Analysis
max time kernel: 93s
max time network: 65s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 07/11/2024, 21:35
Static task: static1
Behavioral task: behavioral1
  Sample: ET-Optimizer.exe
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
  Sample: ET-Optimizer.exe
  Resource: win11-20241007-en
General
Target: ET-Optimizer.exe
Size: 906KB
MD5: 91e413bbe9eaa4ff71314a1d9ddee1c3
SHA1: 23b1ecef9abdf288bc3c94e2bac8eaca1050646b
SHA256: 123e7b087bbf51c4101e5b0ab032e86cddaa24cbb7d9fb001ff579025a1748e1
SHA512: 32cfd676fb7a8081aaad3dcfdac8a9cfda2bc626b0c27264c6f8da8147d1f36102e5763dc23138e7f99dc765250e10cac6865f1747d9abdedfe08ae25bad924c
SSDEEP: 3072:xqE/vJf/bcOK+si9h9u2DjgFS+CvU5x+R2EInDkMwY9JlvUKb+z2wInDkMwooJ:xqkJnbS0+CEx+R2EmwY9JlHb+z2wmwJ
Malware Config

Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | reg.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | ie4uinit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,4474,19041,0" | ie4uinit.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | ie4uinit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | ie4uinit.exe
Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | ie4uinit.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | ET-Optimizer.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (1 IoC)
pid | process
5588 | dismhost.exe
Loads dropped DLL (5 IoCs)
pid | process
5588 | dismhost.exe
5588 | dismhost.exe
5588 | dismhost.exe
5588 | dismhost.exe
5588 | dismhost.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
pid | process
252 | powershell.exe
3012 | powershell.exe
5108 | powershell.exe
2000 | powershell.exe
5108 | powershell.exe
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\F: | cleanmgr.exe
Indicator Removal: Clear Persistence (1 TTP, 1 IoC)
Clear artifacts associated with previously established persistence, like scheduled tasks, on a host.
pid | process
2868 | cmd.exe
Indicator Removal: File Deletion (1 TTP)
Adversaries may delete files left behind by the actions of their intrusion activity.
Modifies boot configuration data using bcdedit (2 IoCs)
pid | process
3944 | bcdedit.exe
4012 | bcdedit.exe
Drops file in System32 directory (4 IoCs)
description | ioc | process
File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | cleanmgr.exe
Drops file in Windows directory (7 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.EDB | cmd.exe
File opened for modification | C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.JFM | cmd.exe
File opened for modification | C:\Windows\SoftwareDistribution\DATAST~1\Logs\edb.log | cmd.exe
File opened for modification | C:\Windows\SoftwareDistribution\REPORT~1.LOG | cmd.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | cleanmgr.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 39 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities | ie4uinit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" | ie4uinit.exe
Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | ie4uinit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" | ie4uinit.exe
Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Main | ie4uinit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "12" | ie4uinit.exe
Modifies registry class (64 IoCs)
Modifies registry key (1 TTP, 1 IoC)
pid | process
3156 | reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3968 | ET-Optimizer.exe
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe"
  PID: 3968
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ProcessorType=Get-WMIObject win32_Processor | select Name | findstr /c:AMD /c:Intel; $ProcessorType = $ProcessorType.Replace('(R)','').Replace('(TM)','') > CPUL.txt
    PID: 2000
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\findstr.exe
      command line: "C:\Windows\system32\findstr.exe" /c:AMD /c:Intel
      PID: 4108

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C del /f /q CPUL.txt
    PID: 2504

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
    PID: 2596
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /deletevalue {current} safeboot
      PID: 3944
      - Modifies boot configuration data using bcdedit

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
    PID: 4988
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /deletevalue {current} safeboot
      PID: 4012
      - Modifies boot configuration data using bcdedit

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable && schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable && schtasks /Change /TN "Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvent" /Disable && schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable && schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable && schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable && schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable && schtasks /Change /TN "NIUpdateServiceStartupTask" /Disable && schtasks /Change /TN "CCleaner Update" /Disable && schtasks /Change /TN "CCleanerCrashReportings" /Disable && schtasks /Change /TN "CCleanerSkipUAC - $env:username" /Disable && schtasks /Change /TN "updater" /Disable && schtasks /Change /TN "Adobe Acrobat Update Task" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable && schtasks /Change /TN "MiniToolPartitionWizard" /Disable && schtasks /Change /TN "AMDLinkUpdate" /Disable && schtasks /Change /TN "Microsoft\Office\Office Automatic Updates 2.0" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates Logon" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineCore" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineUA" /Disable && schtasks /DELETE /TN "AMDInstallLauncher" /f && schtasks /DELETE /TN "AMDLinkUpdate" /f && schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f && schtasks /DELETE /TN "DUpdaterTask" /f && schtasks /DELETE /TN "ModifyLinkUpdate" /f
    PID: 2868
    - Indicator Removal: Clear Persistence
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      command line: schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
      PID: 3972

