Analysis
max time kernel: 92s
max time network: 92s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/11/2024, 21:35

Static task: static1
Behavioral task: behavioral1
  Sample: ET-Optimizer.exe
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
  Sample: ET-Optimizer.exe
  Resource: win11-20241007-en
General
Target: ET-Optimizer.exe
Size: 906KB
MD5: 91e413bbe9eaa4ff71314a1d9ddee1c3
SHA1: 23b1ecef9abdf288bc3c94e2bac8eaca1050646b
SHA256: 123e7b087bbf51c4101e5b0ab032e86cddaa24cbb7d9fb001ff579025a1748e1
SHA512: 32cfd676fb7a8081aaad3dcfdac8a9cfda2bc626b0c27264c6f8da8147d1f36102e5763dc23138e7f99dc765250e10cac6865f1747d9abdedfe08ae25bad924c
SSDEEP: 3072:xqE/vJf/bcOK+si9h9u2DjgFS+CvU5x+R2EInDkMwY9JlvUKb+z2wInDkMwooJ:xqkJnbS0+CEx+R2EmwY9JlHb+z2wmwJ
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | reg.exe
Modifies boot configuration data using bcdedit 5 IoCs
pid Process
3440 bcdedit.exe
4592 bcdedit.exe
2728 bcdedit.exe
2040 bcdedit.exe
1740 bcdedit.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | ie4uinit.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0" | ie4uinit.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | ie4uinit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | ie4uinit.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | ie4uinit.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" | reg.exe
Executes dropped EXE 3 IoCs
pid Process
480 dismhost.exe
3716 dismhost.exe
4872 dismhost.exe
Loads dropped DLL 15 IoCs
pid Process (repeated entries collapsed, count in parentheses)
480 dismhost.exe (x5)
3716 dismhost.exe (x5)
4872 dismhost.exe (x5)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
pid Process
4144 powershell.exe
4796 powershell.exe
4780 powershell.exe
3048 powershell.exe
1748 powershell.exe
4992 powershell.exe
2472 powershell.exe
4588 powershell.exe
1092 powershell.exe
4780 powershell.exe
Enumerates connected drives 3 TTPs 49 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Indicator Removal: Clear Persistence 1 TTPs 1 IoCs
Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.
pid Process 1188 cmd.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Modifies Security services 2 TTPs 8 IoCs
Modifies the startup behavior of a security service.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | reg.exe
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process
2072 cmd.exe
1896 powercfg.exe
2840 cmd.exe
3528 cmd.exe
4288 powercfg.exe
3788 cmd.exe
3752 powercfg.exe
2356 powercfg.exe
1188 cmd.exe
972 powercfg.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | cleanmgr.exe
File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | cleanmgr.exe
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\DISM\dism.log | powershell.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | cleanmgr.exe
File opened for modification | C:\Windows\Logs\DISM\dism.log | dismhost.exe
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid Process 4432 powershell.exe -
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 4996 sc.exe 3060 sc.exe 1740 sc.exe 3380 sc.exe 3828 sc.exe 1176 sc.exe 1060 sc.exe 5072 sc.exe 3716 sc.exe 2328 sc.exe 4936 sc.exe 1092 sc.exe 2176 sc.exe 1736 sc.exe 2120 sc.exe 4796 sc.exe 1532 sc.exe 1992 sc.exe 796 sc.exe 1568 sc.exe 2276 sc.exe 4172 sc.exe 2952 sc.exe 3020 sc.exe 3348 sc.exe 2716 sc.exe 560 sc.exe 4068 sc.exe 1692 sc.exe 4592 sc.exe 3872 sc.exe 2628 sc.exe 1616 sc.exe 980 sc.exe 3452 sc.exe 3152 sc.exe 132 sc.exe 3916 sc.exe 1692 sc.exe 1852 sc.exe 3524 sc.exe 2360 sc.exe 3452 sc.exe 1240 sc.exe 3484 sc.exe 1184 sc.exe 4788 sc.exe 3448 sc.exe 5016 sc.exe 1624 sc.exe 4872 sc.exe 4684 sc.exe 4524 sc.exe 3692 sc.exe 3300 sc.exe 4676 sc.exe 3104 sc.exe 4624 sc.exe 3112 sc.exe 3396 sc.exe 1748 sc.exe 3980 sc.exe 4924 sc.exe 3776 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 39 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities | ie4uinit.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" | ie4uinit.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Main | ie4uinit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | ie4uinit.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | ie4uinit.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" | ie4uinit.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 29 IoCs
description | ioc | Process (repeated entries collapsed, count in parentheses)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | reg.exe (x2)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software | reg.exe (x2)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows | reg.exe (x2)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | reg.exe (x2)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | reg.exe (x2)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | reg.exe (x2)
Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394\DisplayName = "windows_ie_ac_001" | ie4uinit.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | reg.exe (x2)
Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes\ShowSearchSuggestionsGlobal = "0" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft | reg.exe (x2)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | reg.exe (x2)
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0" | reg.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
4084 | reg.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count (identical consecutive rows collapsed)
4144 | powershell.exe | 2
4424 | ET-Optimizer.exe | 14
3048 | powershell.exe | 2
4424 | ET-Optimizer.exe | 12
1748 | powershell.exe | 2
4796 | powershell.exe | 2
4780 | powershell.exe | 2
4992 | powershell.exe | 2
2472 | powershell.exe | 3
4588 | powershell.exe | 2
4432 | powershell.exe | 3
1092 | powershell.exe | 2
1092 | taskmgr.exe | 16
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4424 | ET-Optimizer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid | Process | description (tokens listed per process, in report order)
4144 | powershell.exe | Token: SeDebugPrivilege
3752 | powercfg.exe | Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
2356 | powercfg.exe | Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
972 | powercfg.exe | Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
1896 | powercfg.exe | Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
4288 | powercfg.exe | Token: SeShutdownPrivilege, SeCreatePagefilePrivilege
3048 | powershell.exe | Token: SeDebugPrivilege
1748 | powershell.exe | Token: SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeRestorePrivilege
