Analysis
  max time kernel: 281s
  max time network: 272s
  platform: windows11-21h2_x64
  resource: win11-20241007-en
  resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 08-11-2024 08:56
  Static task: static1
  Behavioral task: behavioral1
  Sample: Oneclick-V6.7.bat
  Resource: win11-20241007-en

General
  Target: Oneclick-V6.7.bat
  Size: 202KB
  MD5: 4acd7d1e7294d4ab4e9db8977d5135e4
  SHA1: 07c5474fcd09ff5843df3f776d665dcf0eef4284
  SHA256: b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
  SHA512: d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
  SSDEEP: 1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

Malware Config
Signatures
Modifies security service (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | OOSU10.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | reg.exe

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | reg.exe

Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Processes (pid | process), 64 entries:
  powershell.exe: 3816, 4816, 5052, 2516, 4356, 2148, 2404, 336, 3452, 1240, 3264, 4808, 3548, 3844, 5064, 3944, 1200, 3044, 3556, 1780, 768, 4756, 4732, 4360, 4588, 4664, 4868, 4800, 3640, 868, 3640, 2516, 5048, 2920, 1700, 4576, 3592, 2628, 4236, 3116
  (no process name recorded): 4800, 5492, 1368, 1132, 776, 900, 3748, 2092, 1200, 1772, 3720, 4644, 996, 5908, 5748, 2920, 5936, 2836, 5148, 4732, 3888, 5536, 5200, 5356

Downloads MZ/PE file

Possible privilege escalation attempt (21 IoCs)
Processes (pid | process):
  icacls.exe: 704, 5064, 3780, 3088, 848, 1912, 2320, 5052, 3004, 2724, 4848
  takeown.exe: 4856, 2652, 2156, 4756, 1200, 4628, 4008, 4584, 2764, 1236

Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (6 IoCs)
Processes (pid | process):
  408 | OOSU10.exe
  2264 | NSudoLG.exe
  4272 | NSudoLG.exe
  3004 | OpenShellSetup_4_4_191.exe
  4060 | StartMenu.exe
  6084 | (no process name recorded)

Loads dropped DLL (7 IoCs)
Processes (pid | process):
  3080 | MsiExec.exe
  4784 | MsiExec.exe
  3404 | MsiExec.exe
  4488 | MsiExec.exe
  4060 | StartMenu.exe
  252 | explorer.exe
  5308 | (no process name recorded)

Modifies file permissions (1 TTPs, 21 IoCs)
Processes (pid | process):
  takeown.exe: 2156, 4856, 4756, 4584, 2652, 1200, 2764, 1236, 4008, 4628
  icacls.exe: 1912, 5064, 2320, 2724, 704, 3004, 848, 3780, 3088, 5052, 4848

Modifies system executable filetype association (2 TTPs, 10 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | MsiExec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | MsiExec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | MsiExec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | MsiExec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | MsiExec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | MsiExec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | MsiExec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | MsiExec.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | MsiExec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | MsiExec.exe

Adds Run key to start application (2 TTPs, 11 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | reg.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\yjdn8r | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun" | msiexec.exe
  Key deleted | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console" | (no process name recorded)

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process), grouped by process, drive letters in report order:
  File opened (read-only) | \??\F:, \??\D: | explorer.exe
  File opened (read-only) | \??\P:, \??\R:, \??\Q:, \??\S:, \??\Z:, \??\H:, \??\J:, \??\T:, \??\S:, \??\B:, \??\L:, \??\M:, \??\U:, \??\W:, \??\K:, \??\O:, \??\P:, \??\G:, \??\W:, \??\Z:, \??\N:, \??\R:, \??\U:, \??\Y:, \??\A:, \??\T:, \??\I:, \??\N:, \??\O:, \??\V:, \??\E:, \??\I:, \??\B:, \??\Q:, \??\E:, \??\G:, \??\H:, \??\J:, \??\K:, \??\X:, \??\A:, \??\V:, \??\Y:, \??\L:, \??\M:, \??\X: | msiexec.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.

Installs/modifies Browser Helper Object (2 TTPs, 2 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} | MsiExec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} | MsiExec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 7 IoCs)
Network (flow | ioc):
  1 | raw.githubusercontent.com
  9 | raw.githubusercontent.com
  18 | drive.google.com
  22 | drive.google.com
  40 | raw.githubusercontent.com
  64 | raw.githubusercontent.com
  65 | drive.google.com

Power Settings (1 TTPs, 24 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes (pid | process):
  powercfg.exe: 3068
  (no process name recorded): 4520, 5352, 1664, 3976, 2332, 5596, 5148, 2404, 5416, 1872, 3760, 5044, 3376, 4280, 468, 5504, 3272, 5648, 2680, 5348, 1684, 5544, 5600

Drops file in System32 directory (11 IoCs)
Processes (description | ioc | process):
  File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{cebc7bee-657a-4db8-a2c6-3ab5ebb24c84}\snapshot.etl | svchost.exe
  File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | svchost.exe
  File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3973800497-2716210218-310192997-1000_StartupInfo3.xml | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRU.chk | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | svchost.exe
  File created | C:\Windows\SysWOW64\StartMenuHelper32.dll | msiexec.exe
  File created | C:\Windows\system32\StartMenuHelper64.dll | msiexec.exe
  File opened for modification | C:\Windows\system32\SRU\SRU.log | svchost.exe
  File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | svchost.exe
  File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{cebc7bee-657a-4db8-a2c6-3ab5ebb24c84}\snapshot.etl | svchost.exe
  File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3973800497-2716210218-310192997-1000_UserData.bin | svchost.exe

Drops file in Program Files directory (41 IoCs)
Processes (description | ioc | process):
  File created | C:\Program Files\Open-Shell\ClassicExplorer32.dll | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Immersive.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\PolicyDefinitions.zip | msiexec.exe
  File created | C:\Program Files\Open-Shell\StartMenuHelperL10N.ini | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Windows 8.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\ClassicExplorer64.dll | msiexec.exe
  File created | C:\Program Files\Open-Shell\~tart Screen.tmp | msiexec.exe
  File created | C:\Program Files\Open-Shell\ClassicExplorerSettings.exe | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Windows Aero.skin7 | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Windows Basic.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\Start Screen.lnk~RFe59f052.TMP | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Full Glass.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Metallic.skin7 | msiexec.exe
  File created | C:\Program Files\Open-Shell\Update.exe | msiexec.exe
  File created | C:\Program Files\Open-Shell\~tart Menu Settings.tmp | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Immersive.skin7 | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Smoked Glass.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\StartMenuL10N.ini | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Windows 8.skin7 | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Windows Aero.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\StartMenu.exe | msiexec.exe
  File created | C:\Program Files\Open-Shell\StartMenuDLL.dll | msiexec.exe
  File opened for modification | C:\Program Files\Open-Shell\Start Menu Settings.lnk | msiexec.exe
  File created | C:\Program Files\Open-Shell\DesktopToasts.dll | msiexec.exe
  File created | C:\Program Files\Open-Shell\Start Screen.lnk~RFe59f071.TMP | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Classic Skin.skin7 | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\Start Screen.lnk~RFe59f042.TMP | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Classic Skin.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\OpenShell.chm | msiexec.exe
  File created | C:\Program Files\Open-Shell\Start Menu Settings.lnk | msiexec.exe
  File opened for modification | C:\Program Files\Open-Shell\~tart Menu Settings.tmp | msiexec.exe
  File created | C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe59f003.TMP | msiexec.exe
  File created | C:\Program Files\Open-Shell\Start Screen.lnk | msiexec.exe
  File opened for modification | C:\Program Files\Open-Shell\Start Screen.lnk | msiexec.exe
  File opened for modification | C:\Program Files\Open-Shell\~tart Screen.tmp | msiexec.exe
  File created | C:\Program Files\Open-Shell\ExplorerL10N.ini | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Metro.skin | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Metro.skin7 | msiexec.exe
  File created | C:\Program Files\Open-Shell\Skins\Midnight.skin7 | msiexec.exe
  File created | C:\Program Files\Open-Shell\OpenShellReadme.rtf | msiexec.exe

Drops file in Windows directory (19 IoCs)
Processes (description | ioc | process):
  File created | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe | msiexec.exe
  File opened for modification | C:\Windows\SystemTemp | (no process name recorded)
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File created | C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7} | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEC98.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe | msiexec.exe
  File created | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF0AF171C30DC5C693.TMP | msiexec.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File created | C:\Windows\Installer\e59eb81.msi | msiexec.exe
  File created | C:\Windows\SystemTemp\~DF39E8DDB67F44872E.TMP | msiexec.exe
  File created | C:\Windows\Installer\e59eb7f.msi | msiexec.exe
  File created | C:\Windows\SystemTemp\~DFC782BDA269CEE238.TMP | msiexec.exe
  File created | C:\Windows\SystemTemp\~DFDEDD39FA4B2901B1.TMP | msiexec.exe
  File opened for modification | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico | msiexec.exe
  File opened for modification | C:\Windows\Installer\e59eb7f.msi | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe

Hide Artifacts: Ignore Process Interrupts (1 TTPs, 3 IoCs)
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Processes (pid | process):
  powershell.exe: 4184, 1364, 2340

Launches sc.exe (64 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes (pid | process):
  sc.exe: 1500, 604, 1700, 3096, 844, 1740, 8, 2660, 1564, 3828, 4972, 4704, 5056, 3124, 2992, 1952, 3964, 1344, 4552, 488, 3628, 4052, 1448, 4852, 4336, 2664, 4816, 2392, 2820, 2660, 3536, 4664, 1084, 4388, 2888, 3380, 2840, 2976, 2720, 4284, 1560, 4196, 3804, 4144, 1188, 4000, 3400, 3060, 1808, 4512, 4408, 1188, 3952, 2056, 4056, 4900, 2668, 4416, 3456, 4660, 4144, 2228, 3804, 2060

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | (no process name recorded)
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OpenShellSetup_4_4_191.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe

Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process). Every ioc below is a key under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\; the rows give the path relative to that prefix:
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | (no process name recorded)
  Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | explorer.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | explorer.exe
  Key created | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | (no process name recorded)
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | (no process name recorded)
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | (no process name recorded)
  Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | explorer.exe
  Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | explorer.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
  Set value (data) | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | (no process name recorded)
  Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | (no process name recorded)
  Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
  Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | explorer.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe

Delays execution with timeout.exe (64 IoCs)
Processes (pid | process):
  timeout.exe: 1216, 2324, 4464, 3160, 2664, 4652, 2680, 3084, 4624, 3740, 2764, 3736, 1564, 1092, 1780, 2124, 2536, 1220, 2764, 2352, 4716, 808, 4388, 4776, 648, 1564, 2132, 3948, 3756, 4940, 5112, 2032, 1944, 808, 3452, 2972, 3040, 996, 4428, 5080, 4600, 408, 4884, 3500, 812, 1464, 4704, 244, 2840, 5044, 1000, 4036, 3580
  (no process name recorded): 5284, 3116, 5828, 5392, 5736, 3096, 3500, 5200, 6004, 4552, 4304

Disables Windows logging functionality (2 TTPs)
Changes registry settings to disable Windows Event logging.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | (no process name recorded)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | (no process name recorded)
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | (no process name recorded)

Kills process with taskkill 13 IoCs
Processes (pid process):
taskkill.exe: 4824, 2652, 4772, 2092, 1972, 4248, 3808, 4540
PID recorded without an image name: 5816, 5688, 5704, 5592, 5624 -
Modifies Control Panel 1 IoCs
Processes (description ioc process):
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" OOSU10.exe -
Processes (description ioc process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar MsiExec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} MsiExec.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100001003500000001000000010700005e010000060000000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b7913855d5a02645be18d3ce461d6310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar MsiExec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} MsiExec.exe
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar
The ITBar7Layout blob contains the byte sequence b7913855d5a02645be18d3ce461d6310, which is {553891B7-A0D5-4526-BE18-D3CE461D6310} in on-disk GUID byte order (first three fields little-endian); that is the CLSID MsiExec.exe registers under "Modifies registry class" below as ClassicExplorer.ExplorerBand, i.e. the Open-Shell Explorer toolbar band being added to the Explorer toolbar layout. -
Modifies data under HKEY_USERS 7 IoCs
Processes (description ioc process):
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755299663177873"
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard reg.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" reg.exe -
Modifies registry class 64 IoCs
Processes (description ioc process):
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} powershell.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ClassicExplorer.DLL\AppID = "{65843E27-A491-429F-84A0-30A947E20F92}" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer\ = "ClassicExplorer.ExplorerBHO.1" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ProxyStubClsid32 MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ProgID MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers MsiExec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\Version = "67371199" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1 MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\CLSID MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID\ = "ClassicExplorer.ExplorerBand.1" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt MsiExec.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" reg.exe
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchHost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBand" MsiExec.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "967" SearchHost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ = "IClassicCopyExt" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F\StartMenu = "OpenShell" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ = "ShareOverlay Class" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\CLSID MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{65843E27-A491-429F-84A0-30A947E20F92}\ = "ClassicExplorer" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer\ = "ClassicExplorer.ShareOverlay.1" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer\ = "ClassicExplorer.ShareOverlay.1" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}" MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32 MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32 MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\Version = "1.0" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\ = "ExplorerBHO Class" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBHO" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32 MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}\ = "StartMenuHelper" MsiExec.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no" OOSU10.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win32 MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ProgID\ = "ClassicExplorer.ShareOverlay.1" MsiExec.exe
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\StartMenuExt MsiExec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" MsiExec.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\ProductName = "Open-Shell" msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\TypeLib MsiExec.exe
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchHost.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe
Nearly all of the HKLM\SOFTWARE\Classes entries are the Open-Shell MSI (ProductName "Open-Shell") registering two DLLs as COM in-process servers: C:\Program Files\Open-Shell\ClassicExplorer64.dll (an Explorer BHO, the ExplorerBand toolbar band, and the ClassicCopyExt drag-and-drop handler) and C:\Windows\system32\StartMenuHelper64.dll (context-menu handlers and the StartMenuExt entries). These are the records that matter for a persistence review: the DLLs are loaded into explorer.exe whenever it instantiates those CLSIDs, while the ProgID, TypeLib, Interface and Installer entries are COM bookkeeping. -
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid process 5308 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, with the number of IoCs each accounts for):
2272 powershell.exe (2), 4184 powershell.exe (2), 1320 powershell.exe (2), 4052 powershell.exe (2), 4012 powershell.exe (2), 2764 powershell.exe (2), 1860 Taskmgr.exe (5), 2144 svchost.exe (4), 1364 powershell.exe (2), 564 powershell.exe (2), 1176 powershell.exe (2), 2340 powershell.exe (2), 2264 NSudoLG.exe (2), 4272 NSudoLG.exe (2), 752 powershell.exe (2), 252 explorer.exe (2), 4644 powershell.exe (3), 3844 powershell.exe (2), 1240 powershell.exe (2), 3668 msiexec.exe (2), 1872 powershell.exe (3), 5052 powershell.exe (3), 768 powershell.exe (3), 3116 powershell.exe (3), 868 powershell.exe (3), 4800 powershell.exe (3)
NSudoLG.exe is the NSudo launcher, a tool for starting processes as SYSTEM or TrustedInstaller. Its presence next to the sc config / net start TrustedInstaller commands in the process tree is the usual pattern for running commands as TrustedInstaller; what it launched is not visible in this part of the report. -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 252 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
pid process 2504 2504 2504 2504 2504 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description pid process):
5052 TiWorker.exe: 54 token adjustments cycling through SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege
2272 powershell.exe: SeDebugPrivilege
4184 powershell.exe: SeDebugPrivilege
1320 powershell.exe: SeDebugPrivilege
4052 powershell.exe: SeDebugPrivilege
3068 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
4012 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege
TiWorker.exe is the Windows Modules Installer worker run by the TrustedInstaller service; the backup/restore/security privileges it enables are normal for servicing work and are consistent with the script starting that service in the process tree, so this block is expected noise rather than something the script did itself. The SeDebugPrivilege entries for powershell.exe are the PowerShell host's default start-up behaviour, not evidence that it attached to another process. PID 5052 is listed as powershell.exe under EnumeratesProcesses above, another case of a PID being reused within the run. -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid process):
1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 4916 msiexec.exe 4916 msiexec.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid process):
1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 1860 Taskmgr.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes (pid process):
252 explorer.exe 4056 SearchHost.exe 1000 StartMenuExperienceHost.exe 252 explorer.exe 4060 StartMenu.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 252 explorer.exe 5308 (no image name recorded) -
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description pid process target process; the report records two writes for every child the batch interpreter spawns, so each child below stands for two IoCs):
PID 1300 cmd.exe wrote to memory of: 4620 fltMC.exe, 1008 sc.exe, 1136 find.exe, 1012 find.exe, 984 sc.exe, 4104 find.exe, 4588 find.exe, 648 sc.exe, 3320 net.exe, 3124 curl.exe, 2972 timeout.exe, 252 tar.exe, 2344 chcp.com, 3040 timeout.exe, 1940 chcp.com, 2264 chcp.com, 2272 powershell.exe, 2124 timeout.exe, 660 chcp.com, 408 timeout.exe, 3688 chcp.com, 2520 reg.exe, 3428 reg.exe, 3364 reg.exe, 996 timeout.exe, 708 reg.exe, 2508 reg.exe, 4028 reg.exe, 4928 reg.exe, 3160 timeout.exe, 3088 reg.exe
PID 3320 net.exe wrote to memory of: 3340 net1.exe
These are the ordinary parent-to-child writes made when a process is created, not injection: the parent is the cmd.exe running the batch file, and the list doubles as its execution order. PID 252 is tar.exe in this signature but explorer.exe in the signatures above, so PIDs were recycled during the run. -
System policy modification 1 TTPs 2 IoCs
Processes (description ioc process):
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" OOSU10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" OOSU10.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
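The signature blocks above flatten every registry IoC into one string: operation, optional value type, \REGISTRY\... path, optional = "data", and a trailing process name when the sandbox captured one. The example below is added for this page; it is not part of the sandbox report and not code from the analysed script. It parses those strings into records, flags the ones a triage analyst should read first (in-process COM server registrations such as the ClassicExplorer64.dll and StartMenuHelper64.dll entries MsiExec.exe writes under HKLM, policy values, writes to the .DEFAULT hive, deleted shell handlers, services switched to Disabled) and checks whether a CLSID occurs in a binary toolbar-layout blob. The record grammar is inferred from the blocks above rather than taken from a published format, the sample strings are copied from those blocks, and LAYOUT_EXCERPT is a constructed, shortened excerpt of the ITBar7Layout value around its GUID bytes.

```python
"""Parse the flattened registry IoC records of a sandbox signature block.

Added example for this report; not sandbox output and not part of the
analysed script. The record grammar (operation, optional value type,
REGISTRY path, optional = "data", optional trailing process name) is
inferred from the signature blocks, not from a published format.
"""
from __future__ import annotations

import re
import uuid
from dataclasses import dataclass
from typing import Optional

# Sample input: records copied verbatim from the signature blocks of this report.
SAMPLE_RECORDS = r"""
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" OOSU10.exe
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" MsiExec.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt MsiExec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" OOSU10.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" OOSU10.exe
"""

# Constructed excerpt of the ITBar7Layout blob, shortened to the bytes around
# the embedded GUID (the real value carries several hundred more zero bytes).
LAYOUT_EXCERPT = "0000000000000000b7913855d5a02645be18d3ce461d63100000000000000000"

RECORD_RE = re.compile(
    r"^(?P<op>Key created|Key deleted|Set value)"
    r"(?:\s+\((?P<vtype>\w+)\))?"
    r"\s+(?P<path>\\REGISTRY\\.*?)"      # lazy: stops where ' = "' or the process name begins
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r"(?:\s+(?P<proc>\S+\.(?:exe|com)))?$"
)


@dataclass
class RegRecord:
    op: str
    vtype: Optional[str]
    path: str
    data: Optional[str]
    proc: Optional[str]

    @property
    def hive(self) -> str:
        """'MACHINE' for HKLM-backed paths, 'USER' for any user hive."""
        return self.path.split("\\")[2]


def parse_records(text: str) -> list[RegRecord]:
    records: list[RegRecord] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised record: {line!r}")
        data = m["data"]
        if data is not None:
            data = data.replace("\\\\", "\\")  # the report doubles backslashes in REG_SZ data
        records.append(RegRecord(m["op"], m["vtype"], m["path"], data, m["proc"]))
    return records


def flag(rec: RegRecord) -> list[str]:
    """Heuristics for the records worth reading first; paths compared case-insensitively."""
    p = rec.path.lower()
    findings: list[str] = []
    if p.endswith("\\inprocserver32\\") and rec.data:
        findings.append(f"COM in-proc server registered: {rec.data}")
    if "\\policies\\" in p:
        findings.append(f"policy value written in {rec.hive} hive")
    if p.startswith("\\registry\\user\\.default\\"):
        findings.append("default user hive modified (inherited by new profiles)")
    if "\\services\\" in p and p.endswith("\\start") and rec.data == "4":
        findings.append("service start type set to Disabled")
    if rec.op == "Key deleted" and "shellex\\contextmenuhandlers" in p:
        findings.append("shell context-menu handler removed")
    return findings


def triage(text: str) -> list[tuple[RegRecord, list[str]]]:
    """Parse the block and keep only the flagged records, each with its findings."""
    out: list[tuple[RegRecord, list[str]]] = []
    for rec in parse_records(text):
        found = flag(rec)
        if found:
            out.append((rec, found))
    return out


def guid_in_layout(layout_hex: str, guid: str) -> bool:
    """True if the GUID's on-disk bytes occur in a hex-encoded binary blob.

    Registry blobs store GUIDs with the first three fields little-endian,
    which is exactly what uuid.UUID(...).bytes_le produces.
    """
    return uuid.UUID(guid).bytes_le.hex() in layout_hex.lower()


if __name__ == "__main__":
    for rec, findings in triage(SAMPLE_RECORDS):
        print(f"{rec.proc or '?':14} {rec.op:11} {rec.path}")
        for found in findings:
            print(f"    -> {found}")
    print("ExplorerBand CLSID in layout blob:",
          guid_in_layout(LAYOUT_EXCERPT, "{553891B7-A0D5-4526-BE18-D3CE461D6310}"))
```

Run over the full "Modifies registry class" block, triage() reduces its 64 records to the handful carrying an InprocServer32 DLL path, which are the DLLs explorer.exe loads when it instantiates the registered shell extensions and therefore the part that matters for a persistence review; ProgID, TypeLib and Installer entries fall through unflagged. The Services rule is included for the general case even though the sample above exercises none.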
Processes
-
Each entry below is the image path, the command line, then the nesting level the report renders as "n⤵" and the PID; signatures the sandbox attached to an entry follow it as indented bullets.
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"  [level 1, PID 1300]
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\fltMC.exe  fltmc  [level 2, PID 4620]
C:\Windows\system32\sc.exe  sc query "WinDefend"  [level 2, PID 1008]
C:\Windows\system32\find.exe  find "STATE"  [level 2, PID 1136]
C:\Windows\system32\find.exe  find "RUNNING"  [level 2, PID 1012]
C:\Windows\system32\sc.exe  sc qc "TrustedInstaller"  [level 2, PID 984]
C:\Windows\system32\find.exe  find "START_TYPE"  [level 2, PID 4104]
C:\Windows\system32\find.exe  find "DISABLED"  [level 2, PID 4588]
C:\Windows\system32\sc.exe  sc config TrustedInstaller start=auto  [level 2, PID 648]
C:\Windows\system32\net.exe  net start TrustedInstaller  [level 2, PID 3320]
  - Suspicious use of WriteProcessMemory
C:\Windows\system32\net1.exe  C:\Windows\system32\net1 start TrustedInstaller  [level 3, PID 3340]
C:\Windows\system32\curl.exe  curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"  [level 2, PID 3124]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 2972]
  - Delays execution with timeout.exe
C:\Windows\system32\tar.exe  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1  [level 2, PID 252]
Note on this preamble: fltmc as the first command is the usual batch test that the script is running elevated (fltmc fails unless the caller holds administrator rights). The sc/find pairs read whether WinDefend is RUNNING and whether TrustedInstaller is DISABLED; the script then sets TrustedInstaller to auto-start and starts it, which is consistent with TiWorker.exe, the Windows Modules Installer worker, appearing in the signatures above. The tools archive is fetched over HTTPS with curl -s -L (silent, following redirects) and unpacked into the working directory with tar; no hash or signature check of the archive appears in the part of the tree shown here, so whatever it contains runs with the same elevated rights as the script.
-
C:\Windows\system32\chcp.com  chcp 65001  [level 2, PID 2344]
C:\Windows\system32\timeout.exe  timeout 2  [level 2, PID 3040]
  - Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 65001  [level 2, PID 1940]
C:\Windows\system32\chcp.com  chcp 437  [level 2, PID 2264]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"  [level 2, PID 2272]
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\timeout.exe  timeout 2  [level 2, PID 2124]
  - Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 65001  [level 2, PID 660]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 408]
  - Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 437  [level 2, PID 3688]
-
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f  [level 2, PID 2520]
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f  [level 2, PID 3428]
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f  [level 2, PID 3364]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 996]
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f  [level 2, PID 708]
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f  [level 2, PID 2508]
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f  [level 2, PID 4028]
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f  [level 2, PID 4928]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 3160]
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f  [level 2, PID 3088]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f  [level 2, PID 3616]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 2536]
  - Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"  [level 2, PID 4184]
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 5112]
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f  [level 2, PID 8]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 1476]
C:\Windows\system32\reg.exe  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f  [level 2, PID 2144]
  - Modifies data under HKEY_USERS
  (reg.exe parses a /d value without a 0x prefix as decimal, so the DWORD written here is 80000002 decimal, i.e. 0x04C4B402, not 0x80000002)
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 1464]
  - Delays execution with timeout.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"  [level 2, PID 1320]
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  (an empty InprocServer32 under this CLSID in HKCU is the widely used Windows 11 tweak that restores the classic right-click menu; mechanically it is a per-user HKCU\Software\Classes entry shadowing a machine-wide COM registration, the same primitive COM hijacking relies on for persistence, so expect it to trip detections written for that technique)
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 2152]
C:\Windows\system32\reg.exe  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f  [level 2, PID 1400]
  - Modifies visibility of file extensions in Explorer
-
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 4884]
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f  [level 2, PID 3604]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 3736]
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f  [level 2, PID 4460]
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 2352]
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f  [level 2, PID 4916]
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f  [level 2, PID 5020]
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f  [level 2, PID 1000]
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f  [level 2, PID 3900]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f  [level 2, PID 2452]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f  [level 2, PID 1856]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f  [level 2, PID 2460]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f  [level 2, PID 2740]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f  [level 2, PID 1548]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f  [level 2, PID 3188]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f  [level 2, PID 3060]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f  [level 2, PID 1588]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f  [level 2, PID 4992]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"  [level 2, PID 4052]
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\timeout.exe  timeout 1  [level 2, PID 2680]
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f  [level 2, PID 4660]
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f  [level 2, PID 4656]
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f  [level 2, PID 4620]
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f  [level 2, PID 4128]
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f  [level 2, PID 3044]
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f  [level 2, PID 1008]
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f  [level 2, PID 2060]
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:4104
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f2⤵PID:4508
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f2⤵PID:2876
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4716 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f2⤵PID:3992
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:3392
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
PID:5116 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3084 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f2⤵PID:3320
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f2⤵PID:4512
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f2⤵PID:4400
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:3824
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f2⤵PID:4336
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f2⤵PID:900
-
C:\Windows\system32\powercfg.exepowercfg.exe /hibernate off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3068 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1216 -
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵
- Launches sc.exe
PID:4972 -
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵PID:5044
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:244 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:2972
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:1076
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4776 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f2⤵PID:848
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4704 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f2⤵PID:2096
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3500 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 02⤵
- UAC bypass
PID:1628 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2032 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:2960
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:812 -
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵PID:392
-
C:\Windows\system32\sc.exesc config ALG start=demand2⤵PID:2880
-
C:\Windows\system32\sc.exesc config AppIDSvc start=demand2⤵
- Launches sc.exe
PID:2056 -
C:\Windows\system32\sc.exesc config AppMgmt start=demand2⤵PID:4428
-
C:\Windows\system32\sc.exesc config AppReadiness start=demand2⤵PID:5112
-
C:\Windows\system32\sc.exesc config AppVClient start=disabled2⤵PID:1984
-
C:\Windows\system32\sc.exesc config AppXSvc start=demand2⤵PID:2072
-
C:\Windows\system32\sc.exesc config Appinfo start=demand2⤵PID:1948
-
C:\Windows\system32\sc.exesc config AssignedAccessManagerSvc start=disabled2⤵PID:3472
-
C:\Windows\system32\sc.exesc config AudioEndpointBuilder start=auto2⤵PID:1648
-
C:\Windows\system32\sc.exesc config AudioSrv start=auto2⤵
- Launches sc.exe
PID:2992 -
C:\Windows\system32\sc.exesc config Audiosrv start=auto2⤵PID:5060
-
C:\Windows\system32\sc.exesc config AxInstSV start=demand2⤵PID:4736
-
C:\Windows\system32\sc.exesc config BDESVC start=demand2⤵PID:1508
-
C:\Windows\system32\sc.exesc config BFE start=auto2⤵PID:3536
-
C:\Windows\system32\sc.exesc config BITS start=delayed-auto2⤵PID:2180
-
C:\Windows\system32\sc.exesc config BTAGService start=demand2⤵PID:972
-
C:\Windows\system32\sc.exesc config BcastDVRUserService_dc2a4 start=demand2⤵PID:3812
-
C:\Windows\system32\sc.exesc config BluetoothUserService_dc2a4 start=demand2⤵PID:2696
-
C:\Windows\system32\sc.exesc config BrokerInfrastructure start=auto2⤵PID:3096
-
C:\Windows\system32\sc.exesc config Browser start=demand2⤵PID:1320
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start=auto2⤵PID:3628
-
C:\Windows\system32\sc.exesc config BthHFSrv start=auto2⤵PID:1848
-
C:\Windows\system32\sc.exesc config CDPSvc start=demand2⤵PID:1748
-
C:\Windows\system32\sc.exesc config CDPUserSvc_dc2a4 start=auto2⤵PID:3604
-
C:\Windows\system32\sc.exesc config COMSysApp start=demand2⤵PID:3736
-
C:\Windows\system32\sc.exesc config CaptureService_dc2a4 start=demand2⤵PID:1912
-
C:\Windows\system32\sc.exesc config CertPropSvc start=demand2⤵PID:4100
-
C:\Windows\system32\sc.exesc config ClipSVC start=demand2⤵PID:5048
-
C:\Windows\system32\sc.exesc config ConsentUxUserSvc_dc2a4 start=demand2⤵PID:4456
-
C:\Windows\system32\sc.exesc config CoreMessagingRegistrar start=auto2⤵PID:5020
-
C:\Windows\system32\sc.exesc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand2⤵PID:4196
-
C:\Windows\system32\sc.exesc config CryptSvc start=auto2⤵PID:1000
-
C:\Windows\system32\sc.exesc config CscService start=demand2⤵PID:2320
-
C:\Windows\system32\sc.exesc config DPS start=auto2⤵PID:4232
-
C:\Windows\system32\sc.exesc config DcomLaunch start=auto2⤵
- Launches sc.exe
PID:1952 -
C:\Windows\system32\sc.exesc config DcpSvc start=demand2⤵PID:1856
-
C:\Windows\system32\sc.exesc config DevQueryBroker start=demand2⤵PID:2740
-
C:\Windows\system32\sc.exesc config DeviceAssociationBrokerSvc_dc2a4 start=demand2⤵
- Launches sc.exe
PID:2840 -
C:\Windows\system32\sc.exesc config DeviceAssociationService start=demand2⤵PID:1108
-
C:\Windows\system32\sc.exesc config DeviceInstall start=demand2⤵PID:3464
-
C:\Windows\system32\sc.exesc config DevicePickerUserSvc_dc2a4 start=demand2⤵PID:3016
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_dc2a4 start=demand2⤵
- Launches sc.exe
PID:3060 -
C:\Windows\system32\sc.exesc config Dhcp start=auto2⤵PID:4040
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵PID:2416
-
C:\Windows\system32\sc.exesc config DialogBlockingService start=disabled2⤵PID:4084
-
C:\Windows\system32\sc.exesc config DispBrokerDesktopSvc start=auto2⤵PID:1128
-
C:\Windows\system32\sc.exesc config DisplayEnhancementService start=demand2⤵PID:472
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=demand2⤵PID:4752
-
C:\Windows\system32\sc.exesc config Dnscache start=auto2⤵
- Launches sc.exe
PID:2668 -
C:\Windows\system32\sc.exesc config DoSvc start=delayed-auto2⤵PID:3848
-
C:\Windows\system32\sc.exesc config DsSvc start=demand2⤵
- Launches sc.exe
PID:3964 -
C:\Windows\system32\sc.exesc config DsmSvc start=demand2⤵PID:3532
-
C:\Windows\system32\sc.exesc config DusmSvc start=auto2⤵PID:4652
-
C:\Windows\system32\sc.exesc config EFS start=demand2⤵PID:564
-
C:\Windows\system32\sc.exesc config EapHost start=demand2⤵
- Launches sc.exe
PID:4852 -
C:\Windows\system32\sc.exesc config EntAppSvc start=demand2⤵PID:4656
-
C:\Windows\system32\sc.exesc config EventLog start=auto2⤵PID:4764
-
C:\Windows\system32\sc.exesc config EventSystem start=auto2⤵PID:4300
-
C:\Windows\system32\sc.exesc config FDResPub start=demand2⤵PID:4940
-
C:\Windows\system32\sc.exesc config Fax start=demand2⤵PID:3892
-
C:\Windows\system32\sc.exesc config FontCache start=auto2⤵PID:3044
-
C:\Windows\system32\sc.exesc config FrameServer start=demand2⤵PID:2060
-
C:\Windows\system32\sc.exesc config FrameServerMonitor start=demand2⤵PID:5084
-
C:\Windows\system32\sc.exesc config GraphicsPerfSvc start=demand2⤵PID:4104
-
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵PID:4200
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵PID:4896
-
C:\Windows\system32\sc.exesc config HvHost start=demand2⤵PID:4404
-
C:\Windows\system32\sc.exesc config IEEtwCollectorService start=demand2⤵
- Launches sc.exe
PID:1084 -
C:\Windows\system32\sc.exesc config IKEEXT start=demand2⤵PID:2676
-
C:\Windows\system32\sc.exesc config InstallService start=demand2⤵PID:2652
-
C:\Windows\system32\sc.exesc config InventorySvc start=demand2⤵PID:2192
-
C:\Windows\system32\sc.exesc config IpxlatCfgSvc start=demand2⤵PID:1932
-
C:\Windows\system32\sc.exesc config KeyIso start=auto2⤵
- Launches sc.exe
PID:844 -
C:\Windows\system32\sc.exesc config KtmRm start=demand2⤵
- Launches sc.exe
PID:1808 -
C:\Windows\system32\sc.exesc config LSM start=auto2⤵PID:2036
-
C:\Windows\system32\sc.exesc config LanmanServer start=auto2⤵PID:1800
-
C:\Windows\system32\sc.exesc config LanmanWorkstation start=auto2⤵PID:3084
-
C:\Windows\system32\sc.exesc config LicenseManager start=demand2⤵PID:652
-
C:\Windows\system32\sc.exesc config LxpSvc start=demand2⤵PID:808
-
C:\Windows\system32\sc.exesc config MSDTC start=demand2⤵PID:5024
-
C:\Windows\system32\sc.exesc config MSiSCSI start=demand2⤵PID:4512
-
C:\Windows\system32\sc.exesc config MapsBroker start=delayed-auto2⤵PID:3996
-
C:\Windows\system32\sc.exesc config McpManagementService start=demand2⤵PID:3704
-
C:\Windows\system32\sc.exesc config MessagingService_dc2a4 start=demand2⤵
- Launches sc.exe
PID:4336 -
C:\Windows\system32\sc.exesc config MicrosoftEdgeElevationService start=demand2⤵PID:900
-
C:\Windows\system32\sc.exesc config MixedRealityOpenXRSvc start=demand2⤵PID:2176
-
C:\Windows\system32\sc.exesc config MpsSvc start=auto2⤵PID:2108
-
C:\Windows\system32\sc.exesc config MsKeyboardFilter start=demand2⤵PID:4076
-
C:\Windows\system32\sc.exesc config NPSMSvc_dc2a4 start=demand2⤵PID:5044
-
C:\Windows\system32\sc.exesc config NaturalAuthentication start=demand2⤵
- Launches sc.exe
PID:2228 -
C:\Windows\system32\sc.exesc config NcaSvc start=demand2⤵PID:4000
-
C:\Windows\system32\sc.exesc config NcbService start=demand2⤵PID:2972
-
C:\Windows\system32\sc.exesc config NcdAutoSetup start=demand2⤵PID:336
-
C:\Windows\system32\sc.exesc config NetSetupSvc start=demand2⤵PID:3624
-
C:\Windows\system32\sc.exesc config NetTcpPortSharing start=disabled2⤵PID:4144
-
C:\Windows\system32\sc.exesc config Netlogon start=demand2⤵
- Launches sc.exe
PID:2976 -
C:\Windows\system32\sc.exesc config Netman start=demand2⤵
- Launches sc.exe
PID:4704 -
C:\Windows\system32\sc.exesc config NgcCtnrSvc start=demand2⤵PID:1940
-
C:\Windows\system32\sc.exesc config NgcSvc start=demand2⤵PID:4600
-
C:\Windows\system32\sc.exesc config NlaSvc start=demand2⤵PID:2232
-
C:\Windows\system32\sc.exesc config OneSyncSvc_dc2a4 start=auto2⤵PID:1140
-
C:\Windows\system32\sc.exesc config P9RdrService_dc2a4 start=demand2⤵PID:448
-
C:\Windows\system32\sc.exesc config PNRPAutoReg start=demand2⤵PID:2260
-
C:\Windows\system32\sc.exesc config PNRPsvc start=demand2⤵PID:3436
-
C:\Windows\system32\sc.exesc config PcaSvc start=demand2⤵PID:3048
-
C:\Windows\system32\sc.exesc config PeerDistSvc start=demand2⤵PID:2324
-
C:\Windows\system32\sc.exesc config PenService_dc2a4 start=demand2⤵
- Launches sc.exe
PID:1500 -
C:\Windows\system32\sc.exesc config PerfHost start=demand2⤵PID:3820
-
C:\Windows\system32\sc.exesc config PhoneSvc start=demand2⤵PID:2752
-
C:\Windows\system32\sc.exesc config PimIndexMaintenanceSvc_dc2a4 start=demand2⤵PID:3056
-
C:\Windows\system32\sc.exesc config PlugPlay start=demand2⤵
- Launches sc.exe
PID:1564 -
C:\Windows\system32\sc.exesc config PolicyAgent start=demand2⤵PID:3904
-
C:\Windows\system32\sc.exesc config Power start=auto2⤵PID:3356
-
C:\Windows\system32\sc.exesc config PrintNotify start=demand2⤵PID:4012
-
C:\Windows\system32\sc.exesc config PrintWorkflowUserSvc_dc2a4 start=demand2⤵PID:4272
-
C:\Windows\system32\sc.exesc config ProfSvc start=auto2⤵PID:4624
-
C:\Windows\system32\sc.exesc config PushToInstall start=demand2⤵PID:3500
-
C:\Windows\system32\sc.exesc config QWAVE start=demand2⤵PID:2332
-
C:\Windows\system32\sc.exesc config RasAuto start=demand2⤵
- Launches sc.exe
PID:4388 -
C:\Windows\system32\sc.exesc config RasMan start=demand2⤵PID:4596
-
C:\Windows\system32\sc.exesc config RemoteAccess start=disabled2⤵
- Launches sc.exe
PID:4552 -
C:\Windows\system32\sc.exesc config RemoteRegistry start=disabled2⤵PID:2828
-
C:\Windows\system32\sc.exesc config RetailDemo start=demand2⤵PID:1936
-
C:\Windows\system32\sc.exesc config RmSvc start=demand2⤵PID:2200
-
C:\Windows\system32\sc.exesc config RpcEptMapper start=auto2⤵
- Launches sc.exe
PID:2888 -
C:\Windows\system32\sc.exesc config RpcLocator start=demand2⤵PID:1860
-
C:\Windows\system32\sc.exesc config RpcSs start=auto2⤵
- Launches sc.exe
PID:1560 -
C:\Windows\system32\sc.exesc config SCPolicySvc start=demand2⤵PID:3952
-
C:\Windows\system32\sc.exesc config SCardSvr start=demand2⤵PID:4428
-
C:\Windows\system32\sc.exesc config SDRSVC start=demand2⤵PID:5112
-
C:\Windows\system32\sc.exesc config SEMgrSvc start=demand2⤵PID:1984
-
C:\Windows\system32\sc.exesc config SENS start=auto2⤵PID:1476
-
C:\Windows\system32\sc.exesc config SNMPTRAP start=demand2⤵PID:2700
-
C:\Windows\system32\sc.exesc config SNMPTrap start=demand2⤵PID:3472
-
C:\Windows\system32\sc.exesc config SSDPSRV start=demand2⤵PID:2292
-
C:\Windows\system32\sc.exesc config SamSs start=auto2⤵PID:4136
-
C:\Windows\system32\sc.exesc config ScDeviceEnum start=demand2⤵PID:3372
-
C:\Windows\system32\sc.exesc config Schedule start=auto2⤵
- Launches sc.exe
PID:488 -
C:\Windows\system32\sc.exesc config SecurityHealthService start=demand2⤵PID:4872
-
C:\Windows\system32\sc.exesc config Sense start=demand2⤵PID:3940
-
C:\Windows\system32\sc.exesc config SensorDataService start=demand2⤵PID:972
-
C:\Windows\system32\sc.exesc config SensorService start=demand2⤵PID:3812
-
C:\Windows\system32\sc.exesc config SensrSvc start=demand2⤵PID:2696
-
C:\Windows\system32\sc.exesc config SessionEnv start=demand2⤵
- Launches sc.exe
PID:604 -
C:\Windows\system32\sc.exesc config SgrmBroker start=auto2⤵PID:1320
-
C:\Windows\system32\sc.exesc config SharedAccess start=demand2⤵PID:3628
-
C:\Windows\system32\sc.exesc config SharedRealitySvc start=demand2⤵PID:2672
-
C:\Windows\system32\sc.exesc config ShellHWDetection start=auto2⤵PID:1240
-
C:\Windows\system32\sc.exesc config SmsRouter start=demand2⤵PID:1652
-
C:\Windows\system32\sc.exesc config Spooler start=auto2⤵PID:3256
-
C:\Windows\system32\sc.exesc config SstpSvc start=demand2⤵PID:2600
-
C:\Windows\system32\sc.exesc config StateRepository start=demand2⤵PID:1488
-
C:\Windows\system32\sc.exesc config StiSvc start=demand2⤵PID:1252
-
C:\Windows\system32\sc.exesc config StorSvc start=demand2⤵PID:4936
-
C:\Windows\system32\sc.exesc config SysMain start=auto2⤵PID:4196
-
C:\Windows\system32\sc.exesc config SystemEventsBroker start=auto2⤵PID:1000
-
C:\Windows\system32\sc.exesc config TabletInputService start=demand2⤵PID:2140
-
C:\Windows\system32\sc.exesc config TapiSrv start=demand2⤵PID:2712
-
C:\Windows\system32\sc.exesc config TermService start=auto2⤵PID:3152
-
C:\Windows\system32\sc.exesc config TextInputManagementService start=demand2⤵PID:5004
-
C:\Windows\system32\sc.exesc config Themes start=auto2⤵PID:4856
-
C:\Windows\system32\sc.exesc config TieringEngineService start=demand2⤵PID:3488
-
C:\Windows\system32\sc.exesc config TimeBroker start=demand2⤵PID:3640
-
C:\Windows\system32\sc.exesc config TimeBrokerSvc start=demand2⤵
- Launches sc.exe
PID:1740 -
C:\Windows\system32\sc.exesc config TokenBroker start=demand2⤵PID:1588
-
C:\Windows\system32\sc.exesc config TrkWks start=auto2⤵PID:4992
-
C:\Windows\system32\sc.exesc config TroubleshootingSvc start=demand2⤵PID:636
-
C:\Windows\system32\sc.exesc config TrustedInstaller start=demand2⤵PID:4084
-
C:\Windows\system32\sc.exesc config UI0Detect start=demand2⤵PID:1128
-
C:\Windows\system32\sc.exesc config UdkUserSvc_dc2a4 start=demand2⤵PID:3744
-
C:\Windows\system32\sc.exesc config UevAgentService start=disabled2⤵PID:4912
-
C:\Windows\system32\sc.exesc config UmRdpService start=demand2⤵PID:2852
-
C:\Windows\system32\sc.exesc config UnistoreSvc_dc2a4 start=demand2⤵PID:4828
-
C:\Windows\system32\sc.exesc config UserDataSvc_dc2a4 start=demand2⤵PID:4052
-
C:\Windows\system32\sc.exesc config UserManager start=auto2⤵
- Launches sc.exe
PID:3828 -
C:\Windows\system32\sc.exesc config UsoSvc start=demand2⤵PID:564
-
C:\Windows\system32\sc.exesc config VGAuthService start=auto2⤵PID:4852
-
C:\Windows\system32\sc.exesc config VMTools start=auto2⤵PID:4656
-
C:\Windows\system32\sc.exesc config VSS start=demand2⤵PID:4764
-
C:\Windows\system32\sc.exesc config VacSvc start=demand2⤵PID:4300
-
C:\Windows\system32\sc.exesc config VaultSvc start=auto2⤵PID:1008
-
C:\Windows\system32\sc.exesc config W32Time start=demand2⤵PID:3892
-
C:\Windows\system32\sc.exesc config WEPHOSTSVC start=demand2⤵PID:3448
-
C:\Windows\system32\sc.exesc config WFDSConMgrSvc start=demand2⤵PID:3300
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start=demand2⤵PID:984
-
C:\Windows\system32\sc.exesc config WManSvc start=demand2⤵PID:648
-
C:\Windows\system32\sc.exesc config WPDBusEnum start=demand2⤵PID:3368
-
C:\Windows\system32\sc.exesc config WSService start=demand2⤵PID:4200
-
C:\Windows\system32\sc.exesc config WSearch start=delayed-auto2⤵PID:4896
-
C:\Windows\system32\sc.exesc config WaaSMedicSvc start=demand2⤵PID:4404
-
C:\Windows\system32\sc.exesc config WalletService start=demand2⤵PID:2412
-
C:\Windows\system32\sc.exesc config WarpJITSvc start=demand2⤵PID:2812
-
C:\Windows\system32\sc.exesc config WbioSrvc start=demand2⤵
- Launches sc.exe
PID:2660 -
C:\Windows\system32\sc.exesc config Wcmsvc start=auto2⤵PID:1732
-
C:\Windows\system32\sc.exesc config WcsPlugInService start=demand2⤵PID:3116
-
C:\Windows\system32\sc.exesc config WdNisSvc start=demand2⤵PID:3392
-
C:\Windows\system32\sc.exesc config WdiServiceHost start=demand2⤵PID:2036
-
C:\Windows\system32\sc.exesc config WdiSystemHost start=demand2⤵PID:1800
-
C:\Windows\system32\sc.exesc config WebClient start=demand2⤵PID:4844
-
C:\Windows\system32\sc.exesc config Wecsvc start=demand2⤵PID:652
-
C:\Windows\system32\sc.exesc config WerSvc start=demand2⤵PID:4400
-
C:\Windows\system32\sc.exesc config WiaRpc start=demand2⤵PID:1344
-
C:\Windows\system32\sc.exesc config WinDefend start=auto2⤵
- Launches sc.exe
PID:4416 -
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start=demand2⤵PID:416
-
C:\Windows\system32\sc.exesc config WinRM start=demand2⤵PID:3552
-
C:\Windows\system32\sc.exesc config Winmgmt start=auto2⤵PID:4336
-
C:\Windows\system32\sc.exesc config WlanSvc start=auto2⤵PID:1972
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=demand2⤵PID:2092
-
C:\Windows\system32\sc.exesc config WpnService start=demand2⤵PID:3124
-
C:\Windows\system32\sc.exesc config WpnUserService_dc2a4 start=auto2⤵PID:4076
-
C:\Windows\system32\sc.exesc config WwanSvc start=demand2⤵PID:5044
-
C:\Windows\system32\sc.exesc config XblAuthManager start=demand2⤵PID:2228
-
C:\Windows\system32\sc.exesc config XblGameSave start=demand2⤵PID:280
-
C:\Windows\system32\sc.exesc config XboxGipSvc start=demand2⤵PID:1076
-
C:\Windows\system32\sc.exesc config XboxNetApiSvc start=demand2⤵
- Launches sc.exe
PID:5056 -
C:\Windows\system32\sc.exesc config autotimesvc start=demand2⤵PID:3624
-
C:\Windows\system32\sc.exesc config bthserv start=demand2⤵
- Launches sc.exe
PID:4144 -
C:\Windows\system32\sc.exesc config camsvc start=demand2⤵PID:2976
-
C:\Windows\system32\sc.exesc config cbdhsvc_dc2a4 start=demand2⤵PID:4704
-
C:\Windows\system32\sc.exesc config cloudidsvc start=demand2⤵PID:1940
-
C:\Windows\system32\sc.exesc config dcsvc start=demand2⤵PID:1780
-
C:\Windows\system32\sc.exesc config defragsvc start=demand2⤵PID:2732
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start=demand2⤵PID:4964
-
C:\Windows\system32\sc.exesc config diagsvc start=demand2⤵PID:1448
-
C:\Windows\system32\sc.exesc config dmwappushservice start=demand2⤵PID:2252
-
C:\Windows\system32\sc.exesc config dot3svc start=demand2⤵PID:3036
-
C:\Windows\system32\sc.exesc config edgeupdate start=demand2⤵PID:4240
-
C:\Windows\system32\sc.exesc config edgeupdatem start=demand2⤵PID:3800
-
C:\Windows\system32\sc.exesc config embeddedmode start=demand2⤵PID:944
-
C:\Windows\system32\sc.exesc config fdPHost start=demand2⤵PID:3148
-
C:\Windows\system32\sc.exesc config fhsvc start=demand2⤵
- Launches sc.exe
PID:3804 -
C:\Windows\system32\sc.exesc config gpsvc start=auto2⤵PID:3104
-
C:\Windows\system32\sc.exesc config hidserv start=demand2⤵
- Launches sc.exe
PID:1700 -
C:\Windows\system32\sc.exesc config icssvc start=demand2⤵PID:3356
-
C:\Windows\system32\sc.exesc config iphlpsvc start=auto2⤵
- Launches sc.exe
PID:2664 -
C:\Windows\system32\sc.exesc config lfsvc start=demand2⤵PID:4928
-
C:\Windows\system32\sc.exesc config lltdsvc start=demand2⤵PID:4464
-
C:\Windows\system32\sc.exesc config lmhosts start=demand2⤵PID:3136
-
C:\Windows\system32\sc.exesc config mpssvc start=auto2⤵PID:2332
-
C:\Windows\system32\sc.exesc config msiserver start=demand2⤵PID:4388
-
C:\Windows\system32\sc.exesc config netprofm start=demand2⤵PID:4596
-
C:\Windows\system32\sc.exesc config nsi start=auto2⤵PID:4552
-
C:\Windows\system32\sc.exesc config p2pimsvc start=demand2⤵PID:1180
-
C:\Windows\system32\sc.exesc config p2psvc start=demand2⤵PID:1936
-
C:\Windows\system32\sc.exesc config perceptionsimulation start=demand2⤵
- Launches sc.exe
PID:4816 -
C:\Windows\system32\sc.exesc config pla start=demand2⤵PID:392
-
C:\Windows\system32\sc.exesc config seclogon start=demand2⤵PID:4184
-
C:\Windows\system32\sc.exesc config shpamsvc start=disabled2⤵PID:1388
-
C:\Windows\system32\sc.exesc config smphost start=demand2⤵
- Launches sc.exe
PID:3952 -
C:\Windows\system32\sc.exesc config spectrum start=demand2⤵PID:8
-
C:\Windows\system32\sc.exesc config sppsvc start=delayed-auto2⤵PID:4556
-
C:\Windows\system32\sc.exesc config ssh-agent start=disabled2⤵PID:2144
-
C:\Windows\system32\sc.exesc config svsvc start=demand2⤵PID:2064
-
C:\Windows\system32\sc.exesc config swprv start=demand2⤵PID:1648
-
C:\Windows\system32\sc.exesc config tiledatamodelsvc start=auto2⤵PID:2992
-
C:\Windows\system32\sc.exesc config tzautoupdate start=disabled2⤵PID:1232
-
C:\Windows\system32\sc.exesc config uhssvc start=disabled2⤵PID:4136
-
C:\Windows\system32\sc.exesc config upnphost start=demand2⤵PID:3372
-
C:\Windows\system32\sc.exesc config vds start=demand2⤵PID:3592
-
C:\Windows\system32\sc.exesc config vm3dservice start=demand2⤵PID:2180
-
C:\Windows\system32\sc.exesc config vmicguestinterface start=demand2⤵PID:3940
-
C:\Windows\system32\sc.exesc config vmicheartbeat start=demand2⤵PID:1772
-
C:\Windows\system32\sc.exesc config vmickvpexchange start=demand2⤵PID:2152
-
C:\Windows\system32\sc.exesc config vmicrdv start=demand2⤵
- Launches sc.exe
PID:3096 -
C:\Windows\system32\sc.exesc config vmicshutdown start=demand2⤵
- Launches sc.exe
PID:2720 -
C:\Windows\system32\sc.exesc config vmictimesync start=demand2⤵
- Launches sc.exe
PID:3456 -
C:\Windows\system32\sc.exesc config vmicvmsession start=demand2⤵
- Launches sc.exe
PID:3628 -
C:\Windows\system32\sc.exesc config vmicvss start=demand2⤵PID:2672
-
C:\Windows\system32\sc.exesc config vmvss start=demand2⤵PID:1240
-
C:\Windows\system32\sc.exesc config wbengine start=demand2⤵PID:1652
-
C:\Windows\system32\sc.exesc config wcncsvc start=demand2⤵PID:1912
-
C:\Windows\system32\sc.exesc config webthreatdefsvc start=demand2⤵PID:4100
-
C:\Windows\system32\sc.exesc config webthreatdefusersvc_dc2a4 start=auto2⤵PID:5048
-
C:\Windows\system32\sc.exesc config wercplsupport start=demand2⤵PID:2704
-
C:\Windows\system32\sc.exesc config wisvc start=demand2⤵PID:1252
-
C:\Windows\system32\sc.exesc config wlidsvc start=demand2⤵
- Launches sc.exe
PID:1188 -
C:\Windows\system32\sc.exesc config wlpasvc start=demand2⤵PID:4196
-
C:\Windows\system32\sc.exesc config wmiApSrv start=demand2⤵PID:1000
-
C:\Windows\system32\sc.exesc config workfolderssvc start=demand2⤵PID:4792
-
C:\Windows\system32\sc.exesc config wscsvc start=delayed-auto2⤵PID:3520
-
C:\Windows\system32\sc.exesc config wuauserv start=demand2⤵PID:4824
-
C:\Windows\system32\sc.exesc config wudfsvc start=demand2⤵PID:2740
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2840 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:3488
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable2⤵PID:4836
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable2⤵PID:1684
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable2⤵PID:4760
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable2⤵PID:752
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable2⤵PID:1636
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable2⤵PID:3496
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable2⤵PID:1104
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable2⤵PID:2668
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable2⤵PID:2852
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable2⤵PID:2680
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable2⤵PID:4652
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable2⤵PID:4572
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable2⤵PID:4852
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵PID:704
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵PID:4940
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f2⤵PID:4172
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f2⤵PID:3892
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f2⤵PID:2156
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f2⤵PID:1568
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f2⤵PID:648
-
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f  (depth 2, PID 4772)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f  (depth 2, PID 440)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f  (depth 2, PID 2224)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f  (depth 2, PID 2412)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f  (depth 2, PID 2192)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f  (depth 2, PID 4156)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f  (depth 2, PID 844)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f  (depth 2, PID 1808)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f  (depth 2, PID 3340)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f  (depth 2, PID 3084)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f  (depth 2, PID 808)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f  (depth 2, PID 4164)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f  (depth 2, PID 2548)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f  (depth 2, PID 4336)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f  (depth 2, PID 4984)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f  (depth 2, PID 3124)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f  (depth 2, PID 232)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f  (depth 2, PID 2004)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f  (depth 2, PID 2972)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f  (depth 2, PID 1076)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f  (depth 2, PID 848)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f  (depth 2, PID 3040)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f  (depth 2, PID 2976)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f  (depth 2, PID 4600)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f  (depth 2, PID 2232)
C:\Windows\system32\reg.exe  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f  (depth 2, PID 2836)
C:\Windows\system32\reg.exe  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f  (depth 2, PID 5096)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f  (depth 2, PID 4964)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f  (depth 2, PID 2760)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f  (depth 2, PID 3048)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f  (depth 2, PID 4240)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f  (depth 2, PID 3800)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f  (depth 2, PID 2752)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f  (depth 2, PID 3056)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 1564)
- Delays execution with timeout.exe
C:\Windows\system32\bcdedit.exe  bcdedit /set {current} bootmenupolicy Legacy  (depth 2, PID 2264)
- Modifies boot configuration data using bcdedit
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"  (depth 2, PID 940)
C:\Windows\system32\reg.exe  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild  (depth 3, PID 2664)
C:\Windows\system32\findstr.exe  findstr /r /c:"CurrentBuild"  (depth 3, PID 4624)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"  (depth 2, PID 2764)
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\Taskmgr.exe  "C:\Windows\system32\Taskmgr.exe"  (depth 3, PID 1860)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\system32\timeout.exe  timeout /t 2  (depth 2, PID 4428)
- Delays execution with timeout.exe
C:\Windows\system32\reg.exe  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences  (depth 2, PID 2712)
C:\Windows\system32\taskkill.exe  taskkill /f /im taskmgr.exe  (depth 2, PID 4824)
- Kills process with taskkill
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f  (depth 2, PID 4040)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"  (depth 2, PID 1364)
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"  (depth 2, PID 4660)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"  (depth 3, PID 564)
- Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"  (depth 2, PID 1176)
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\icacls.exe  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F  (depth 2, PID 5052)
- Possible privilege escalation attempt
- Modifies file permissions
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"  (depth 2, PID 2340)
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 5044)
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 65001  (depth 2, PID 2228)
C:\Windows\system32\chcp.com  chcp 437  (depth 2, PID 1328)
C:\Windows\system32\curl.exe  curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"  (depth 2, PID 252)
C:\Windows\system32\curl.exe  curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"  (depth 2, PID 4144)
C:\Oneclick Tools\OOShutup10\OOSU10.exe  "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet  (depth 2, PID 408)
- Modifies security service
- Executes dropped EXE
- Modifies Control Panel
- Modifies registry class
- System policy modification
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 3452)
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 65001  (depth 2, PID 3220)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 1564)
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 65001  (depth 2, PID 2264)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 2664)
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 437  (depth 2, PID 1196)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f  (depth 2, PID 2200)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f  (depth 2, PID 4624)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f  (depth 2, PID 1080)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f  (depth 2, PID 3816)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f  (depth 2, PID 4388)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f  (depth 2, PID 4816)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f  (depth 2, PID 4032)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f  (depth 2, PID 1320)
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f  (depth 2, PID 4436)
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f  (depth 2, PID 3736)
C:\Windows\system32\reg.exe  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f  (depth 2, PID 2704)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f  (depth 2, PID 5064)
C:\Windows\system32\reg.exe  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f  (depth 2, PID 5048)
C:\Windows\system32\sc.exe  sc config wlidsvc start= disabled  (depth 2, PID 4056)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config DisplayEnhancementService start= disabled  (depth 2, PID 4196)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config DiagTrack start= disabled  (depth 2, PID 4792)
C:\Windows\system32\sc.exe  sc config DusmSvc start= disabled  (depth 2, PID 4284)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config TabletInputService start= disabled  (depth 2, PID 4428)
C:\Windows\system32\sc.exe  sc config RetailDemo start= disabled  (depth 2, PID 3520)
C:\Windows\system32\sc.exe  sc config Fax start= disabled  (depth 2, PID 2884)
C:\Windows\system32\sc.exe  sc config SharedAccess start= disabled  (depth 2, PID 392)
C:\Windows\system32\sc.exe  sc config lfsvc start= disabled  (depth 2, PID 1608)
C:\Windows\system32\sc.exe  sc config WpcMonSvc start= disabled  (depth 2, PID 1948)
C:\Windows\system32\sc.exe  sc config SessionEnv start= disabled  (depth 2, PID 3536)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config MicrosoftEdgeElevationService start= disabled  (depth 2, PID 3592)
C:\Windows\system32\sc.exe  sc config edgeupdate start= disabled  (depth 2, PID 1108)
C:\Windows\system32\sc.exe  sc config edgeupdatem start= disabled  (depth 2, PID 5004)
C:\Windows\system32\sc.exe  sc config autotimesvc start= disabled  (depth 2, PID 4760)
C:\Windows\system32\sc.exe  sc config CscService start= disabled  (depth 2, PID 4040)
C:\Windows\system32\sc.exe  sc config TermService start= disabled  (depth 2, PID 4828)
C:\Windows\system32\sc.exe  sc config SensorDataService start= disabled  (depth 2, PID 3964)
C:\Windows\system32\sc.exe  sc config SensorService start= disabled  (depth 2, PID 580)
C:\Windows\system32\sc.exe  sc config SensrSvc start= disabled  (depth 2, PID 2132)
C:\Windows\system32\sc.exe  sc config shpamsvc start= disabled  (depth 2, PID 4900)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config diagnosticshub.standardcollector.service start= disabled  (depth 2, PID 4052)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config PhoneSvc start= disabled  (depth 2, PID 5040)
C:\Windows\system32\sc.exe  sc config TapiSrv start= disabled  (depth 2, PID 4468)
C:\Windows\system32\sc.exe  sc config UevAgentService start= disabled  (depth 2, PID 3880)
C:\Windows\system32\sc.exe  sc config WalletService start= disabled  (depth 2, PID 5084)
C:\Windows\system32\sc.exe  sc config TokenBroker start= disabled  (depth 2, PID 912)
C:\Windows\system32\sc.exe  sc config WebClient start= disabled  (depth 2, PID 4300)
C:\Windows\system32\sc.exe  sc config MixedRealityOpenXRSvc start= disabled  (depth 2, PID 4988)
C:\Windows\system32\sc.exe  sc config stisvc start= disabled  (depth 2, PID 4128)
C:\Windows\system32\sc.exe  sc config WbioSrvc start= disabled  (depth 2, PID 1008)
C:\Windows\system32\sc.exe  sc config icssvc start= disabled  (depth 2, PID 2156)
C:\Windows\system32\sc.exe  sc config Wecsvc start= disabled  (depth 2, PID 984)
C:\Windows\system32\sc.exe  sc config XboxGipSvc start= disabled  (depth 2, PID 3368)
C:\Windows\system32\sc.exe  sc config XblAuthManager start= disabled  (depth 2, PID 3664)
C:\Windows\system32\sc.exe  sc config XboxNetApiSvc start= disabled  (depth 2, PID 4660)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config XblGameSave start= disabled  (depth 2, PID 4716)
C:\Windows\system32\sc.exe  sc config SEMgrSvc start= disabled  (depth 2, PID 1932)
C:\Windows\system32\sc.exe  sc config iphlpsvc start= disabled  (depth 2, PID 4156)
C:\Windows\system32\sc.exe  sc config Backupper Service start= disabled  (depth 2, PID 4404)
C:\Windows\system32\sc.exe  sc config BthAvctpSvc start= disabled  (depth 2, PID 2392)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config BDESVC start= disabled  (depth 2, PID 2660)
C:\Windows\system32\sc.exe  sc config cbdhsvc start= disabled  (depth 2, PID 3116)
C:\Windows\system32\sc.exe  sc config CDPSvc start= disabled  (depth 2, PID 3392)
C:\Windows\system32\sc.exe  sc config CDPUserSvc start= disabled  (depth 2, PID 416)
C:\Windows\system32\sc.exe  sc config DevQueryBroker start= disabled  (depth 2, PID 2548)
C:\Windows\system32\sc.exe  sc config DevicesFlowUserSvc start= disabled  (depth 2, PID 4336)
C:\Windows\system32\sc.exe  sc config dmwappushservice start= disabled  (depth 2, PID 5052)
C:\Windows\system32\sc.exe  sc config DispBrokerDesktopSvc start= disabled  (depth 2, PID 5024)
C:\Windows\system32\sc.exe  sc config TrkWks start= disabled  (depth 2, PID 1808)
C:\Windows\system32\sc.exe  sc config dLauncherLoopback start= disabled  (depth 2, PID 3996)
C:\Windows\system32\sc.exe  sc config EFS start= disabled  (depth 2, PID 4512)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config fdPHost start= disabled  (depth 2, PID 3068)
C:\Windows\system32\sc.exe  sc config FDResPub start= disabled  (depth 2, PID 128)
C:\Windows\system32\sc.exe  sc config IKEEXT start= disabled  (depth 2, PID 5044)
C:\Windows\system32\sc.exe  sc config NPSMSvc start= disabled  (depth 2, PID 5100)
C:\Windows\system32\sc.exe  sc config WPDBusEnum start= disabled  (depth 2, PID 2972)
C:\Windows\system32\sc.exe  sc config PcaSvc start= disabled  (depth 2, PID 3624)
C:\Windows\system32\sc.exe  sc config RasMan start= disabled  (depth 2, PID 4776)
C:\Windows\system32\sc.exe  sc config RetailDemo start=disabled  (depth 2, PID 3076)
C:\Windows\system32\sc.exe  sc config SstpSvc start=disabled  (depth 2, PID 5104)
C:\Windows\system32\sc.exe  sc config ShellHWDetection start= disabled  (depth 2, PID 4840)
C:\Windows\system32\sc.exe  sc config SSDPSRV start= disabled  (depth 2, PID 3040)
C:\Windows\system32\sc.exe  sc config SysMain start= disabled  (depth 2, PID 4144)
- Launches sc.exe
C:\Windows\system32\sc.exe  sc config OneSyncSvc start= disabled  (depth 2, PID 3316)
C:\Windows\system32\sc.exe  sc config lmhosts start= disabled  (depth 2, PID 3400)
C:\Windows\system32\sc.exe  sc config UserDataSvc start= disabled  (depth 2, PID 3048)
C:\Windows\system32\sc.exe  sc config UnistoreSvc start= disabled  (depth 2, PID 344)
C:\Windows\system32\sc.exe  sc config Wcmsvc start= disabled  (depth 2, PID 4240)
C:\Windows\system32\sc.exe  sc config FontCache start= disabled  (depth 2, PID 3148)
C:\Windows\system32\sc.exe  sc config W32Time start= disabled  (depth 2, PID 3056)
C:\Windows\system32\sc.exe  sc config tzautoupdate start= disabled  (depth 2, PID 1656)
C:\Windows\system32\sc.exe  sc config DsSvc start= disabled  (depth 2, PID 4408)
C:\Windows\system32\sc.exe  sc config DevicesFlowUserSvc_5f1ad start= disabled  (depth 2, PID 1564)
C:\Windows\system32\sc.exe  sc config diagsvc start= disabled  (depth 2, PID 2264)
C:\Windows\system32\sc.exe  sc config DialogBlockingService start= disabled  (depth 2, PID 2348)
C:\Windows\system32\sc.exe  sc config PimIndexMaintenanceSvc_5f1ad start= disabled  (depth 2, PID 4552)
C:\Windows\system32\sc.exe  sc config MessagingService_5f1ad start= disabled  (depth 2, PID 4464)
C:\Windows\system32\sc.exe  sc config AppVClient start= disabled  (depth 2, PID 4116)
C:\Windows\system32\sc.exe  sc config MsKeyboardFilter start= disabled  (depth 2, PID 2844)
C:\Windows\system32\sc.exe  sc config NetTcpPortSharing start= disabled  (depth 2, PID 2792)
C:\Windows\system32\sc.exe  sc config ssh-agent start= disabled  (depth 2, PID 4624)
C:\Windows\system32\sc.exe  sc config SstpSvc start= disabled  (depth 2, PID 2032)
C:\Windows\system32\sc.exe  sc config OneSyncSvc_5f1ad start= disabled  (depth 2, PID 3816)
C:\Windows\system32\sc.exe  sc config wercplsupport start= disabled  (depth 2, PID 812)
C:\Windows\system32\sc.exe  sc config WMPNetworkSvc start= disabled  (depth 2, PID 1836)
C:\Windows\system32\sc.exe  sc config WerSvc start= disabled  (depth 2, PID 2764)
C:\Windows\system32\sc.exe  sc config WpnUserService_5f1ad start= disabled  (depth 2, PID 4816)
C:\Windows\system32\sc.exe  sc config WinHttpAutoProxySvc start= disabled  (depth 2, PID 1848)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "AMDInstallLauncher" /f  (depth 2, PID 2820)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "AMDLinkUpdate" /f  (depth 2, PID 1912)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f  (depth 2, PID 3736)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f  (depth 2, PID 1488)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "ModifyLinkUpdate" /f  (depth 2, PID 5048)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "SoftMakerUpdater" /f  (depth 2, PID 4056)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "StartCN" /f  (depth 2, PID 2460)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "StartDVR" /f  (depth 2, PID 1480)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable  (depth 2, PID 4428)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable  (depth 2, PID 1388)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable  (depth 2, PID 1476)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable  (depth 2, PID 5112)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable  (depth 2, PID 1948)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable  (depth 2, PID 488)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable  (depth 2, PID 2740)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable  (depth 2, PID 1548)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable  (depth 2, PID 4760)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable  (depth 2, PID 3848)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable  (depth 2, PID 2852)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable  (depth 2, PID 2468)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable  (depth 2, PID 752)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable  (depth 2, PID 1104)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable  (depth 2, PID 3744)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable  (depth 2, PID 5040)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable  (depth 2, PID 2060)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable  (depth 2, PID 1364)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable  (depth 2, PID 1600)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable  (depth 2, PID 4852)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable  (depth 2, PID 4940)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable  (depth 2, PID 1008)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable  (depth 2, PID 4104)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable  (depth 2, PID 4656)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable  (depth 2, PID 3664)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable  (depth 2, PID 2192)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable  (depth 2, PID 564)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable  (depth 2, PID 1084)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable  (depth 2, PID 4772)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable  (depth 2, PID 440)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable  (depth 2, PID 2676)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable  (depth 2, PID 1776)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable  (depth 2, PID 1176)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable  (depth 2, PID 416)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable  (depth 2, PID 2548)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable  (depth 2, PID 1036)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable  (depth 2, PID 1800)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable  (depth 2, PID 3228)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable  (depth 2, PID 5108)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable  (depth 2, PID 2148)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable  (depth 2, PID 5080)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable  (depth 2, PID 128)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable  (depth 2, PID 2228)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable  (depth 2, PID 280)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable  (depth 2, PID 2344)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable  (depth 2, PID 252)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable  (depth 2, PID 1940)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable  (depth 2, PID 5104)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable  (depth 2, PID 4840)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable  (depth 2, PID 3040)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable  (depth 2, PID 4144)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable  (depth 2, PID 3316)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable  (depth 2, PID 3400)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable  (depth 2, PID 2508)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable  (depth 2, PID 3820)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable  (depth 2, PID 2752)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable  (depth 2, PID 3104)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable  (depth 2, PID 3444)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable  (depth 2, PID 1700)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable  (depth 2, PID 4008)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable  (depth 2, PID 1220)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable  (depth 2, PID 4272)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable  (depth 2, PID 4552)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable  (depth 2, PID 2828)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable  (depth 2, PID 3580)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable  (depth 2, PID 3236)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable  (depth 2, PID 4624)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable  (depth 2, PID 2032)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable  (depth 2, PID 4388)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable  (depth 2, PID 664)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable  (depth 2, PID 2764)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable  (depth 2, PID 4816)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable  (depth 2, PID 1848)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable  (depth 2, PID 4068)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable  (depth 2, PID 4456)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable  (depth 2, PID 784)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable  (depth 2, PID 4628)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable  (depth 2, PID 2452)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 1000)
- Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc stop uhssvc  (depth 2, PID 1188)
C:\Windows\system32\sc.exe  sc stop upfc  (depth 2, PID 3952)
C:\Windows\system32\sc.exe  sc stop PushToInstall  (depth 2, PID 2072)
C:\Windows\system32\sc.exe  sc stop BITS  (depth 2, PID 2884)
C:\Windows\system32\sc.exe  sc stop InstallService  (depth 2, PID 1984)
C:\Windows\system32\sc.exe  sc stop uhssvc  (depth 2, PID 1476)
C:\Windows\system32\sc.exe  sc stop UsoSvc  (depth 2, PID 1608)
C:\Windows\system32\sc.exe  sc stop wuauserv  (depth 2, PID 4544)
C:\Windows\system32\sc.exe  sc stop LanmanServer  (depth 2, PID 4856)
C:\Windows\system32\sc.exe  sc config BITS start= disabled  (depth 2, PID 488)
C:\Windows\system32\sc.exe  sc config InstallService start= disabled  (depth 2, PID 5004)
C:\Windows\system32\sc.exe  sc config uhssvc start= disabled  (depth 2, PID 4040)
C:\Windows\system32\sc.exe  sc config UsoSvc start= disabled  (depth 2, PID 3828)
C:\Windows\system32\sc.exe  sc config wuauserv start= disabled  (depth 2, PID 4084)
C:\Windows\system32\sc.exe  sc config LanmanServer start= disabled  (depth 2, PID 2852)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 1636)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f  (depth 2, PID 3496)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 2680)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f  (depth 2, PID 4052)
- Modifies security service
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 3044)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f  (depth 2, PID 3880)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 5084)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 912)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f  (depth 2, PID 4988)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f  (depth 2, PID 4128)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f  (depth 2, PID 4172)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f  (depth 2, PID 4508)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f  (depth 2, PID 3368)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable  (depth 2, PID 4660)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable  (depth 2, PID 2412)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable  (depth 2, PID 1732)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable  (depth 2, PID 3336)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable  (depth 2, PID 4896)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable  (depth 2, PID 2392)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable  (depth 2, PID 2660)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable  (depth 2, PID 3116)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable  (depth 2, PID 4956)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable  (depth 2, PID 4164)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable  (depth 2, PID 4972)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable  (depth 2, PID 1344)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 808)
- Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config RemoteRegistry start= disabled  (depth 2, PID 3228)
C:\Windows\system32\sc.exe  sc config RemoteAccess start= disabled  (depth 2, PID 3996)
C:\Windows\system32\sc.exe  sc config WinRM start= disabled  (depth 2, PID 2340)
C:\Windows\system32\sc.exe  sc config RmSvc start= disabled  (depth 2, PID 3068)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 5080)
- Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config PrintNotify start= disabled  (depth 2, PID 128)
C:\Windows\system32\sc.exe  sc config Spooler start= disabled  (depth 2, PID 5056)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable  (depth 2, PID 2972)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable  (depth 2, PID 2096)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 4036)
- Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config PrintNotify start= disabled  (depth 2, PID 4520)
C:\Windows\system32\sc.exe  sc config Spooler start= disabled  (depth 2, PID 4704)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 1944)
- Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config NlaSvc start= disabled  (depth 2, PID 2260)
C:\Windows\system32\sc.exe  sc config LanmanWorkstation start= disabled  (depth 2, PID 3040)
C:\Windows\system32\sc.exe  sc config BFE start= demand  (depth 2, PID 1092)
C:\Windows\system32\sc.exe  sc config Dnscache start= demand  (depth 2, PID 3800)
C:\Windows\system32\sc.exe  sc config WinHttpAutoProxySvc start= demand  (depth 2, PID 3316)
C:\Windows\system32\sc.exe  sc config Dhcp start= auto  (depth 2, PID 4964)
C:\Windows\system32\sc.exe  sc config DPS start= auto  (depth 2, PID 1736)
C:\Windows\system32\sc.exe  sc config lmhosts start= disabled  (depth 2, PID 1500)
C:\Windows\system32\sc.exe  sc config nsi start= auto  (depth 2, PID 3148)
C:\Windows\system32\sc.exe  sc config Wcmsvc start= disabled  (depth 2, PID 3056)
C:\Windows\system32\sc.exe  sc config Winmgmt start= auto  (depth 2, PID 1656)
C:\Windows\system32\sc.exe  sc config WlanSvc start= demand  (depth 2, PID 4408)
- Launches sc.exe
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f  (depth 2, PID 1700)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f  (depth 2, PID 4008)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable  (depth 2, PID 1220)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable  (depth 2, PID 4272)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable  (depth 2, PID 2200)
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable2⤵PID:4552
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3580 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:3236
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4624 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:2032
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4388 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:664
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2764 -
C:\Windows\system32\sc.exesc config ALG start=disabled2⤵PID:4816
-
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵PID:4916
-
C:\Windows\system32\sc.exesc config XblAuthManager start=disabled2⤵PID:2352
-
C:\Windows\system32\sc.exesc config XblGameSave start=disabled2⤵PID:2704
-
C:\Windows\system32\sc.exesc config XboxNetApiSvc start=disabled2⤵
- Launches sc.exe
PID:4664 -
C:\Windows\system32\sc.exesc config WSearch start=disabled2⤵
- Launches sc.exe
PID:2820 -
C:\Windows\system32\sc.exesc config lfsvc start=disabled2⤵PID:5048
-
C:\Windows\system32\sc.exesc config RemoteRegistry start=disabled2⤵PID:4792
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=disabled2⤵PID:1000
-
C:\Windows\system32\sc.exesc config SEMgrSvc start=disabled2⤵
- Launches sc.exe
PID:1188 -
C:\Windows\system32\sc.exesc config SCardSvr start=disabled2⤵PID:3584
-
C:\Windows\system32\sc.exesc config Netlogon start=disabled2⤵PID:2712
-
C:\Windows\system32\sc.exesc config CscService start=disabled2⤵PID:4184
-
C:\Windows\system32\sc.exesc config icssvc start=disabled2⤵
- Launches sc.exe
PID:8 -
C:\Windows\system32\sc.exesc config wisvc start=disabled2⤵PID:2952
-
C:\Windows\system32\sc.exesc config RetailDemo start=disabled2⤵PID:5112
-
C:\Windows\system32\sc.exesc config WalletService start=disabled2⤵PID:1948
-
C:\Windows\system32\sc.exesc config Fax start=disabled2⤵PID:4856
-
C:\Windows\system32\sc.exesc config WbioSrvc start=disabled2⤵PID:2912
-
C:\Windows\system32\sc.exesc config iphlpsvc start=disabled2⤵PID:1108
-
C:\Windows\system32\sc.exesc config wcncsvc start=disabled2⤵PID:488
-
C:\Windows\system32\sc.exesc config fhsvc start=disabled2⤵PID:2740
-
C:\Windows\system32\sc.exesc config PhoneSvc start=disabled2⤵PID:1604
-
C:\Windows\system32\sc.exesc config seclogon start=disabled2⤵PID:3120
-
C:\Windows\system32\sc.exesc config FrameServer start=disabled2⤵PID:4760
-
C:\Windows\system32\sc.exesc config WbioSrvc start=disabled2⤵PID:3848
-
C:\Windows\system32\sc.exesc config StiSvc start=disabled2⤵PID:3828
-
C:\Windows\system32\sc.exesc config PcaSvc start=disabled2⤵PID:4084
-
C:\Windows\system32\sc.exesc config DPS start=disabled2⤵PID:2852
-
C:\Windows\system32\sc.exesc config MapsBroker start=disabled2⤵PID:1636
-
C:\Windows\system32\sc.exesc config bthserv start=disabled2⤵PID:3532
-
C:\Windows\system32\sc.exesc config BDESVC start=disabled2⤵PID:4836
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start=disabled2⤵PID:4468
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=disabled2⤵PID:4052
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵PID:3044
-
C:\Windows\system32\sc.exesc config CertPropSvc start=disabled2⤵
- Launches sc.exe
PID:2060 -
C:\Windows\system32\sc.exesc config WdiServiceHost start=disabled2⤵PID:432
-
C:\Windows\system32\sc.exesc config lmhosts start=disabled2⤵PID:1012
-
C:\Windows\system32\sc.exesc config WdiSystemHost start=disabled2⤵PID:2512
-
C:\Windows\system32\sc.exesc config TrkWks start=disabled2⤵PID:4988
-
C:\Windows\system32\sc.exesc config WerSvc start=disabled2⤵PID:2156
-
C:\Windows\system32\sc.exesc config TabletInputService start=disabled2⤵PID:704
-
C:\Windows\system32\sc.exesc config EntAppSvc start=disabled2⤵PID:4652
-
C:\Windows\system32\sc.exesc config Spooler start=disabled2⤵PID:2652
-
C:\Windows\system32\sc.exesc config BcastDVRUserService start=disabled2⤵PID:3664
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start=disabled2⤵PID:1932
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start=disabled2⤵PID:2412
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=disabled2⤵PID:564
-
C:\Windows\system32\sc.exesc config PNRPAutoReg start=disabled2⤵PID:1084
-
C:\Windows\system32\sc.exesc config wlidsvc start=disabled2⤵PID:4404
-
C:\Windows\system32\sc.exesc config AXInstSV start=disabled2⤵PID:2224
-
C:\Windows\system32\sc.exesc config lfsvc start=disabled2⤵PID:648
-
C:\Windows\system32\sc.exesc config NcbService start=disabled2⤵
- Launches sc.exe
PID:2660 -
C:\Windows\system32\sc.exesc config DeviceAssociationService start=disabled2⤵PID:3340
-
C:\Windows\system32\sc.exesc config StorSvc start=disabled2⤵PID:1176
-
C:\Windows\system32\sc.exesc config TieringEngineService start=disabled2⤵PID:4336
-
C:\Windows\system32\sc.exesc config DPS start=disabled2⤵PID:244
-
C:\Windows\system32\sc.exesc config Themes start=disabled2⤵PID:5024
-
C:\Windows\system32\sc.exesc config AppReadiness start=disabled2⤵
- Launches sc.exe
PID:1344 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:808 -
C:\Windows\system32\sc.exesc config HvHost start=disabled2⤵
- Launches sc.exe
PID:3124 -
C:\Windows\system32\sc.exesc config vmickvpexchange start=disabled2⤵
- Launches sc.exe
PID:4000 -
C:\Windows\system32\sc.exesc config vmicguestinterface start=disabled2⤵PID:2148
-
C:\Windows\system32\sc.exesc config vmicshutdown start=disabled2⤵
- Launches sc.exe
PID:3380 -
C:\Windows\system32\sc.exesc config vmicheartbeat start=disabled2⤵PID:336
-
C:\Windows\system32\sc.exesc config vmicvmsession start=disabled2⤵PID:5100
-
C:\Windows\system32\sc.exesc config vmicrdv start=disabled2⤵PID:1328
-
C:\Windows\system32\sc.exesc config vmictimesync start=disabled2⤵PID:5056
-
C:\Windows\system32\sc.exesc config vmicvss start=disabled2⤵PID:1076
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4600 -
C:\Windows\system32\sc.exesc config edgeupdate start=disabled2⤵PID:1780
-
C:\Windows\system32\sc.exesc config edgeupdatem start=disabled2⤵PID:1940
-
C:\Windows\system32\sc.exesc config GoogleChromeElevationService start=disabled2⤵PID:1140
-
C:\Windows\system32\sc.exesc config gupdate start=disabled2⤵PID:4976
-
C:\Windows\system32\sc.exesc config gupdatem start=disabled2⤵PID:5096
-
C:\Windows\system32\sc.exesc config BraveElevationService start=disabled2⤵PID:2760
-
C:\Windows\system32\sc.exesc config brave start=disabled2⤵PID:4788
-
C:\Windows\system32\sc.exesc config bravem start=disabled2⤵PID:3040
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1092 -
C:\Windows\system32\sc.exesc config NcbService start=disabled2⤵PID:3048
-
C:\Windows\system32\sc.exesc config jhi_service start=disabled2⤵
- Launches sc.exe
PID:3400 -
C:\Windows\system32\sc.exesc config WMIRegistrationService start=disabled2⤵PID:448
-
C:\Windows\system32\sc.exesc config "Intel(R) TPM Provisioning Service" start=disabled2⤵PID:4240
-
C:\Windows\system32\sc.exesc config ipfsvc start=disabled2⤵
- Launches sc.exe
PID:1448 -
C:\Windows\system32\sc.exesc config igccservice start=disabled2⤵
- Launches sc.exe
PID:3804 -
C:\Windows\system32\sc.exesc config cplspcon start=disabled2⤵PID:3444
-
C:\Windows\system32\sc.exesc config esifsvc start=disabled2⤵PID:1656
-
C:\Windows\system32\sc.exesc config LMS start=disabled2⤵PID:1564
-
C:\Oneclick Tools\NSudo\NSudoLG.exe"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2264 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1220 -
C:\Oneclick Tools\NSudo\NSudoLG.exe"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4272 -
C:\Windows\system32\schtasks.exeschtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable2⤵PID:2056
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable2⤵PID:2332
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable2⤵PID:4596
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable2⤵PID:3816
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable2⤵PID:2880
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleaner Update" /Disable2⤵PID:1484
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleanerCrashReporting" /Disable2⤵PID:2720
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable2⤵PID:1240
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable2⤵PID:4816
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable2⤵PID:4916
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable2⤵PID:2352
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable2⤵PID:2704
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable2⤵PID:4232
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable2⤵PID:4196
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable2⤵PID:4056
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable2⤵PID:2460
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable2⤵PID:1188
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable2⤵PID:1388
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable2⤵PID:1560
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable2⤵PID:1984
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable2⤵PID:2952
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable2⤵PID:3592
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F2⤵PID:2916
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F2⤵PID:2904
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F2⤵PID:3188
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F2⤵PID:488
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F2⤵PID:1512
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleaner Update" /F2⤵PID:5004
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleanerCrashReporting" /F2⤵PID:2668
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F2⤵PID:3848
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F2⤵PID:1128
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2132 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:752 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4940 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2156 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:704 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4652 -
C:\Windows\system32\taskkill.exetaskkill /f /im msedge.exe2⤵
- Kills process with taskkill
PID:2652 -
C:\Windows\system32\taskkill.exetaskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"2⤵
- Kills process with taskkill
PID:3808 -
C:\Windows\system32\taskkill.exetaskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"2⤵
- Kills process with taskkill
PID:4772 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:648 -
C:\Windows\system32\taskkill.exetaskkill.exe /F /IM "OneDrive.exe"2⤵
- Kills process with taskkill
PID:2092 -
C:\Windows\system32\taskkill.exetaskkill.exe /F /IM "explorer.exe"2⤵
- Kills process with taskkill
PID:1972 -
C:\Windows\system32\reg.exereg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f2⤵PID:2148
-
C:\Windows\system32\reg.exereg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f2⤵
- Modifies registry class
PID:5044 -
C:\Windows\system32\reg.exereg load "hku\Default" "C:\Users\Default\NTUSER.DAT"2⤵PID:5100
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f2⤵PID:280
-
C:\Windows\system32\reg.exereg unload "hku\Default"2⤵PID:4776
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn "OneDrive*" /f2⤵PID:2788
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:252 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1780 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\UsoClient.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2764 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1912 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1236 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5064 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:4628
-
C:\Windows\system32\taskkill.exetaskkill /F /IM WidgetService.exe2⤵
- Kills process with taskkill
PID:4540 -
C:\Windows\system32\taskkill.exetaskkill /F /IM Widgets.exe2⤵
- Kills process with taskkill
PID:4248 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f2⤵PID:4688
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f2⤵PID:3976
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3948 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\smartscreen.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4756 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3780 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4008 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3004 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2324 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4856 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4848 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:4164
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:4532
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3740 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1200 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3088 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4584 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2320 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4628 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:848 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\taskhostw.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2652 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\taskhostw.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2724 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3756 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:3768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Needed if you''d like to Search things!' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3844 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:4700
-
C:\Windows\system32\curl.execurl -s -L "https://github.com/Open-Shell/Open-Shell-Menu/releases/download/v4.4.191/OpenShellSetup_4_4_191.exe" -o "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"2⤵PID:4732
-
C:\Windows\system32\curl.execurl -s -L "https://github.com/QuakedK/Downloads/raw/main/Menu_Settings_1.xml" -o "C:\Oneclick Tools\Open Shell\Menu_Settings_1.xml"2⤵PID:4780
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4464 -
C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"3⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:4916 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:1780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Do not skip if you want to Search things' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1240 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic startup get caption /format:list2⤵PID:3528
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption /format:list3⤵PID:3784
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f2⤵
- Adds Run key to start application
PID:4112 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f2⤵
- Adds Run key to start application
PID:4676 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "yjdn8r " /t REG_SZ /d "" /f2⤵
- Adds Run key to start application
PID:4180 -
C:\Windows\system32\timeout.exetimeout 22⤵PID:4356
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:4236 -
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:4360 -
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f2⤵PID:4800
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:3968 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:3356 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:5104 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f2⤵PID:4464
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:5048 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2764 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:4816
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:768 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:868 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4800 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:5064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:3944 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:4808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:336 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:1200 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"2⤵PID:4180
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"2⤵PID:5028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"2⤵PID:1240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:3640 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:3452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2516 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:4236 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"2⤵PID:5048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"2⤵PID:1180
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"2⤵PID:1036
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"2⤵
- Command and Scripting Interpreter: PowerShell
PID:2404 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"
  PID: 5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"
  PID: 1872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"
  PID: 4160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"
  PID: 3460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
  PID: 652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"
  PID: 1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"
  PID: 1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"
  PID: 1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"
  PID: 4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  PID: 4348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  PID: 1572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  PID: 4968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"
  PID: 4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"
  PID: 4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"
  PID: 3700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MinecraftUWP* | Remove-AppxPackage"
  PID: 1364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Wallet* | Remove-AppxPackage"
  PID: 1972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 3556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage"
  PID: 3460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage"
  PID: 3832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneVideo* | Remove-AppxPackage"
  PID: 4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsCalculator* | Remove-AppxPackage"
  PID: 4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage"
  PID: 3912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GroupMe10* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage"
  PID: 2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSaga* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSodaSaga* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ShazamEntertainmentLtd.Shazam* | Remove-AppxPackage"
  PID: 2516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Flipboard.Flipboard* | Remove-AppxPackage"
  PID: 1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *9E2F88E3.Twitter* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ClearChannelRadioDigital.iHeartRadio* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 4816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *D5EA27B7.Duolingo-LearnLanguagesforFree* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 2628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshopExpress* | Remove-AppxPackage"
  PID: 844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
  Command line: PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *PandoraMediaInc.29680B314EFC2* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  PID: 2148

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe (depth 1)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID: 5052

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
  PID: 3320

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 2144

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
  PID: 5060

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe (depth 1)
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 4056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (depth 1)
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
  PID: 1000

C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID: 3668

C:\Windows\system32\srtasks.exe (depth 2)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 3884

C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID: 3080

C:\Windows\System32\MsiExec.exe (depth 2)
  Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID: 4784

C:\Windows\syswow64\MsiExec.exe (depth 2)
  Command line: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 3404

C:\Windows\System32\MsiExec.exe (depth 2)
  Command line: "C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  PID: 4488

C:\Program Files\Open-Shell\StartMenu.exe (depth 2)
  Command line: "C:\Program Files\Open-Shell\StartMenu.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID: 4060

C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID: 4080

C:\Windows\SysWOW64\DllHost.exe (depth 1)
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
  PID: 2020
Network
MITRE ATT&CK Enterprise v15 (number of matching signatures in parentheses)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (2)
    Service Execution (2)

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Browser Extensions (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Component Object Model Hijacking (1)
  Power Settings (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (2)
    Change Default File Association (1)
    Component Object Model Hijacking (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  File and Directory Permissions Modification (2)
    Windows File and Directory Permissions Modification (1)
  Hide Artifacts (2)
    Hidden Files and Directories (1)
    Ignore Process Interrupts (1)
  Impair Defenses (3)
    Disable or Modify Tools (2)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (11)
Downloads
- Filesize: 20KB
  MD5: 7eef2fdada1173b30f213379739171a6
  SHA1: da287c86f954b44c821257c733eb95460e7b3300
  SHA256: 2a072d6b3dc4466d4a5d8956966d7bd3e844edd7266889a72a4f66de6b8d6225
  SHA512: 0ce789bfaf5d72fc776a234651a90ae7591dade00774191f3115c9831a9cbdb5df55c1e77c181181125b6e2c311c1dc5f34212340b375697a191fdff7e36983b

- Filesize: 564KB
  MD5: d2be90c23063c07c5bf6e02c9400ac35
  SHA1: c2ca99de035c17ba9b7912c26725efffe290b1db
  SHA256: 9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
  SHA512: 13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

- Filesize: 174KB
  MD5: 423129ddb24fb923f35b2dd5787b13dd
  SHA1: 575e57080f33fa87a8d37953e973d20f5ad80cfd
  SHA256: 5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
  SHA512: d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

- Filesize: 1.9MB
  MD5: 4803e06db91fdb8b6d1b65c0010d2f87
  SHA1: f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c
  SHA256: beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b
  SHA512: f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

- Filesize: 2KB
  MD5: 109f47ced5da3f92362c49069fc4624e
  SHA1: 79b611073aa0006f1bb4058a6ecb6f3cc97391d6
  SHA256: 2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b
  SHA512: 55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

- Filesize: 7.9MB
  MD5: e0484fd1e79a0227a5923cdc95b511ba
  SHA1: bea0cb5c42adbde14e8cf50b64982e1877c7855d
  SHA256: 9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c
  SHA512: 80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431

- Filesize: 863KB
  MD5: a805193aed76942c667a798f9dd721fc
  SHA1: 3d2f702b16cb22d5918f6d51585a871fb3b3f900
  SHA256: 97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89
  SHA512: 0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

- Filesize: 964KB
  MD5: 950ff69adc1b8eec1bd8d502615b0ba6
  SHA1: edb3916b7ada6aa0e765c6f70c39e182b8d45dfd
  SHA256: 9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e
  SHA512: f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

- Filesize: 179KB
  MD5: c3c68d52fc3318e324021dab87e60779
  SHA1: 6855eabb6c38ff953c8c678473c6dd4ab9315f30
  SHA256: fed5e80a82f9a4a687fccdc0c610902e4b5b75faf5a9588a22918711f103689a
  SHA512: e506e39e036263db610f8fa33f35f9d708d4d52c16f801e58348ea8cc095ee8a0056f80b9d9c0bf8fde3ff76e61c2933504727e9dce1fafda91fde71c196635d

- Filesize: 98KB
  MD5: 6ed13b9c1719b252e735ba7e33280e67
  SHA1: f3753deab4d99dbee4821a8a70fe6e978e1a45f6
  SHA256: b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab
  SHA512: f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

- Filesize: 1KB
  MD5: f63c8bb4c3554919fcefdb1849b9c901
  SHA1: a12d430bff937e92e34de55cb04cf39edaa9c99c
  SHA256: 67a46f6a82f2940358fe388ce83ca825e359601617932917f2b5981d27ecf23d
  SHA512: 7348f0b45e4cd2f277684f241f65ac7ef281b0f9bfcdc5aecd41073b21c4cd52845db6e6826c3ede2c674ce710bcacbf9f03d9dca0fe5f1d3617f2905e6a131a

- Filesize: 1KB
  MD5: b4d1d9706a6488b120b078bc04bb34f1
  SHA1: f5c6fec8f0ba4973c434fa16230f121d95e87d29
  SHA256: 91e0fc512cbcbd050a88a6184bd62559843338e0f46db2c0b0b74602c3a8ee5b
  SHA512: 790d8cae62b412d1be68f43234e063f49469dee6f6f29a09e6d737515293d618dc7e9bd4e78099e66c305a3b5a0b735154bedf5e8564065f5312a07bc63dc9d3

- Filesize: 1KB
  MD5: b64442dbe017c36ab3c63bb064a14602
  SHA1: b0eaec6d43c72f73d5ee0f160021e3432a10b167
  SHA256: 8ae2be024bfdb3c2077d049218f7a056dd1683986294896103090661a07739af
  SHA512: 69fb685ce6c44286cbe09bebd28460d58c701bc136ba7370854f8dd99b944a49d534bc9056ed956ed19021b6aad64be90a65ad50e53a7977dbe98f2f87d13e4b
- Filesize: 2KB
  MD5: 9c9528fa6730e61a121502e20703bf83
  SHA1: e21af9b21215f05bf235e48ae7b503c11b2c5f47
  SHA256: 0fd7a56115054db9b33d4b33ac5b13ad421b02519e750789aba117552b2d1c65
  SHA512: d2bc868d1a25bffc52f8c27b4ad55b115357de69ad4f0bac4d4f6a8471071897d669f907e20e6b320fd1ce05e0544d412428d01925b4aea687f8487751df325a

- Filesize: 2KB
  MD5: b562f585f436925cb13f95a59ecbb6ef
  SHA1: db3797d861bd8d338ba0b8f56c34ae8ae715e9d0
  SHA256: f70bf848a23448d7d0b2b85c287ca61fa2a9e2e4a8b8ce16834803e657dcd5f5
  SHA512: f08f627a73d0d114dc183e816795c531dc985272da0b8784769aa744f8979e5a6d7214156fbc0306fd06cd573cc80a8715c629057f309db388014220250ba3c1

- Filesize: 1KB
  MD5: 4cb08d24eb6178df99ab8c1673f1c16b
  SHA1: 8d2ddf706ccf658facaec7de290c71f0edac1136
  SHA256: f16fbfeeb7aa45d159916f95e7f9deb6e9b486a2e3998990e8bf7504bbc62a73
  SHA512: 205f047cde3c041c07d552062f58d19f4a4d92642953a9c9ad5002b6cd2b99f14d494b84e3a6bac3912110b0fab8641abbdcfd49e4b2fafcce31b43b6dddc944

- Filesize: 259KB
  MD5: 9aca92d31344210995d18ac75f7df752
  SHA1: fec9f414f3c399f8384ad6a32d0b60adde85d8d9
  SHA256: df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf
  SHA512: ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

- Filesize: 2.7MB
  MD5: e29ab21b4d9266502677b9837ad23346
  SHA1: 939e7bb40623f04dd3d75f4685a543437512771a
  SHA256: 808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185
  SHA512: 7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

- Filesize: 11KB
  MD5: 29221f620ea6b5893add15dd6c307684
  SHA1: 97c31bb9585a0896e1fcea8efa3f05ff16823da2
  SHA256: 53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84
  SHA512: b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

- Filesize: 286KB
  MD5: 673bb428b6d3fab8cba07890cad09d0e
  SHA1: 45039820289bdb485bb761e9b267f6de9e18a26c
  SHA256: ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33
  SHA512: 2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

- Filesize: 500KB
  MD5: 6165bb2e4d2215f5ec4d074b6c06b72b
  SHA1: 03e13ac321eadfae93a9e72f80f30bbba811b5d8
  SHA256: 078ab5206082b7b498e3a921913cc54e8022c79c314d37baee5290f1b451e202
  SHA512: 60ad9ba86160d92f46e2b6b04a65484a55c61eadf5d02b084ac5a3fe2fd8f8f2f867baeeb854b3cd3403bea83ce29e17b02057696122caff0b021f2b0f144997

- Filesize: 1KB
  MD5: d12515cc553ee41a8291201a622e7d55
  SHA1: e098abfd71981657961e87921e8ddb947e060647
  SHA256: 0de3b5807d46569b90a00113bcd566ea0ab2854b3b4724cf4c2f120b7f4a3c03
  SHA512: 3c01b21ab657bb4dc9d2c897ce0ae67695fab9b0bc8924ea52345b1bcfdc75ad13a5998f2d081330b3724e4b98779f24376836d8faedb4595dcf0ae7e90336b9

- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe59eff4.TMP
  Filesize: 1KB
  MD5: 10c92c77cc1395d18c7a07e71faebe0e
  SHA1: 000345129ad947f9241e3329cad27a46ec86c1bc
  SHA256: a04442bc12a3932d6c105c3086db5168751174dd47b5daa2df42071aa37724ae
  SHA512: 5390e137211acb74548509595d6b45ef3786442b2ccc8c4ad5f3932b37cbfdd92fc2e2a7a0a017b3e8534fafb567ba9f37d98346eebb0e129df5c2bdb1e08a0b

- Filesize: 1KB
  MD5: 6bb002b4a2b1af0b166076680c1cc209
  SHA1: e7f29115bcec07819efb75b27515371ae76684d5
  SHA256: e96e9fb4ff150f9d4abbd911d0bd50a6302bcddfe242d51d33d7aa72b614ba55
  SHA512: 0af59006e5d5bec41312020e422c011187fa0731213f45721deb1d2146c31cf0e930cf9020aa78fb6f82727503e35130bf9b8f643de2cac094eaa6cbb73845b3

- Filesize: 1KB
  MD5: e43162b88dfb442d8da8d325e253e7d8
  SHA1: 9ea73d93c4364144f10e50480c604f32271cf785
  SHA256: be401ba1d25f5e973c3b723b9b6c30b323a65a162e9e7d324cc1898fa074e3c9
  SHA512: a39fab5869609466e22045a0170ae87ec6efccc57f040d1011e511807aa65523155ec86344566e4facea1a657a072582b647a4636bb2a8df2e8eff7b38074e73

- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe59f003.TMP
  Filesize: 1KB
  MD5: dd5bc19c671c32b99bfeb7f6db16770d
  SHA1: 443de77b886a644aa3905c27e7ef09759459d828
  SHA256: 083f68f0ccec00b932c4f6d2e4df1c08415465d6fd92ba5381462ab4737f8ff6
  SHA512: 4c357c2604e903aa848cca4494d7fed83fd5c924c0ef563c04d6e55dc59b0dec8c747554a0e364bddc3cc4349f0c17f1d4b70921f2abd00b6f5c3bda2ead350e
- Filesize: 1KB
  MD5: f330832216a4b3ba859b977e55af3d08
  SHA1: d44ba20ab38f337088404f54ae804c6b4b1dbc66
  SHA256: 886589391a1c5513eef868aa6605f91eb89c3a13c80ca8346c125587df52886d
  SHA512: 60c065cd4f2024177c70ecdcec4ed177ee9647a9bbdb10b16d7cc8c2339843e0d93f90a34eec2cd2d1c9d3ac7dcd6f69e8f03e6860fd1738f1b8f44c4f1337ee

- Filesize: 1KB
  MD5: b5bdd085c8a7fc95449280f75263c972
  SHA1: 078da115f401282fe965b114c189ccc6edeba378
  SHA256: 26a15f3f97d96a2a9638bf074329efe65e45d3771d4b1d8e354ce086d8455203
  SHA512: b2183d261662dcef2cc5276e1c2412a021e3c293465b401926e0f1aee3cfa1b5b5e5cadbb4091f791730e15183c19ba2ebed7aed385ecdf42ee5aa8d23490738

- Filesize: 1KB
  MD5: fa74aab37d847bb0207fca8198cbb2dc
  SHA1: 2577d80a0405ae05d21bc859b6f52ea82f8ae200
  SHA256: f4739df11c7c6dd92dff9fcb4169febe4418b6bdb3ebea4f0f900a3065db23dd
  SHA512: d3a770fa68ddc5575e9fb6f3f93cd43761a2e2a2b99886a99d090284e4d913fa70e647cbc191a6df0cbabf00560afdfc04be54a235997578176864fb0fe54024

- Filesize: 1KB
  MD5: 38cc738b7f3d88cd58fbf19fdb2e9697
  SHA1: b39903e05e77055959cff4264f12536ca3b4ab31
  SHA256: 32eeac963766ade3a2aae0f1d9fa83899e4585e74cc3c26d5e923ed3661914df
  SHA512: 86c1de686326a1324c0f7db4bc5a6323f29e80a5533535dad23ba35e45bbbc68afcde8896620a20d6b61482c9b695677b159fae21ceebfe16b0d788bbcdac1e0

- Filesize: 5.3MB
  MD5: cc25bc2f1b5dec7e9e7ab3289ed92cc7
  SHA1: 449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2
  SHA256: 25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313
  SHA512: e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

- Filesize: 649B
  MD5: 2fd1096d387cf32d8f141ac37d0486e2
  SHA1: e1b395599fac98a908c418e08c1d21fe91baa784
  SHA256: 2a76642cf392db582c2bbf12b45978162e2dd1d04d2384cd3b64cc0483b05728
  SHA512: 4366cf9cf48517cd0a3494b9111fee38df54850dfc2974f9daeb91dfa29e68ce5e9da661e40157fb2f18742fc6da5227d96e78b63eb552f6d5778362200b48e4

- Filesize: 216B
  MD5: b83a9f3c76d4500540bf2bb9cc0d75d6
  SHA1: 820f7bc032843178b5b58773ed2d5d4c615d5b42
  SHA256: dc88d3673083da32ad5effe43b28e62e946881bc52f307adeebcb1d8efdb6b3d
  SHA512: 55b7707a92af16078ee75f4c56e9b0dc08e3a1b85feb72a153669a8f3a39eb8aa55accb8b4340b0eceb670fc977b3d7e5bc1e16a82efa6c94c5d077fc74e451f

- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
  Filesize: 851B
  MD5: 07ffbe5f24ca348723ff8c6c488abfb8
  SHA1: 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
  SHA256: 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
  SHA512: 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
  Filesize: 854B
  MD5: 4ec1df2da46182103d2ffc3b92d20ca5
  SHA1: fb9d1ba3710cf31a87165317c6edc110e98994ce
  SHA256: 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
  SHA512: 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

- Filesize: 3KB
  MD5: 8a60e32ab7ae7f271d92069cd0ee7a50
  SHA1: de5e8719b1ef86d784f42fceb803f98a67ed4b77
  SHA256: 582be3fe0d0ff38ea01d0d92b21e77d07ed11c5333dcc4e08d6de2c77f7c4617
  SHA512: 532779c0c57ce15e6a5cbe7d16c13b6f8fd2b11319e27c54f02716821ffc3fb95796deda9b7bb23172577e09210d052ce2253fb0bc2b12d973561a241801b00c

- Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

- Filesize: 524B
  MD5: cada701c3fb446fa61aa82982795f2f1
  SHA1: 8c2177dde9faeda3e4e2f9009103c465baca9d29
  SHA256: dc235e4c785f82447d92b80f99370cded155a94c7569d080c4af2c13e1c72107
  SHA512: adcf0e55192f34cf42db59ae07c636baba4e3f06ef96a9fb1a4cb19f8bb37f5b309ac5e028fe950efef0af5b4bbb57ff479e00b003de7fafa3b40c4c19198436
- Filesize: 9KB
  MD5: 52330119e612078bad29e61de3432f6c
  SHA1: df2899c534d32cb4d548c5079ed2d18361b2e326
  SHA256: 3e8f99cf8a6fb6fbb58e57d3449ae3b3e86a5fdd074ace741a2b532ff2ed0b12
  SHA512: d6599e40e41455285b67d4cc5797a343555c3e48f4d81ccae8ac2c68cdb18a225a5459e079d91fe74d2fa319ee488876ae8b60885e8b15c11e4351a4f0c469b9

- Filesize: 15KB
  MD5: 7ec62768cad9b5cd8f0738a48c0c1ea2
  SHA1: cb53fca6be8f162aa90ee18c023378a099f3ff0e
  SHA256: a6a9deee128ceaadad49d4c1b6be9eb1c3560be1328fe55f96a2008fba023b0c
  SHA512: 3bd7b8f68973450cc4f73cb2f56a799347c15f31733e2ac596c43de3e303eb9ff8ca451746f4ac2cb9adaa1f41794ffbf46dbbb8c1172e98fbabd2b15407ba9f

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 43825e9e7ebe36d649edad32fa7fbf2d
  SHA1: c85b51527a3eb024e4c38771c7788d8aebbb6904
  SHA256: a7db46d2319547a9fa922a30036f1871637c5b1fb89a4ed3c83db71662ab71d8
  SHA512: dadaa38ab3d8a8d52ecc217f9cbe20d83787f1cc4730499bf5d1ff3052abf925f56820ce05d4493a19a8d864b0c6fc7b7b7d8a9114b7731eef7c55241d026409

- Filesize: 232KB
  MD5: 42a73e6a9723ff0d370fcf691697e5d1
  SHA1: 470f546e9c71cd2ec258d81c600095c8b5e6164d
  SHA256: 0d5ba4d985546ae31451e2f9e086e45f1ee2b5e1388a0af61a439611b6ddc9c3
  SHA512: c78a541b0c2b1014055ffe5bb94dd19881fcbe53c90f117a28f33cd47966863c0108504ff6fd81320a62225fe881240c446345fb42046165d63e39501b227fe9

- Filesize: 232KB
  MD5: 5ba73f621756353cbfd2c8dee7f88a72
  SHA1: d3e5ee6fa6ae004eab2ad5407a2970324203c55f
  SHA256: ccb50dbe90c3da56434ac669f56bfc3585cb284460bc87c69fe3d8a4c22f06f8
  SHA512: fe6060d81339d8e67075e10569ee6f68ef5dcb19ef9657b62f05f52cb6552407cba7f01a2c104957421d2da3930872306a8645d3652c86f5ee58553f3d53d688

- Filesize: 2KB
  MD5: 5f4c933102a824f41e258078e34165a7
  SHA1: d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
  SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
  SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

- Filesize: 14KB
  MD5: 69c5ff50e232f3c656abc8f433cf7a13
  SHA1: cc8584ae33fa8f4e9741011dab5878baaa13a663
  SHA256: 101e8aafd0537092bc70ee55856964d23776cc412c2c789cfa68596b9f80af54
  SHA512: 7de3c7ad32b7da8eee27ec101e919a01faffea85bf6b6ec52408fb9a9b77323be36a9b558b1907e7c5879121b944a2c94a5abd8bbfa3a2ed7cfc437e82967d86

- Filesize: 64B
  MD5: 158a72355ea99a8bc04d0b6a380cc97c
  SHA1: 750fff9e378ca754a4534371e54624f7e90b796f
  SHA256: c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c
  SHA512: 0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545

- Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

- Filesize: 1KB
  MD5: 238f0a5701700be966cc85a76ecbfc19
  SHA1: c69446816c9c6c0657e8705ca08459440b6e1d53
  SHA256: cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b
  SHA512: 791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1

- Filesize: 1KB
  MD5: cb1d69b71a38dfe81ac0d2020830faf9
  SHA1: 1f8baf6d137b5138ee40c725f9138e1cdd2a71fd
  SHA256: 5ca132239020780c2a57681b9b6960880f23c03daa982d03cb3142cb923f5001
  SHA512: dba787451922e7bd2d863ba23774d80200acf58243617d0c54e5b3941fa4a47e2c7f8ba43ed91580fdc82884db7bb22bbaec0ee9ca286faab6c1d827b62896fe

- Filesize: 948B
  MD5: eb6bbad04121efc4b28aafcfb2098c9b
  SHA1: 874882a3749c41301505e95510f761491c465073
  SHA256: bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5
  SHA512: 7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

- Filesize: 1KB
  MD5: 12ff85d31d9e76455b77e6658cb06bf0
  SHA1: 45788e71d4a7fe9fd70b2c0e9494174b01f385eb
  SHA256: 1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
  SHA512: fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f
- Filesize: 1KB
  MD5: 70c91e55fe182a7b11ff383b0dbdd172
  SHA1: b3e7063b1d6dbcd05bab520d8c54c6ee88be78b6
  SHA256: 20a2bab78c6744ab81aedd1c713053fe52d50755d347c8a667dc85f93c686a6f
  SHA512: 0f373234d24bebf1ce1d2b4ed10fb2e341aaaaac9a98000a11b5b8c9a0df969ff9af6059c14e9f41ccb8441dfb6e9933150b82a72e8c24bf2a028bd30d22038e

- Filesize: 1KB
  MD5: 69c6694442164720640e02b705a77901
  SHA1: 5804d9d4fb92f22747858460450e16675bc7d5fa
  SHA256: 5bd4f69a26431eb0c73bd02f834c4307547a5c3d81df7fa8c1ea8a8332ef48dd
  SHA512: 296877c67647f3f37e87dc3d6eb817a02d54ffdf747061e588e4b2af52f505adc2f4efaa929c357c12859d62ad5ccd514eacd342054a8e19700c393042d5ff0e

- Filesize: 1KB
  MD5: 6bfc02ee40e30ee8b3668a1a8cd74542
  SHA1: d05325b60c6e4c1bd331e89319efe02f2271b268
  SHA256: 3798b25b810408a6e503f3bfc54da533f57bffd83250d3b24b2730e34f66348f
  SHA512: 6c871a3e8017f37a65b002f88318b787d0d24d1cfb107bc66b22032857a960b6805975436b00bfcdf7874d74c8a774eb1376aaa895e38778af1f12a162cabc0a

- Filesize: 64B
  MD5: 9b367c53270b61ce59c2510a224c7a60
  SHA1: d46a8bebee55d5868e3d6f87e3ed25374919cf9f
  SHA256: ffea339ec5b5dfcd03c40c3d038684c9a5d2cdfbefd5dd6574b41a2ee3548960
  SHA512: 4eda0a5d2ecae6d0f6605558f1f64557f1cc3acd47c5e167116a4e17c4edfe19bbd407737de0eec441f166090422b2691e6452cafb3cacf10186567c980860ac

- Filesize: 1KB
  MD5: e3a924916719c590c164e2306f5b3ad4
  SHA1: 6b99d5b4cadd988deb3f825c38d3b2ca62beed11
  SHA256: a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1
  SHA512: 29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be

- Filesize: 1KB
  MD5: 47669dd6c0d2e753ccd0992c138db0a7
  SHA1: b789f0ba0657e39159f98e5fb2754025849a0063
  SHA256: 57804ceb4deb38eee4fad459587ed272337b185c2e6212dca7b6a3b87ae03aeb
  SHA512: 0b0d8a3c2cd4fd8813b385631cb8006d946b25ed82089425cde481326a4067195daa9b35fd0a0140e3f439da369355f1a773503af69c60291af07fe9550fa741

- Filesize: 1KB
  MD5: 6983528783d0ea3e72113cfcfd8daaf5
  SHA1: ddade19bbafbfe7b2a9951284f537bb30d33a672
  SHA256: 05557c990cf97ddb737175d1a6daf36258909f450269ad6f7b8b628edee9f056
  SHA512: 2de5b664f109f9c425c2da85f65e055b6f254bc42e365065898935a4e1341dde268bee6092a665568a46dcefaf6c0802ba91fb7fd6ae7f4171dbfed8cbfc7e8b

- Filesize: 1KB
  MD5: 00feb474e97fe6745ba9cbc75fde811d
  SHA1: d7cd2eca8be292ada130156aa207f2122c5204d2
  SHA256: 1f1ab4997c0836e6289cb807014ac3b70413b2bfcc798ae5ce2985d7c50db0f2
  SHA512: 2c54a293153c54bafcf712468b60d65bd0e6e2aa4f40ac2d4c4fe6ef553ecc9354b636e229369186156b4eabf798e1eca42c63fccbcb1deaec5eb9a606d684cb

- Filesize: 1KB
  MD5: 61466c046c6556310708299cb1abe443
  SHA1: 770116cd2daeaff1c54ec9e7425885c05e310c8b
  SHA256: b8e6d7b5fa92a774c17eaa681a827d203fc68022c8a877a00156bd8a63315922
  SHA512: 7b0a6741891d38cf56ebee1295d8173fe65f376e3a7851802b6d3dc2f0b8b8863a6591987bc1f06755dc4da53bc95c406fb5590be08c52adc3b4b69daee56b56

- Filesize: 1KB
  MD5: 3adfbaa5d5d4496e4189fef4a2e00352
  SHA1: 3bb83762ace5d983c75d9f9d75ab719b687c448e
  SHA256: 0f82ce7d51b010b0de3a32bc1477b25f13c83fb72fda14898a2334efb38c74f2
  SHA512: 01c226233e730a69cb6b6a5a1362550747d51088fde1ef7be49e6b1ef742a30e901d885f0c9b4e3051af545b770da6204bf6c80d3e79afec97a5a569b763b9bc

- Filesize: 1KB
  MD5: 1624adf60378c66868c872e39f5a9adb
  SHA1: ec9ab5ebc48b336f7af299817d4e17d9d12940df
  SHA256: ab50b005219cc477e64bb1af4c7dea95d87ba604ae82f5c4a04aecbace49d788
  SHA512: c66aa3871cb0fae2fbd12cb453009c685559c7869c855e1f59f20c0dd72d29f4176c3d651a1b04d6e8156bd9eeed7b56ee2bce2eb29c6706a7e04d1e3b8d9cad

- Filesize: 1KB
  MD5: c7bc4342555b23e09ede6f68f4576502
  SHA1: 46628362f569140210fba0798854e3dbaa61ab46
  SHA256: 1a969b27d2d7a726cf5fa435ad52582bb97d4dbea626a161752bcf3155fdc037
  SHA512: af46b1e90838c2c903b1fe91674c03b7fd694257fd888ce4df68178f04911620ce09942af9427d35b0d371c713a411bdcead3a899c89b5ce6ab16850622cb7b4

- Filesize: 1KB
  MD5: b04b0fca96913d10874a5a52390b575b
  SHA1: 5701469979579da2cb79a5317ef919ea596ef065
  SHA256: 723e6b5e98d4ec34df030fbf460ffb8b728e6cfd9982867ae6d03700e0dcd8a5
  SHA512: c36acae46306813344b0665b76b20553eed19a591ad0a687697fff1890b9f3d50696b4b67065d680ed4a2f5f9620bd7756709edded70e10468c71909a6e273ae

- Filesize: 1KB
  MD5: 9ba362d115132ca321e847435af8f0f4
  SHA1: 31196b7d7a2ef738bbfdd0fd3b7ba6718e7c9aa3
  SHA256: 3e7a17ab53761ff561c5b64a4ca99bb8f210aa865714dbd24c6e4839dd160702
  SHA512: 04aecf1d94ebc24b3ae641c6c151999bde6c2ad877a7274d19d656db40b1fc016502dc8e3f61659d5dea1182e89435a6891f658419c91b2df4791b33a14e8b97

- Filesize: 1KB
  MD5: 48b0bcfb2fd635484d03659c428dc094
  SHA1: f182e3c1c4a02036ca525ddf4a1075e52418f30f
  SHA256: 72f032d8ce5a0b1b412adfe48bdb292523b4efadcd789dcfa72b9ff137dedd9f
  SHA512: 5ab9cfe8a70b576eed6ab39b293af48b2be7156ca6388f5226186da5ca4ccd6df47396b2131362bfb9414aea06ed673bceac4009377a6a6292bcff180c0988b4
-
Filesize
1KB
MD5d5f601d6edc73cc35f2ae7362c97e104
SHA1278102329feb830730a86c76e9cc22cd629acb4e
SHA2567a915e699cbc9a7b5d242013125137737d3f4d2978e91117d562eb5e1ec6dfb7
SHA512711ee708bd6aac67bfd26ba0089814db49f1405310ab819cbe88fd4413eb690446c59278995147b0089a9b85aa761283911df7020c600c4edef214841ed9dd2d
-
Filesize
1KB
MD51c4ef625cf7048e125356bc43122fc35
SHA1890b43e5a6612ad1dbf0774b6f42f3d370254281
SHA256dc857a7a5e6a2b6f3d14614e289938c4df8d75505ba0ae09110dd1c3b0ba0139
SHA5120cf348a74cce20e2860d6bedf4353a23739a4e6e246927e3f977352953cb9d1db10cbb5bdb28e7440779ad71779d392644ffc4e2da7b94d5fc5d09014e54a60c
-
Filesize
1KB
MD5615eed56bbdc19aaa96df71670093290
SHA10255083e13b695cdf8ad13fd963a73dfe62220c9
SHA25624f739f4194708f41d0d633c5bf47d4ff98e46a38bd4e4f657145fe239283bb0
SHA512b2457c877ae9fa7d56b9b0c927ac1bf17f3d149cb0d3877efa730c02ffb35a4efe57c91d19268111b28ad2ebf7c166d06297cd5084a086515388578c41677ca1
-
Filesize
1KB
MD545fdc4084a7ff868a689a6aa743f816d
SHA1202dbc190ed0dc393c543b0cf4c4b35f797d91bd
SHA2563cee9652934d49f1159af85b96d8e1d2e134c55c4376f9ddd684196b9ec4af97
SHA512cea8c4540575d95246b6636097ae8a7a45c496d77c3710639703c490ba611374b9205d52acd8b24713612fa88da3e57b49d741d8619e3357077ac45c8d99e35c
-
Filesize
1KB
MD5270c4074fd0ea036e6767c03fdda910f
SHA17cfab94130d6dcbc8687ceee1a7fac3867be1280
SHA256d0e378a191abca5ae7a9a574ef18bcabbcc0aa73becedb3abe70e51a0de33868
SHA512caeff478945d5acf63b6485cdfd9d936ad6d01c4a087da976e7f7dd94962278af8fba5b1a077181ea50161333bc2991b0c68333f6ef75416bb868e86105070db
-
Filesize
1KB
MD5a6472a580676d60dd89de4d0c4ea92ff
SHA11b628eaf008b7b87ead73e964703b62e35953155
SHA2561be7146c53116b9c949ef8a21935a274d03c993d2c3aa5b11d2ff41711d93c94
SHA5122d93e363fa83015d1c5dc6fa2a0a300c9216dcf5a6b7786414b8cd0062fd994974c3a5280dea5e52668bac53635bce1220b7003e14eb83d61407a44b99da93ed
-
Filesize
1KB
MD5b4aa40f4603995842fa879395a2a763b
SHA1ebe6fdca58eceac95d2b6625678e4e7b9fc63088
SHA256f88546d1b808dea4f7517e905c615d4d577b034b443888455fac615414a3730f
SHA512a9b283c4b8ce34d106c1dd4979417159bcf181c8c7394266b101e64b2e74a013b5995edd19d0b064f3aa57ecf7b307a247c930fb46e7d1728823475831927aa8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize
351KB
MD5b7c7f2bf76b2220839af735e2b58fefc
SHA116631df5f62096b039fc1996066805721b622407
SHA256a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875
SHA5126df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed
-
Filesize
426KB
MD522c9a786f3ff34275c80876b8ac5cc10
SHA1beb6f4f28b98910b2031c37d7cec385543045614
SHA256b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca
SHA51292f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397
-
Filesize
24.6MB
MD5cafda5c0b3767e66a1c0989e7f1e1f7f
SHA1d12fe0bddb1337f3f49c19b3f28a6edfc6df8466
SHA256446b24777ba20589c217763a91fa93df1e8db8fd44d139166edb7c60177c266f
SHA512d62636957d280890d3ba1fc729d36fed119b51d8a1ff5fd113ee9af88560696e36a3396ac0951b50eb6adb1470aef22df8da66a9e146613d4d9099694683b955
-
\??\Volume{27bfae7d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7fa12de1-5d73-4572-a31a-9f6184dfa945}_OnDiskSnapshotProp
Filesize6KB
MD5986617fc90abf9aa398c605675cd0495
SHA1cf47f0f823b668da32f44f05aedfc70eb9dc10fe
SHA256c4ecf667d1d00d52be4c8c3930e1a99c6e0c5d45804654d8972d2f234361c8de
SHA51257ec8c6edc697149c495871b05356493c77d0eff4e3ee0f5d147bbc62d98fcee047ef4f92bfae31f3f3a8f08b243825d56b1071a4ad72a1e23200e5416734bdc