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C del /q %temp%\NVIDIA Corporation\NV_Cache\* && del /q %programdata%\NVIDIA Corporation\NV_Cache\*
    PID: 1956

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f && REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v PreventHandwritingErrorReports /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowDeviceNameInTelemetry /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v HideRecentlyAddedApps /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v NoActiveHelp /t REG_DWORD /d 1 /f && REG ADD 
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\StorageTelemetry" /v DeviceDumpEnabled /t REG_DWORD /d 0 /f && && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f && reg add 
"HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\17.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t 
REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && sc stop VSStandardCollectorService150 && sc config VSStandardCollectorService150 start= disabled && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_SZ /d 0 /f && reg add 
"HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && cmd /c taskkill /f /im ccleaner.exe && cmd /c taskkill /f /im ccleaner64.exe && reg add "HKCU\Software\Piriform\CCleaner" /v "HomeScreen" /t REG_SZ /d 2 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f2⤵PID:3828
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C setx POWERSHELL_TELEMETRY_OPTOUT 12⤵
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\system32\setx.exesetx POWERSHELL_TELEMETRY_OPTOUT 13⤵PID:4552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\Tracing\WPPMedia" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\WPPMedia" /f2⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f3⤵PID:3352
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f3⤵PID:4928
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f3⤵PID:4572
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\Tracing\WPPMedia" /f3⤵PID:752
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\WPPMedia" /f3⤵PID:4412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f2⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f3⤵PID:2516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f3⤵
- Modifies registry key
PID:3156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f2⤵
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f3⤵PID:1692
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f3⤵PID:2664
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f3⤵PID:1196
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f3⤵PID:1204
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f3⤵PID:1700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f3⤵PID:5060
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f3⤵PID:632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f2⤵PID:2408
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f3⤵PID:640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f2⤵PID:3344
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f3⤵PID:4004
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f2⤵PID:4480
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f3⤵PID:788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f2⤵PID:3944
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f3⤵PID:3808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵PID:4640
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:3368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f2⤵PID:3972
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f3⤵PID:4604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f2⤵PID:648
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f3⤵PID:3384
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f2⤵PID:2160
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f3⤵PID:4412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f2⤵PID:1464
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f3⤵
- Modifies visibility of file extensions in Explorer
PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f2⤵PID:2732
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f3⤵PID:788
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f3⤵PID:4764
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f && REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f && REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f2⤵PID:828
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f3⤵PID:4012
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f3⤵PID:3920
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f3⤵PID:5068
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:1444
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:2768
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:1180
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:1100
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:4604
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:1480
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f2⤵PID:3972
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f3⤵PID:5060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f2⤵PID:2996
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f3⤵PID:4928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f2⤵PID:2160
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f3⤵PID:4224
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value $ram -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5108
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f2⤵PID:1508
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f3⤵PID:1032
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f3⤵PID:3808
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage *XboxGamingOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxGameOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:252
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /q "%temp%\NVIDIA Corporation\NV_Cache\*" && del /q "%programdata%\NVIDIA Corporation\NV_Cache\*"2⤵PID:4004
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /s /f /q "%userprofile%\Recent\*.*"2⤵PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command erase /f /s /q "%systemdrive%\Windows\SoftwareDistribution\*.*"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Windows\SoftwareDistribution"2⤵
- Drops file in Windows directory
PID:4640
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Microsoft\Windows\WebCache /F /Q /S2⤵PID:2732
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\logs /F /Q /S2⤵PID:4812
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\webcache /F /Q /S2⤵PID:1924
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %appdata%\Microsoft\Teams\Cache /F /Q /S2⤵PID:3808
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Yarn\Cache /F /Q /S2⤵PID:2996
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem.Out /F /Q /S2⤵PID:3972
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem /F /Q /S2⤵PID:4644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSRemoteControl /F /Q /S2⤵PID:1700
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackVSRTCLogs /F /Q /S2⤵PID:3344
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackPerfWatsonData /F /Q /S2⤵PID:2064
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFaultInfo /F /Q /S2⤵PID:4588
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:252
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %ProgramData%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:1464
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:2868
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %AppData%stelemetry2⤵PID:4852
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del /S /F /Q %windir%\Prefetch2⤵PID:3352
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C %WinDir%\SysNative\ie4uinit.exe -show2⤵PID:3960
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C %WinDir%\System32\ie4uinit.exe -show2⤵PID:5336
-
C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -show3⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies Internet Explorer settings
- Modifies registry class
PID:5380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\IconCache.db /F /Q /S2⤵PID:5428
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\Explorer\iconcache_*.db" /F /Q /S2⤵PID:5480
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q2⤵PID:5504
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q2⤵PID:5604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\.jrs" /F /Q2⤵PID:5704
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.log" /F /Q2⤵PID:5712
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.chk" /F /Q2⤵PID:5768
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\DISM" /F /Q2⤵PID:5784
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs" /F /Q2⤵PID:5792
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\ScreenOn\*.etl" /F /Q2⤵PID:5808
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\*.etl" /F /Q2⤵PID:5860
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\ScreenOn\*.etl" /F /Q2⤵PID:5956
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\*.etl" /F /Q2⤵PID:5964
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\LogFiles\HTTPERR\*.*" /F /Q2⤵PID:5976
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\WindowsBackup\*.etl" /F /Q2⤵PID:6060
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q2⤵PID:764
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q2⤵PID:4812
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\PerfLogs\System\Diagnostics\*.*" /F /Q2⤵PID:4728
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\debug\WIA\*.log" /F /Q2⤵PID:5136
-
-
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.app.log" /F /Q | PID 4644
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.offline.log" /F /Q | PID 3944
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FontCache3.0.0.0 | PID 2436
  [depth 3] C:\Windows\system32\net.exe | net stop FontCache3.0.0.0 | PID 2868
    [depth 4] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FontCache3.0.0.0 | PID 1704
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net stop FontCache | PID 2732
  [depth 3] C:\Windows\system32\net.exe | net stop FontCache | PID 5208
    [depth 4] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop FontCache | PID 5172
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\LocalService\AppData\Local\FontCache\*.dat" /F /Q /S | PID 5196
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\FNTCACHE.DAT" /F /Q /S | PID 4136
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\FNTCACHE.DAT" /F /Q /S | PID 752
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net start FontCache | PID 3828
  [depth 3] C:\Windows\system32\net.exe | net start FontCache | PID 5356
    [depth 4] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 start FontCache | PID 5360
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C net start FontCache3.0.0.0 | PID 5444
  [depth 3] C:\Windows\system32\net.exe | net start FontCache3.0.0.0 | PID 5840
    [depth 4] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 start FontCache3.0.0.0 | PID 5888
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagwrn.xml" /F /Q | PID 5468
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagerr.xml" /F /Q | PID 3924
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\repair\setup.log" /F /Q | PID 5600
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\DDACLSys.log" /F /Q | PID 5484
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\cbs.log" /F /Q | PID 5548
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\WebCache\*.log" /F /Q | PID 5632
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\*.log" /F /Q | PID 5744
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.log" /F /Q | PID 5896
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DPX\*.log" /F /Q | PID 5728
  [depth 3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5860
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.lo_" /F /Q | PID 5980
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q | PID 2192
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\APPLOG\*.*" /F /Q | PID 6128
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log.txt" /F /Q | PID 6052
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DISM\*.log" /F /Q | PID 5852
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\setuplog.txt" /F /Q | PID 6060
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\OEWABLog.txt" /F /Q | PID 5168
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q | PID 5688
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.bak" /F /Q | PID 4812
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.log" /F /Q | PID 2064
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.bak" /F /Q | PID 5268
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\*.log" /F /Q | PID 1032
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.log" /F /Q | PID 5160
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.old" /F /Q | PID 5288
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log" /F /Q | PID 5272
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SchedLgU.txt" /F /Q | PID 2732
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Directx.log" /F /Q | PID 4612
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\*.log" /F /Q | PID 788
[depth 2] C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C start cleanmgr.exe /sagerun:5 | PID 2436
  [depth 3] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 5196
  [depth 3] C:\Windows\system32\cleanmgr.exe | cleanmgr.exe /sagerun:5 | PID 5452
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    [depth 4] C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\dismhost.exe | C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\dismhost.exe {14C4CB58-F164-4DE7-A822-D5B22054DFFD} | PID 5588
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe | PID 3828
[depth 1] C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /7 | PID 1644
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
[depth 1] C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | PID 5772
[depth 1] C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x308 0x488 | PID 3392
  - Suspicious use of AdjustPrivilegeToken
[depth 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding | PID 2768
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Indicator Removal (2)
  - Clear Persistence (1)
  - File Deletion (1)
- Modify Registry (4)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads