate.exe /f
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskkill.exe (tree level 2, PID:1036)
  taskkill /im EdgeUpdate.exe /f
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\takeown.exe (tree level 2, PID:1176)
  takeown /s RPHBTALT /u Admin /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\icacls.exe (tree level 2, PID:3528)
  icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant:r Admin:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\taskkill.exe (tree level 2, PID:3376)
  taskkill /im msedge.exe /f
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\reg.exe (tree level 2, PID:1172)
  reg add "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorUpdateInterval" /t REG_DWORD /d "1" /f
C:\Windows\system32\powercfg.exe (tree level 2, PID:4536)
  powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\powercfg.exe (tree level 2, PID:1776)
  powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\powercfg.exe (tree level 2, PID:4736)
  powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\reg.exe (tree level 2, PID:3020)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2416)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolQuota" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (tree level 2, PID:1996)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "NonPagedPoolSize" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2808)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolQuota" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (tree level 2, PID:2760)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagedPoolSize" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe (tree level 2, PID:1612)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionPoolSize" /t REG_DWORD /d "48" /f
C:\Windows\system32\reg.exe (tree level 2, PID:1876)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SessionViewSize" /t REG_DWORD /d "96" /f
C:\Windows\system32\reg.exe (tree level 2, PID:4548)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PoolUsageMaximum" /t REG_DWORD /d "40" /f
C:\Windows\system32\reg.exe (tree level 2, PID:1900)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PhysicalAddressExtension" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe (tree level 2, PID:3988)
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SystemPages" /t REG_DWORD /d "0" /f
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (tree level 1, PID:788)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CopyTrace.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
- LSASS Driver (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
- Power Settings (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Access Token Manipulation (1)
- Create Process with Token (1)
- Boot or Logon Autostart Execution (1)
- LSASS Driver (1)
- Create or Modify System Process (2)
- Windows Service (2)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Access Token Manipulation (1)
- Create Process with Token (1)
- File and Directory Permissions Modification (2)
- Windows File and Directory Permissions Modification (1)
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Hijack Execution Flow (1)
- Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
- Disable or Modify Tools (2)
- Modify Registry (4)