4796 | powershell.exe | Token: SeDebugPrivilege
4780 | powershell.exe | Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
4992 | powershell.exe | Token: SeDebugPrivilege
2472 | powershell.exe | Token: SeDebugPrivilege
4588 | powershell.exe | Token: SeDebugPrivilege
4432 | powershell.exe | Token: SeDebugPrivilege
1092 | powershell.exe | Token: SeDebugPrivilege
1488 | AUDIODG.EXE | Token: 33, SeIncBasePriorityPrivilege
1092 | taskmgr.exe | Token: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
2512 | SearchIndexer.exe | Token: 33, SeIncBasePriorityPrivilege, SeTakeOwnershipPrivilege
3436 | cleanmgr.exe | Token: SeManageVolumePrivilege (11 identical rows)
Suspicious use of FindShellTrayWindow 45 IoCs
pid | Process | count (identical rows collapsed)
1092 | taskmgr.exe | 45
Suspicious use of SendNotifyMessage 45 IoCs
pid | Process | count (identical rows collapsed)
1092 | taskmgr.exe | 45
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count (identical consecutive rows collapsed)
PID 4424 wrote to memory of 4144 | 4424 | ET-Optimizer.exe | 80 | 2
PID 4144 wrote to memory of 1624 | 4144 | powershell.exe | 83 | 2
PID 4424 wrote to memory of 2852 | 4424 | ET-Optimizer.exe | 84 | 2
PID 4424 wrote to memory of 2400 | 4424 | ET-Optimizer.exe | 86 | 2
PID 2400 wrote to memory of 3440 | 2400 | cmd.exe | 88 | 2
PID 4424 wrote to memory of 976 | 4424 | ET-Optimizer.exe | 89 | 2
PID 976 wrote to memory of 4592 | 976 | cmd.exe | 91 | 2
PID 4424 wrote to memory of 4916 | 4424 | ET-Optimizer.exe | 94 | 2
PID 4916 wrote to memory of 2168 | 4916 | cmd.exe | 96 | 2
PID 4424 wrote to memory of 3788 | 4424 | ET-Optimizer.exe | 97 | 2
PID 3788 wrote to memory of 3752 | 3788 | cmd.exe | 99 | 2
PID 4424 wrote to memory of 2072 | 4424 | ET-Optimizer.exe | 100 | 2
PID 2072 wrote to memory of 2356 | 2072 | cmd.exe | 102 | 2
PID 4424 wrote to memory of 1188 | 4424 | ET-Optimizer.exe | 103 | 2
PID 1188 wrote to memory of 972 | 1188 | cmd.exe | 105 | 2
PID 4424 wrote to memory of 3528 | 4424 | ET-Optimizer.exe | 106 | 2
PID 3528 wrote to memory of 1896 | 3528 | cmd.exe | 108 | 2
PID 4424 wrote to memory of 2840 | 4424 | ET-Optimizer.exe | 109 | 2
PID 2840 wrote to memory of 4288 | 2840 | cmd.exe | 111 | 2
PID 4424 wrote to memory of 4996 | 4424 | ET-Optimizer.exe | 112 | 2
PID 4996 wrote to memory of 2728 | 4996 | cmd.exe | 114 | 2
PID 4424 wrote to memory of 4100 | 4424 | ET-Optimizer.exe | 115 | 2
PID 4100 wrote to memory of 2040 | 4100 | cmd.exe | 117 | 2
PID 4424 wrote to memory of 5104 | 4424 | ET-Optimizer.exe | 118 | 2
PID 5104 wrote to memory of 1736 | 5104 | cmd.exe | 120 | 2
PID 5104 wrote to memory of 3164 | 5104 | cmd.exe | 121 | 2
PID 4424 wrote to memory of 5016 | 4424 | ET-Optimizer.exe | 122 | 2
PID 5016 wrote to memory of 3560 | 5016 | cmd.exe | 124 | 2
PID 4424 wrote to memory of 796 | 4424 | ET-Optimizer.exe | 125 | 2
PID 796 wrote to memory of 4872 | 796 | cmd.exe | 127 | 2
PID 796 wrote to memory of 4924 | 796 | cmd.exe | 128 | 2
PID 4424 wrote to memory of 3372 | 4424 | ET-Optimizer.exe | 129 | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Child processes are indented under their parent.
Image: C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID: 4424
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ProcessorType=Get-WMIObject win32_Processor | select Name | findstr /c:AMD /c:Intel; $ProcessorType = $ProcessorType.Replace('(R)','').Replace('(TM)','') > CPUL.txt
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4144
    Image: C:\Windows\system32\findstr.exe
      Command line: "C:\Windows\system32\findstr.exe" /c:AMD /c:Intel
      PID: 1624
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C del /f /q CPUL.txt
    PID: 2852
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
    - Suspicious use of WriteProcessMemory
    PID: 2400
    Image: C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /deletevalue {current} safeboot
      - Modifies boot configuration data using bcdedit
      PID: 3440
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
    - Suspicious use of WriteProcessMemory
    PID: 976
    Image: C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /deletevalue {current} safeboot
      - Modifies boot configuration data using bcdedit
      PID: 4592
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    PID: 4916
    Image: C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f
      PID: 2168
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C powercfg -setactive scheme_min
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID: 3788
    Image: C:\Windows\system32\powercfg.exe
      Command line: powercfg -setactive scheme_min
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 3752
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C powercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb61
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID: 2072
    Image: C:\Windows\system32\powercfg.exe
      Command line: powercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb61
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 2356
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C powercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID: 1188
    Image: C:\Windows\system32\powercfg.exe
      Command line: powercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 972
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-ac 0
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID: 3528
    Image: C:\Windows\system32\powercfg.exe
      Command line: powercfg /X standby-timeout-ac 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 1896
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-dc 0
    - Power Settings
    - Suspicious use of WriteProcessMemory
    PID: 2840
    Image: C:\Windows\system32\powercfg.exe
      Command line: powercfg /X standby-timeout-dc 0
      - Power Settings
      - Suspicious use of AdjustPrivilegeToken
      PID: 4288
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set timeout 3
    - Suspicious use of WriteProcessMemory
    PID: 4996
    Image: C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set timeout 3
      - Modifies boot configuration data using bcdedit
      PID: 2728
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /timeout 3
    - Suspicious use of WriteProcessMemory
    PID: 4100
    Image: C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /timeout 3
      - Modifies boot configuration data using bcdedit
      PID: 2040
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f && reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f
    - Suspicious use of WriteProcessMemory
    PID: 5104
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
      PID: 1736
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f
      PID: 3164
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
    - Suspicious use of WriteProcessMemory
    PID: 5016
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
      PID: 3560
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory
    PID: 796
    Image: C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f
      PID: 4872
    Image: C:\Windows\system32\reg.exe
      Command line: REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
      PID: 4924
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f
    PID: 3372
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f
      PID: 4524
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
    PID: 4688
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
      PID: 2644
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
    PID: 772
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
      PID: 3104
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
    PID: 2552
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
      PID: 1184
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
    PID: 2864
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
      PID: 5096
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    PID: 4132
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f
      - Modifies registry class
      PID: 3060
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f
      - Modifies registry class
      PID: 4712
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f
      - Modifies registry class
      PID: 5040
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
      - Modifies registry class
      PID: 2176
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f
    PID: 3804
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f
      PID: 4684
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
    PID: 4544
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
      PID: 2732
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
      PID: 2184
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
      PID: 1104
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
      PID: 4992
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {current} numproc %NUMBER_OF_PROCESSORS%
    PID: 692
    Image: C:\Windows\system32\bcdedit.exe
      Command line: bcdedit /set {current} numproc 2
      - Modifies boot configuration data using bcdedit
      PID: 1740
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-WmiObject win32_Processor | findstr /r "Intel" > NOLPi.txt
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3048
    Image: C:\Windows\system32\findstr.exe
      Command line: "C:\Windows\system32\findstr.exe" /r Intel
      PID: 4732
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f
    PID: 4936
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f
      PID: 3668
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
      PID: 2416
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f
      PID: 2760
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
      PID: 2808
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
      PID: 3516
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
      PID: 1480
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f
      PID: 4548
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C del /f /q NOLPi.txt && del /f /q NOLP.txt
    PID: 2700
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f
    PID: 4776
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f
      PID: 3164
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
    PID: 4084
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
      PID: 3160
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
    PID: 3148
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
      PID: 800
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
    PID: 1532
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
      PID: 3336
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f
    PID: 3372
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f
      PID: 1068
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
    PID: 2388
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
    PID: 2924
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
      PID: 2108
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f
      PID: 4472
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f
      PID: 1420
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
      PID: 488
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f
      PID: 3112
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f
      PID: 1700
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f
      PID: 2864
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f
      PID: 1624
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
      PID: 3060
  Image: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f
    PID: 4712
    Image: C:\Windows\system32\reg.exe
      Command line: reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f
      PID: 536
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command disable-windowsoptionalfeature -online -featureName Printing-XPSServices-Features -NoRestart; disable-windowsoptionalfeature -online -featureName Xps-Foundation-Xps-Viewer -NoRestart
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1748
    Image: C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\dismhost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\dismhost.exe {4AE7A26C-493F-430D-B1B5-59DC743EAA80}
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      PID: 480
    Image: C:\Users\Admin\AppData\Local\Temp\1FE0D12B-5E96-4860-844D-E2F11A6CB56D\dismhost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\1FE0D12B-5E96-4860-844D-E2F11A6CB56D\dismhost.exe {712A0B27-990D-48AD-A3CF-5FEDFE86708E}
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      PID: 3716
  Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-ProcessMitigation -System -Disable CFG
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4796
[2] PID 1888 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop DiagTrack
    [3] PID 3020 | C:\Windows\system32\sc.exe | sc stop DiagTrack
        - Launches sc.exe

[2] PID 1908 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config DiagTrack start= disabled
    [3] PID 3300 | C:\Windows\system32\sc.exe | sc config DiagTrack start= disabled
        - Launches sc.exe

[2] PID 3904 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop diagnosticshub.standardcollector.service
    [3] PID 3452 | C:\Windows\system32\sc.exe | sc stop diagnosticshub.standardcollector.service
        - Launches sc.exe

[2] PID 656 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config diagnosticshub.standardcollector.service start= disabled
    [3] PID 3152 | C:\Windows\system32\sc.exe | sc config diagnosticshub.standardcollector.service start= disabled
        - Launches sc.exe

[2] PID 324 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop dmwappushservice
    [3] PID 1532 | C:\Windows\system32\sc.exe | sc stop dmwappushservice
        - Launches sc.exe

[2] PID 1068 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config dmwappushservice start= disabled
    [3] PID 4676 | C:\Windows\system32\sc.exe | sc config dmwappushservice start= disabled
        - Launches sc.exe

[2] PID 3444 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop RemoteRegistry
    [3] PID 3104 | C:\Windows\system32\sc.exe | sc stop RemoteRegistry
        - Launches sc.exe

[2] PID 3372 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config RemoteRegistry start= disabled
    [3] PID 4924 | C:\Windows\system32\sc.exe | sc config RemoteRegistry start= disabled
        - Launches sc.exe

[2] PID 3028 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop RemoteAccess
    [3] PID 3348 | C:\Windows\system32\sc.exe | sc stop RemoteAccess
        - Launches sc.exe

[2] PID 800 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config RemoteAccess start= disabled
    [3] PID 2360 | C:\Windows\system32\sc.exe | sc config RemoteAccess start= disabled
        - Launches sc.exe

[2] PID 3128 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop SCardSvr
    [3] PID 3112 | C:\Windows\system32\sc.exe | sc stop SCardSvr
        - Launches sc.exe

[2] PID 3144 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config SCardSvr start= disabled
    [3] PID 3828 | C:\Windows\system32\sc.exe | sc config SCardSvr start= disabled
        - Launches sc.exe

[2] PID 3404 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop SCPolicySvc
    [3] PID 132 | C:\Windows\system32\sc.exe | sc stop SCPolicySvc
        - Launches sc.exe

[2] PID 2628 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config SCPolicySvc start= disabled
    [3] PID 4592 | C:\Windows\system32\sc.exe | sc config SCPolicySvc start= disabled
        - Launches sc.exe

[2] PID 1740 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop fax
    [3] PID 3916 | C:\Windows\system32\sc.exe | sc stop fax
        - Launches sc.exe

[2] PID 3660 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config fax start= disabled
    [3] PID 2328 | C:\Windows\system32\sc.exe | sc config fax start= disabled
        - Launches sc.exe

[2] PID 752 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop WerSvc
    [3] PID 2716 | C:\Windows\system32\sc.exe | sc stop WerSvc
        - Launches sc.exe

[2] PID 1248 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config WerSvc start= disabled
    [3] PID 1692 | C:\Windows\system32\sc.exe | sc config WerSvc start= disabled
        - Launches sc.exe

[2] PID 1744 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop NvTelemetryContainer
    [3] PID 3396 | C:\Windows\system32\sc.exe | sc stop NvTelemetryContainer
        - Launches sc.exe

[2] PID 1060 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config NvTelemetryContainer start= disabled
    [3] PID 4684 | C:\Windows\system32\sc.exe | sc config NvTelemetryContainer start= disabled
        - Launches sc.exe

[2] PID 3220 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop gadjservice
    [3] PID 560 | C:\Windows\system32\sc.exe | sc stop gadjservice
        - Launches sc.exe

[2] PID 3048 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config gadjservice start= disabled
    [3] PID 4996 | C:\Windows\system32\sc.exe | sc config gadjservice start= disabled
        - Launches sc.exe

[2] PID 1612 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop AdobeARMservice
    [3] PID 4936 | C:\Windows\system32\sc.exe | sc stop AdobeARMservice
        - Launches sc.exe

[2] PID 1776 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config AdobeARMservice start= disabled
    [3] PID 1852 | C:\Windows\system32\sc.exe | sc config AdobeARMservice start= disabled
        - Launches sc.exe

[2] PID 1488 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop PSI_SVC_2
    [3] PID 3452 | C:\Windows\system32\sc.exe | sc stop PSI_SVC_2
        - Launches sc.exe

[2] PID 3988 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config PSI_SVC_2 start= disabled
    [3] PID 1240 | C:\Windows\system32\sc.exe | sc config PSI_SVC_2 start= disabled
        - Launches sc.exe

[2] PID 5016 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop lfsvc
    [3] PID 3872 | C:\Windows\system32\sc.exe | sc stop lfsvc
        - Launches sc.exe

[2] PID 2724 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config lfsvc start= disabled
    [3] PID 4524 | C:\Windows\system32\sc.exe | sc config lfsvc start= disabled
        - Launches sc.exe

[2] PID 3308 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop WalletService
    [3] PID 1992 | C:\Windows\system32\sc.exe | sc stop WalletService
        - Launches sc.exe

[2] PID 4940 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config WalletService start= disabled
    [3] PID 3776 | C:\Windows\system32\sc.exe | sc config WalletService start= disabled
        - Launches sc.exe

[2] PID 3268 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop RetailDemo
    [3] PID 796 | C:\Windows\system32\sc.exe | sc stop RetailDemo
        - Launches sc.exe

[2] PID 1980 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config RetailDemo start= disabled
    [3] PID 1568 | C:\Windows\system32\sc.exe | sc config RetailDemo start= disabled
        - Launches sc.exe

[2] PID 2180 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop SEMgrSvc
    [3] PID 1092 | C:\Windows\system32\sc.exe | sc stop SEMgrSvc
        - Launches sc.exe

[2] PID 968 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config SEMgrSvc start= disabled
    [3] PID 3448 | C:\Windows\system32\sc.exe | sc config SEMgrSvc start= disabled
        - Launches sc.exe

[2] PID 1432 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop diagsvc
    [3] PID 1624 | C:\Windows\system32\sc.exe | sc stop diagsvc
        - Launches sc.exe

[2] PID 5072 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config diagsvc start= disabled
    [3] PID 2176 | C:\Windows\system32\sc.exe | sc config diagsvc start= disabled
        - Launches sc.exe

[2] PID 3692 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop AJRouter
    [3] PID 2628 | C:\Windows\system32\sc.exe | sc stop AJRouter
        - Launches sc.exe

[2] PID 1104 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config AJRouter start= disabled
    [3] PID 980 | C:\Windows\system32\sc.exe | sc config AJRouter start= disabled
        - Launches sc.exe

[2] PID 1740 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop amdfendr
    [3] PID 2276 | C:\Windows\system32\sc.exe | sc stop amdfendr
        - Launches sc.exe

[2] PID 2600 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config amdfendr start= disabled
    [3] PID 4068 | C:\Windows\system32\sc.exe | sc config amdfendr start= disabled
        - Launches sc.exe

[2] PID 2964 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc stop amdfendrmgr
    [3] PID 4172 | C:\Windows\system32\sc.exe | sc stop amdfendrmgr
        - Launches sc.exe

[2] PID 1676 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config amdfendrmgr start= disabled
    [3] PID 1176 | C:\Windows\system32\sc.exe | sc config amdfendrmgr start= disabled
        - Launches sc.exe

[2] PID 2092 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config BITS start= demand
    [3] PID 1060 | C:\Windows\system32\sc.exe | sc config BITS start= demand
        - Launches sc.exe

[2] PID 4992 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config SamSs start= demand
    [3] PID 1748 | C:\Windows\system32\sc.exe | sc config SamSs start= demand
        - Launches sc.exe

[2] PID 4804 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config TapiSrv start= demand
    [3] PID 2952 | C:\Windows\system32\sc.exe | sc config TapiSrv start= demand
        - Launches sc.exe

[2] PID 4736 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config seclogon start= demand
    [3] PID 4796 | C:\Windows\system32\sc.exe | sc config seclogon start= demand
        - Launches sc.exe

[2] PID 1612 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config wuauserv start= demand
    [3] PID 3980 | C:\Windows\system32\sc.exe | sc config wuauserv start= demand
        - Launches sc.exe

[2] PID 3516 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config PhoneSvc start= demand
    [3] PID 1616 | C:\Windows\system32\sc.exe | sc config PhoneSvc start= demand
        - Launches sc.exe

[2] PID 1244 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config lmhosts start= demand
    [3] PID 1736 | C:\Windows\system32\sc.exe | sc config lmhosts start= demand
        - Launches sc.exe

[2] PID 3164 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config iphlpsvc start= demand
    [3] PID 5016 | C:\Windows\system32\sc.exe | sc config iphlpsvc start= demand
        - Launches sc.exe

[2] PID 3084 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config gupdate start= demand
    [3] PID 4872 | C:\Windows\system32\sc.exe | sc config gupdate start= demand
        - Launches sc.exe

[2] PID 1628 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config gupdatem start= demand
    [3] PID 4624 | C:\Windows\system32\sc.exe | sc config gupdatem start= demand
        - Launches sc.exe

[2] PID 4196 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config edgeupdate start= demand
    [3] PID 3484 | C:\Windows\system32\sc.exe | sc config edgeupdate start= demand
        - Launches sc.exe

[2] PID 3444 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config edgeupdatem start= demand
    [3] PID 1184 | C:\Windows\system32\sc.exe | sc config edgeupdatem start= demand
        - Launches sc.exe

[2] PID 1420 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config MapsBroker start= demand
    [3] PID 3380 | C:\Windows\system32\sc.exe | sc config MapsBroker start= demand
        - Launches sc.exe

[2] PID 5116 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config PnkBstrA start= demand
    [3] PID 2120 | C:\Windows\system32\sc.exe | sc config PnkBstrA start= demand
        - Launches sc.exe

[2] PID 2360 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config brave start= demand
    [3] PID 3716 | C:\Windows\system32\sc.exe | sc config brave start= demand
        - Launches sc.exe

[2] PID 1700 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config bravem start= demand
    [3] PID 3060 | C:\Windows\system32\sc.exe | sc config bravem start= demand
        - Launches sc.exe

[2] PID 3632 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config asus start= demand
    [3] PID 5072 | C:\Windows\system32\sc.exe | sc config asus start= demand
        - Launches sc.exe

[2] PID 3480 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config asusm start= demand
    [3] PID 3692 | C:\Windows\system32\sc.exe | sc config asusm start= demand
        - Launches sc.exe

[2] PID 5052 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config adobeupdateservice start= demand
    [3] PID 4788 | C:\Windows\system32\sc.exe | sc config adobeupdateservice start= demand
        - Launches sc.exe

[2] PID 4728 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config adobeflashplayerupdatesvc start= demand
    [3] PID 1740 | C:\Windows\system32\sc.exe | sc config adobeflashplayerupdatesvc start= demand
        - Launches sc.exe

[2] PID 3408 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config WSearch start= demand
    [3] PID 3524 | C:\Windows\system32\sc.exe | sc config WSearch start= demand
        - Launches sc.exe

[2] PID 4732 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C sc config CCleanerPerformanceOptimizerService start= demand
    [3] PID 1692 | C:\Windows\system32\sc.exe | sc config CCleanerPerformanceOptimizerService start= demand
        - Launches sc.exe

[2] PID 1188 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable && schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable && schtasks /Change /TN "Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvent" /Disable && schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable && schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable && schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable && schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable && schtasks /Change /TN "NIUpdateServiceStartupTask" /Disable && schtasks /Change /TN "CCleaner Update" /Disable && schtasks /Change /TN "CCleanerCrashReportings" /Disable && schtasks /Change /TN "CCleanerSkipUAC - $env:username" /Disable && schtasks /Change /TN "updater" /Disable && schtasks /Change /TN "Adobe Acrobat Update Task" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable && schtasks /Change /TN "MiniToolPartitionWizard" /Disable && schtasks /Change /TN "AMDLinkUpdate" /Disable && schtasks /Change /TN "Microsoft\Office\Office Automatic Updates 2.0" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates Logon" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineCore" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineUA" /Disable && schtasks /DELETE /TN "AMDInstallLauncher" /f && schtasks /DELETE /TN "AMDLinkUpdate" /f && schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f && schtasks /DELETE /TN "DUpdaterTask" /f && schtasks /DELETE /TN "ModifyLinkUpdate" /f
    - Indicator Removal: Clear Persistence
    [3] PID 3396 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable

[2] PID 4640 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C del /q %temp%\NVIDIA Corporation\NV_Cache\* && del /q %programdata%\NVIDIA Corporation\NV_Cache\*

[2] PID 4792 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f && REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v PreventHandwritingErrorReports /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowDeviceNameInTelemetry /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v HideRecentlyAddedApps /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v NoActiveHelp /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\StorageTelemetry" /v DeviceDumpEnabled /t REG_DWORD /d 0 /f && && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\17.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && sc stop VSStandardCollectorService150 && sc config VSStandardCollectorService150 start= disabled && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && cmd /c taskkill /f /im ccleaner.exe && cmd /c taskkill /f /im ccleaner64.exe && reg add "HKCU\Software\Piriform\CCleaner" /v "HomeScreen" /t REG_SZ /d 2 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f

[2] PID 4992 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C setx POWERSHELL_TELEMETRY_OPTOUT 1
    [3] PID 4956 | C:\Windows\system32\setx.exe | setx POWERSHELL_TELEMETRY_OPTOUT 1

[2] PID 4804 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\Tracing\WPPMedia" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\WPPMedia" /f
    [3] PID 5100 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f
    [3] PID 2824 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f
    [3] PID 3316 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f
    [3] PID 2532 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\Tracing\WPPMedia" /f
    [3] PID 3980 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\WPPMedia" /f

[2] PID 2820 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
    [3] PID 2028 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f

[2] PID 3452 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
    [3] PID 4084 | C:\Windows\system32\reg.exe | reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
        - Modifies registry key

[2] PID 3156 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
    [3] PID 5056 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
    [3] PID 1532 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f
    [3] PID 3900 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
    [3] PID 1008 | C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f

[2] PID 464 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
    [3] PID 4004 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
    [3] PID 324 | C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f

[2] PID 3796 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f
    [3] PID 4940 | C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f

[2] PID 4196 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f
    [3] PID 3268 | C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f

[2] PID 772 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
    [3] PID 4056 | C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f

[2] PID 2860 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
    [3] PID 5116 | C:\Windows\system32\reg.exe | reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f

[2] PID 4588 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
    [3] PID 3804 | C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
    [3] PID 3448 | C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f

[2] PID 1624 | C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f && REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f && REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
    [3] PID 3404 | C:\Windows\system32\reg.exe | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f
    [3] PID 1028 | C:\Windows\system32\reg.exe | REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f
    [3] PID 3692 | C:\Windows\system32\reg.exe | REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
    [3] PID 4572 | C:\Windows\system32\reg.exe | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f
    [3] PID 2512 | C:\Windows\system32\reg.exe | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
    [3] PID 4712 | C:\Windows\system32\reg.exe | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:4344
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:4560
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:4016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f2⤵PID:2432
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f3⤵PID:3044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f2⤵PID:4068
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f3⤵PID:2716
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value $ram -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f2⤵PID:2760
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f3⤵PID:4996
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f3⤵PID:4656
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage *XboxGamingOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxGameOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /q "%temp%\NVIDIA Corporation\NV_Cache\*" && del /q "%programdata%\NVIDIA Corporation\NV_Cache\*"2⤵PID:3184
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /s /f /q "%userprofile%\Recent\*.*"2⤵PID:1488
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command erase /f /s /q "%systemdrive%\Windows\SoftwareDistribution\*.*"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Windows\SoftwareDistribution"2⤵PID:3144
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Microsoft\Windows\WebCache /F /Q /S2⤵PID:1532
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\logs /F /Q /S2⤵PID:3872
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\webcache /F /Q /S2⤵PID:2996
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %appdata%\Microsoft\Teams\Cache /F /Q /S2⤵PID:2260
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Yarn\Cache /F /Q /S2⤵PID:2108
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem.Out /F /Q /S2⤵PID:248
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem /F /Q /S2⤵PID:3312
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSRemoteControl /F /Q /S2⤵PID:2180
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackVSRTCLogs /F /Q /S2⤵PID:396
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackPerfWatsonData /F /Q /S2⤵PID:3632
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFaultInfo /F /Q /S2⤵PID:4544
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:1644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %ProgramData%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:3440
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:3424
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %AppData%stelemetry2⤵PID:2168
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del /S /F /Q %windir%\Prefetch2⤵PID:3408
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C %WinDir%\SysNative\ie4uinit.exe -show2⤵PID:1036
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C %WinDir%\System32\ie4uinit.exe -show2⤵PID:4088
-
C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -show3⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies Internet Explorer settings
- Modifies registry class
PID:2544
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\IconCache.db /F /Q /S2⤵PID:2376
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\Explorer\iconcache_*.db" /F /Q /S2⤵PID:4656
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q2⤵PID:2000
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q2⤵PID:4780
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\.jrs" /F /Q2⤵PID:2824
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.log" /F /Q2⤵PID:3064
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.chk" /F /Q2⤵PID:1888
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\DISM" /F /Q2⤵PID:3652
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs" /F /Q2⤵PID:3776
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\ScreenOn\*.etl" /F /Q2⤵PID:1876
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\*.etl" /F /Q2⤵PID:228
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\ScreenOn\*.etl" /F /Q2⤵PID:3148
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\*.etl" /F /Q2⤵PID:3332
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\LogFiles\HTTPERR\*.*" /F /Q2⤵PID:2388
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\WindowsBackup\*.etl" /F /Q2⤵PID:1260
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q2⤵PID:464
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q2⤵PID:4104
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\PerfLogs\System\Diagnostics\*.*" /F /Q2⤵PID:4676
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\debug\WIA\*.log" /F /Q2⤵PID:3916
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:396
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.app.log" /F /Q2⤵PID:4692
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4544
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.offline.log" /F /Q2⤵PID:132
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FontCache3.0.0.02⤵PID:2600
-
C:\Windows\system32\net.exenet stop FontCache3.0.0.03⤵PID:4756
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FontCache3.0.0.04⤵PID:4608
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FontCache2⤵PID:4728
-
C:\Windows\system32\net.exenet stop FontCache3⤵PID:344
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FontCache4⤵PID:3304
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\LocalService\AppData\Local\FontCache\*.dat" /F /Q /S2⤵PID:5080
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\FNTCACHE.DAT" /F /Q /S2⤵PID:2920
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\FNTCACHE.DAT" /F /Q /S2⤵PID:4172
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net start FontCache2⤵PID:1748
-
C:\Windows\system32\net.exenet start FontCache3⤵PID:1904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FontCache4⤵PID:2376
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net start FontCache3.0.0.02⤵PID:1544
-
C:\Windows\system32\net.exenet start FontCache3.0.0.03⤵PID:2148
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FontCache3.0.0.04⤵PID:3708
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagwrn.xml" /F /Q2⤵PID:2760
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagerr.xml" /F /Q2⤵PID:2000
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\repair\setup.log" /F /Q2⤵PID:3316
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\DDACLSys.log" /F /Q2⤵PID:2416
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\cbs.log" /F /Q2⤵PID:4924
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\WebCache\*.log" /F /Q2⤵PID:1008
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\*.log" /F /Q2⤵PID:3484
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.log" /F /Q2⤵PID:3516
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DPX\*.log" /F /Q2⤵PID:1040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.lo_" /F /Q2⤵PID:4628
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3148
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q2⤵PID:1092
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\APPLOG\*.*" /F /Q2⤵PID:3052
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log.txt" /F /Q2⤵PID:384
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DISM\*.log" /F /Q2⤵PID:3524
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\setuplog.txt" /F /Q2⤵PID:464
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\OEWABLog.txt" /F /Q2⤵PID:2184
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q2⤵PID:3424
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.bak" /F /Q2⤵PID:2276
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.log" /F /Q2⤵PID:980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.bak" /F /Q2⤵PID:4756
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\*.log" /F /Q2⤵PID:4332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2600
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.log" /F /Q2⤵PID:536
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.old" /F /Q2⤵PID:1992
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log" /F /Q2⤵PID:4120
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SchedLgU.txt" /F /Q2⤵PID:2336
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Directx.log" /F /Q2⤵PID:3176
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\*.log" /F /Q2⤵PID:2376
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C start cleanmgr.exe /sagerun:52⤵PID:4876
-
C:\Windows\system32\cleanmgr.execleanmgr.exe /sagerun:53⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3436 -
C:\Users\Admin\AppData\Local\Temp\ABC988B9-03A2-415B-BC53-A2796D39566A\dismhost.exeC:\Users\Admin\AppData\Local\Temp\ABC988B9-03A2-415B-BC53-A2796D39566A\dismhost.exe {A38FEE0F-21ED-4667-B3C3-07144464A379}4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:4872
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:2808
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f3⤵PID:3316
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f3⤵PID:3652
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:228
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3144
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3480
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3524
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2632
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:404
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2364
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3440
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:344
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:3220
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2276
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:4252
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3088
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:4984
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:2184
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:4732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3156
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4756
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1060
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1624
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4192
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4736
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)2⤵PID:3980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f2⤵PID:1996
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:3168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f2⤵PID:3692
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f3⤵PID:3940
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:5004
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f3⤵PID:1028
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f2⤵PID:3052
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f3⤵PID:4680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f2⤵PID:4728
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4628
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f3⤵PID:3872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:244
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵PID:5104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f2⤵PID:3372
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f3⤵PID:5100
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f2⤵PID:2756
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3524
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f3⤵PID:3748
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:2860
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f3⤵PID:4900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:2040
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:108
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:4784
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:5052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:3220
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:1676
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:4132
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4252
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:3432
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:5088
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:2308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:4600
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:3752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:3160
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:3104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:3324
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:4768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:2508
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:1260
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:3716
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:3652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f2⤵PID:4656
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:4592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:2176
-
    C:\Windows\system32\reg.exe (PID 3620, depth 3)
      Command line: reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  C:\Windows\System32\cmd.exe (PID 1520, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    C:\Windows\system32\reg.exe (PID 3312, depth 3)
      Command line: reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\System32\cmd.exe (PID 3828, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    C:\Windows\system32\reg.exe (PID 4680, depth 3)
      Command line: reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\System32\cmd.exe (PID 1092, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    C:\Windows\System32\Conhost.exe (PID 3052, depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\reg.exe (PID 2916, depth 3)
      Command line: reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  C:\Windows\System32\cmd.exe (PID 3044, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe (PID 3144, depth 3)
      Command line: reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies Security services
  C:\Windows\System32\cmd.exe (PID 3536, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\system32\reg.exe (PID 5100, depth 3)
      Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies Security services
  C:\Windows\System32\cmd.exe (PID 3048, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\System32\Conhost.exe (PID 3372, depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\reg.exe (PID 3480, depth 3)
      Command line: reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies Security services
  C:\Windows\System32\cmd.exe (PID 4676, depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    C:\Windows\System32\Conhost.exe (PID 2756, depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Windows\system32\reg.exe (PID 4720, depth 3)
      Command line: reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies security service
C:\Windows\system32\wbem\WmiApSrv.exe (PID 2964, depth 1)
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (PID 1888, depth 1)
  Command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\AUDIODG.EXE (PID 1488, depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004F4 0x00000000000004F8
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskmgr.exe (PID 1092, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\system32\SearchIndexer.exe (PID 2512, depth 1)
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\SearchProtocolHost.exe (PID 1336, depth 2)
    Command line: "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
  C:\Windows\system32\SearchFilterHost.exe (PID 3296, depth 2)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 828 2684 2612 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
    - Modifies data under HKEY_USERS
  C:\Windows\system32\SearchFilterHost.exe (PID 3156, depth 2)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 828 2760 2756 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
- Power Settings (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Active Setup (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Hide Artifacts (1)
  - Ignore Process Interrupts (1)
- Impair Defenses (2)
- Indicator Removal (2)
  - Clear Persistence (1)
  - File Deletion (1)
- Modify Registry (5)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads