Analysis

max time kernel: 310s
max time network: 367s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2024 08:56
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/QuakedK/Oneclick
Resource: win10v2004-20241007-en
General

Target: https://github.com/QuakedK/Oneclick
Malware Config

Signatures
Modifies security service 2 TTPs 11 IoCs
Sets Start = 4 (SERVICE_DISABLED) on services the host's security posture depends on, so they no longer start at boot.
Processes: reg.exe (x10), OOSU10.exe
  description      ioc                                                                   process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"    reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"    reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"    reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4"    reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"  reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"    reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"    reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"  OOSU10.exe
  (mpssvc = Windows Defender Firewall, wscsvc = Security Center, WinDefend = Microsoft Defender Antivirus, wuauserv = Windows Update. The last row comes from OOSU10.exe, the O&O ShutUp10 tweaker, not from reg.exe.)

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: reg.exe
  description      ioc                                                                                                                                    process
  Set value (int)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"  reg.exe
  (HideFileExt = 0 makes Explorer show file extensions; the Windows default is 1, hidden. This is the reverse of the double-extension trick, so on its own it does not weaken the host.)

Processes: reg.exe
  description      ioc                                                                                      process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
  (EnableLUA = 0 turns User Account Control off for every user on the machine; the change takes effect after the next reboot.)

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

Blocklisted process makes network request 3 IoCs
Processes: powershell.exe
  flow  pid   process
  93    5788  powershell.exe
  94    5788  powershell.exe
  96    5788  powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 13 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: setup.exe
  description      ioc                                                                                                                                                                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"                                                                                                                                        setup.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.117\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"  setup.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"                                                                                                                          setup.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"                                                                                                                                         setup.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"                                                                                                                                      setup.exe
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components                                                                                                                                                                                                setup.exe
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}                                                                                                                                                         setup.exe
  Key created      \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components                                                                                                                                                    (process not shown; 6 rows)
  (The StubPath is chrmstp.exe, Chrome's per-user first-run configurer, written by the Chrome installer. Active Setup runs a component's StubPath once per user at logon whenever the HKLM Version is newer than the copy under that user's HKCU, which is also why the mechanism works as a persistence point.)
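How the entry above gets executed at logon, modelled in code. This is an added example and not part of the sandbox report or of the Oneclick repository: the {8A69D345-D564-463c-AFF1-A69D9E530F96} component is filled in from the table above, while the HKCU state and the two extra components are constructed here to exercise the other branches. The rules (skip IsInstalled = 0, run when the user has no copy of the component or an older Version, then copy Version into HKCU) are this example's reading of the documented Active Setup behaviour.

```python
"""Decide which Active Setup StubPaths run at a user's next logon.

Added example, not from the sandbox report or the Oneclick repository.
The Chrome component is copied from the report; the HKCU state and the two
constructed components exercise the "already applied" and "disabled" paths.
"""
from typing import Dict, List, Tuple

Component = Dict[str, object]
CHROME_GUID = "{8A69D345-D564-463c-AFF1-A69D9E530F96}"

# HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components as the report shows
# it for Chrome, plus two constructed components.
HKLM_COMPONENTS: Dict[str, Component] = {
    CHROME_GUID: {
        "": "Google Chrome",
        "StubPath": r'"C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel=stable',
        "Localized Name": "Google Chrome",
        "IsInstalled": 1,
        "Version": "43,0,0,0",
    },
    # Constructed: already applied for this user at the same version, so it stays quiet.
    "{11111111-1111-1111-1111-111111111111}": {
        "StubPath": r"C:\Example\once.exe",
        "Version": "1,0,0,0",
    },
    # Constructed: IsInstalled = 0 disables the component whatever its StubPath says.
    "{22222222-2222-2222-2222-222222222222}": {
        "StubPath": r"C:\Example\disabled.exe",
        "IsInstalled": 0,
    },
}

# Constructed HKCU\Software\Microsoft\Active Setup\Installed Components for the
# user who is logging on: only the second component has been run before.
HKCU_BEFORE: Dict[str, Component] = {
    "{11111111-1111-1111-1111-111111111111}": {"Version": "1,0,0,0"},
}


def parse_version(text: object) -> Tuple[int, ...]:
    """Active Setup versions are comma-separated integers, e.g. "43,0,0,0"."""
    if not isinstance(text, str) or not text:
        return ()
    return tuple(int(part) for part in text.split(","))


def stubs_to_run(hklm: Dict[str, Component], hkcu: Dict[str, Component]) -> List[Tuple[str, str]]:
    """(guid, StubPath) pairs the logon sequence would execute for this user."""
    runs = []
    for guid, comp in hklm.items():
        if comp.get("IsInstalled", 1) == 0:
            continue                      # explicitly disabled
        stub = comp.get("StubPath")
        if not stub:
            continue                      # nothing to execute
        user = hkcu.get(guid)
        if user is None or parse_version(comp.get("Version")) > parse_version(user.get("Version")):
            runs.append((guid, str(stub)))
    return runs


def apply_logon(hklm: Dict[str, Component], hkcu: Dict[str, Component]) -> Dict[str, Component]:
    """HKCU after logon: every executed component gets HKLM's Version copied in."""
    after = {guid: dict(values) for guid, values in hkcu.items()}
    for guid, _stub in stubs_to_run(hklm, hkcu):
        after[guid] = {"Version": hklm[guid].get("Version", "")}
    return after


if __name__ == "__main__":
    for guid, stub in stubs_to_run(HKLM_COMPONENTS, HKCU_BEFORE):
        print(f"run {guid}: {stub}")
    after = apply_logon(HKLM_COMPONENTS, HKCU_BEFORE)
    print("second logon runs:", stubs_to_run(HKLM_COMPONENTS, after))
```

The first logon runs the Chrome stub (no HKCU copy yet) and skips the other two; the second logon runs nothing, and bumping the HKLM Version makes it fire again for every user. That last property is what makes a hostile StubPath useful as persistence and what a hunt should key on: a StubPath that is not an installer's known configurer, or a Version that keeps climbing.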
Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs
Run Powershell and hide display window.
Processes: powershell.exe (11 rows carry the process name; the other 53 pids are listed without one on the page)
  pid   process
  5204  powershell.exe
  6696  powershell.exe
  5092  powershell.exe
  432   powershell.exe
  4348  powershell.exe
  5252  powershell.exe
  6112  powershell.exe
  1768  powershell.exe
  5172  powershell.exe
  6328  powershell.exe
  5788  powershell.exe
  pids without a process name: 6276, 3552, 5268, 1592, 6984, 6828, 6012, 3992, 4528, 4180, 2216, 5264, 5196, 6308, 4780, 6424, 4528, 6972, 5100, 6308, 6808, 4776, 6224, 5748, 3676, 3732, 5848, 6216, 6636, 3984, 4696, 4364, 1768, 3140, 6552, 4680, 4056, 4260, 3440, 1616, 3508, 3572, 3136, 7012, 3128, 4720, 4944, 4956, 2200, 5580, 3604, 4080, 908

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
Processes: GoogleUpdate.exe
  description      ioc                                                                                                                                          process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe                                  GoogleUpdate.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"  GoogleUpdate.exe
  (No Debugger value is written. DisableExceptionChainValidation = 0 switches SEHOP on for GoogleUpdate.exe's own image, a hardening step the updater applies to itself, not the debugger hijack this signature is named for.)

Possible privilege escalation attempt 17 IoCs
Processes: icacls.exe
  pid: 2020, 5920, 556, 1528, 1332, 4808, 7072, 232 (icacls.exe), 2184, 400, 6092, 7092, 6520, 5492, 5912, 3264, 412
  (Only pid 232 carries the process name on the page; no icacls command lines are recorded, so which ACLs were changed cannot be read from this table.)

Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: GoogleUpdate.exe, chrome.exe (x8)
  description        ioc                                                                                                   process
  Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  GoogleUpdate.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  chrome.exe (8 rows)
  (All nine reads come from the Google Update and Chrome binaries installed during the run, which read the country code for locale selection; the geofence wording is the sandbox's generic text for this key.)

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE 44 IoCs
Processes (pid by image):
  GoogleUpdate.exe: 232, 5512, 2916, 6024, 4776, 5300, 3292, 5576
  GoogleUpdateComRegisterShell64.exe: 5996, 6016, 432
  130.0.6723.117_chrome_installer.exe: 5640
  setup.exe: 552, 2900, 5704, 5588
  GoogleUpdateOnDemand.exe: 324
  chrome.exe: 5484, 4816, 1036, 5832, 5768, 3872, 3528, 1940, 5644, 2324, 64, 3636, 2600, 2100, 5152, 6660, 6412, 5812
  elevation_service.exe: 2448
  OOSU10.exe: 1464
  process name not shown: 6232, 5344, 7104, 3644, 5416, 5772, 3304

Loads dropped DLL 64 IoCs
Processes (pid by image, with the number of load events per pid):
  GoogleUpdate.exe (14): 232, 5512, 2916 (x4), 6024, 4776 (x2), 5300 (x2), 3292, 5576 (x2)
  GoogleUpdateComRegisterShell64.exe (3): 5996, 6016, 432
  chrome.exe (41): 5484 (x2), 4816, 1036 (x8), 5832 (x2), 5768 (x2), 3872 (x2), 3528 (x2), 1940 (x2), 2324 (x2), 64 (x2), 5644 (x2), 3636 (x2), 2600 (x2), 2100 (x2), 5152 (x2), 6660 (x2), 6412 (x2), 5812 (x2)
  process name not shown (6): 4280, 3484, 5744, 720, 3644, 2740

Modifies file permissions 1 TTPs 17 IoCs
Processes: icacls.exe
  pid: 6520, 2020, 7072, 6092, 1332, 4808, 5912, 232 (icacls.exe), 5920, 3264, 1528, 400, 412, 7092, 556, 5492, 2184
  (The same 17 pids as in "Possible privilege escalation attempt"; both signatures fire on the icacls.exe invocations.)

Modifies system executable filetype association 2 TTPs 10 IoCs
Processes: (not shown)
  description      ioc
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"
  (These register a context-menu handler under shellex\ContextMenuHandlers for .exe and .lnk files. The exefile\shell\open\command value that decides what runs when an executable is launched is not touched, so the signature name overstates the change; the StartMenuExt name is consistent with the Open-Shell installation recorded elsewhere in this report.)

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 11 IoCs
Processes: (not shown)
  description      ioc
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Key deleted      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun"
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mksltw
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup
  Key deleted      \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  (Three Run keys are deleted outright, HKLM, HKLM\WOW6432Node and the user's HKCU key, which removes every autostart entry that was under them. Only the Open-Shell value records its data; the OneDriveSetup, mksltw and unnamed values are logged without data, so what they launch cannot be read from this page.)

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 58 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: (not shown)
  description              ioc
  File opened (read-only)  \??\A: through \??\Z:, every letter except C:, twice each; D: and F: six times each (58 rows in total)

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes: (not shown)
  description  ioc
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}
  (Only the key creation is logged; the CLSID's InprocServer32 path, which names the DLL that would load, is not on the page.)

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  flow  ioc
  82    raw.githubusercontent.com
  83    raw.githubusercontent.com
  124   raw.githubusercontent.com
  173   drive.google.com
  174   drive.google.com
  187   raw.githubusercontent.com
  (The sample is itself a GitHub URL, so raw.githubusercontent.com fetches are expected; the two drive.google.com flows are the ones whose full URLs and downloaded payloads are worth pulling from the network capture.)

Modifies Security services 2 TTPs 6 IoCs
Modifies the startup behavior of a security service. Start = 4 is SERVICE_DISABLED.
Processes: reg.exe (x6)
  description      ioc                                                                               process
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"              reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"              reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4"              reg.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" reg.exe
  (WdNisSvc = Microsoft Defender Antivirus Network Inspection Service, SecurityHealthService = Windows Security Service. Together with the mpssvc, wscsvc, WinDefend and wuauserv rows in the first signature, this is the whole Defender, firewall, Security Center and Windows Update stack being switched off.)
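The registry rows in this table, in the "Modifies security service" table near the top, and the EnableLUA and HideFileExt rows, re-read as posture findings with the command that reverses each one. This is an added example, not part of the sandbox report or of the Oneclick repository: the IoC strings are copied from the tables above (repeated rows dropped), while the service display names, the stock Windows 10 default start types and the reg/sc reversal commands are this example's own assumptions.

```python
"""Turn the registry 'Set value' rows of this report into posture findings.

Added example, not part of the sandbox report or the Oneclick repository.
IOC_ROWS is copied from the report's tables (repeats dropped); the service
table, default start types and remediation commands are assumptions about a
stock Windows 10 host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IOC_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" OOSU10.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" reg.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe',
]

# Service -> (display name, Start type on a stock Windows 10 install). Assumed defaults.
SECURITY_SERVICES = {
    "mpssvc": ("Windows Defender Firewall", 2),
    "wscsvc": ("Security Center", 2),
    "WinDefend": ("Microsoft Defender Antivirus", 2),
    "WdNisSvc": ("Defender Network Inspection Service", 3),
    "SecurityHealthService": ("Windows Security Service", 3),
    "wuauserv": ("Windows Update", 3),
}
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
# Policy values with a known secure setting: name -> (expected data, effect of changing it).
POLICY_VALUES = {
    "EnableLUA": (1, "turns User Account Control off for all users at next reboot"),
}
ROW_RE = re.compile(r'^Set value \((int|str)\) (\\REGISTRY\\.+?) = "([^"]*)"(?: (\S+\.exe))?$')


@dataclass
class Finding:
    key: str
    value_name: str
    data: str
    process: str
    verdict: str      # "disables service (...)", "weakens policy (...)" or "neutral"
    remediation: str  # command restoring the default, "" when nothing needs undoing


def parse_row(row: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one report row into (key path, value name, data, process)."""
    m = ROW_RE.match(row)
    if not m:
        return None
    _, path, data, process = m.groups()
    key, _, value_name = path.rpartition("\\")
    return key, value_name, data, process or "(not shown)"


def assess(row: str) -> Optional[Finding]:
    parsed = parse_row(row)
    if parsed is None:
        return None
    key, name, data, process = parsed
    service = key.rsplit("\\", 1)[-1]
    if name == "Start" and "\\Services\\" in key and service in SECURITY_SERVICES:
        display, default = SECURITY_SERVICES[service]
        if int(data) == 4:
            # The sandbox logs ControlSet001; on the live host that is reached through
            # HKLM\SYSTEM\CurrentControlSet, which is what sc config writes to.
            return Finding(key, name, data, process, f"disables service ({display})",
                           f"sc config {service} start= {START_NAMES[default]}")
        return Finding(key, name, data, process, "neutral", "")
    if name in POLICY_VALUES and int(data) != POLICY_VALUES[name][0]:
        expected, effect = POLICY_VALUES[name]
        hive_key = key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
        return Finding(key, name, data, process, f"weakens policy ({effect})",
                       f'reg add "{hive_key}" /v {name} /t REG_DWORD /d {expected} /f')
    # HideFileExt = 0 shows extensions, so it is cosmetic rather than a weakening.
    return Finding(key, name, data, process, "neutral", "")


def assess_all(rows: List[str]) -> List[Finding]:
    return [f for f in (assess(r) for r in rows) if f is not None]


def disabled_services(rows: List[str]) -> Set[str]:
    """Names of services the rows switch to Start = 4."""
    return {f.key.rsplit("\\", 1)[-1] for f in assess_all(rows) if f.verdict.startswith("disables")}


if __name__ == "__main__":
    for f in assess_all(IOC_ROWS):
        print(f"{f.process:<12} {f.value_name:<12} = {f.data:<3} {f.verdict}")
        if f.remediation:
            print(f"{'':<12} undo: {f.remediation}")
```

The output is a checklist rather than a fix: restoring the Start values brings the services back at next boot, but it does not undo tamper-protection or policy changes the same run may have made through other keys, and the EnableLUA reversal only applies after a reboot.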
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes: chrome.exe
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName   chrome.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  chrome.exe

Drops file in System32 directory 11 IoCs
Processes: svchost.exe
  description                  ioc                                                                                                                      process
  File created                 C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-940901362-3608833189-1915618603-1000_StartupInfo3.xml            svchost.exe
  File created                 C:\Windows\system32\StartMenuHelper64.dll                                                                                (not shown)
  File opened for modification C:\Windows\system32\SRU\SRU.chk                                                                                          svchost.exe
  File opened for modification C:\Windows\system32\SRU\SRU.log                                                                                          svchost.exe
  File created                 C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3e96badd-a0f2-45a6-98b7-6e3fbee47ab0}\snapshot.etl        svchost.exe
  File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin                                                        svchost.exe
  File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-940901362-3608833189-1915618603-1000_UserData.bin  svchost.exe
  File created                 C:\Windows\SysWOW64\StartMenuHelper32.dll                                                                                (not shown)
  File opened for modification C:\Windows\system32\SRU\SRUDB.dat                                                                                        svchost.exe
  File opened for modification C:\Windows\system32\SRU\SRUDB.jfm                                                                                        svchost.exe
  File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3e96badd-a0f2-45a6-98b7-6e3fbee47ab0}\snapshot.etl        svchost.exe
  (The svchost.exe rows are the OS's own SRUM and Windows Diagnostic Infrastructure bookkeeping. The two rows that matter are StartMenuHelper64.dll and StartMenuHelper32.dll landing in system32 and SysWOW64 from a process the page does not name.)

Drops file in Program Files directory 64 IoCs
Processes: ChromeSetup.exe, GoogleUpdate.exe, chrome.exe, setup.exe
  ChromeSetup.exe, File created under C:\Program Files (x86)\Google\Temp\GUM146A.tmp\ (14):
    goopdateres_ko.dll, goopdateres_te.dll, goopdateres_ur.dll, goopdateres_th.dll, psuser_64.dll, GoogleUpdateOnDemand.exe, goopdateres_hr.dll, goopdateres_ml.dll, goopdateres_mr.dll, goopdateres_ro.dll, goopdateres_ar.dll, goopdateres_de.dll, goopdateres_ms.dll, GoogleCrashHandler64.exe
  GoogleUpdate.exe, File created under C:\Program Files (x86)\Google\Update\1.3.36.342\ (6):
    psmachine.dll, goopdateres_te.dll, GoogleCrashHandler.exe, goopdateres_bn.dll, goopdateres_cs.dll, goopdateres_ms.dll
  setup.exe, File created under C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\ (16):
    Locales\af.pak, Locales\mr.pak, vulkan-1.dll, Locales\sw.pak, Locales\te.pak, PrivacySandboxAttestationsPreloaded\manifest.json, Locales\pl.pak, libGLESv2.dll, notification_helper.exe, vk_swiftshader.dll, d3dcompiler_47.dll, Locales\es-419.pak, Locales\pt-BR.pak, Locales\tr.pak, PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat, chrome.dll
  setup.exe, File opened for modification (2):
    C:\Program Files\Crashpad\settings.dat, C:\Program Files\Crashpad\metadata
  chrome.exe, File created under C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\ (16):
    _locales\<cs, kn, sk, ur, sw, be, zh_TW, mr, bn, uk, si, th, da>\messages.json (13 files), page_embed_script.js, _metadata\verified_contents.json, offscreendocument.html
  process not shown, under C:\Program Files\Open-Shell\ (10):
    File created: Start Menu Settings.lnk, ClassicExplorer64.dll, OpenShellReadme.rtf, ExplorerL10N.ini, Skins\Full Glass.skin, Skins\Smoked Glass.skin, Start Screen.lnk~RFe5ba8df.TMP, Start Menu Settings.lnk~RFe5ba8c0.TMP
    File opened for modification: Start Menu Settings.lnk, ~tart Menu Settings.tmp
  (The Google rows are a stock Chrome install through Google Update, and the chrome_Unpacker tree with _locales and _metadata\verified_contents.json is Chrome unpacking one of its own CRX components. The Open-Shell rows come from a process the page does not name.)

Drops file in Windows directory 19 IoCs
Processes: svchost.exe
  svchost.exe, under C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\ (7):
    File opened for modification: FontCache\ (the directory), ~FontCache-S-1-5-21-940901362-3608833189-1915618603-1000.dat, Fonts\ (the directory), ~FontCache-FontFace.dat, ~FontCache-System.dat, ~FontCache-FontSet-S-1-5-21-940901362-3608833189-1915618603-1000.dat
    File created: ~FontCache-System.dat
  process not shown, under C:\Windows\Installer\ (11):
    File created: e5ba537.msi, SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7}, {FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico, e5ba535.msi, inprogressinstallinfo.ipi, {FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe
    File opened for modification: MSIA63F.tmp, {FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico, e5ba535.msi, Installer\ (the directory), {FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe
  process not shown (1):
    File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  (The FontCache rows are the Windows Font Cache Service at work. The C:\Windows\Installer rows are msiexec caching an MSI package; {FA86549E-94DD-4475-8EDC-504B6882E1F7} is that package's product code, and the StartScreen.exe it carries matches the Open-Shell components dropped elsewhere in this report.)

Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Processes: powershell.exe
  pid   process
  5092  powershell.exe
  5232  powershell.exe
  6696  powershell.exe

Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (all 64 rows; the first 1708 entry is listed without a process name on the page)
  pid: 6624, 3556, 1708, 7076, 6924, 1664, 4076, 3524, 6720, 6788, 5640, 6248, 4276, 6648, 6772, 6876, 6360, 1556, 4136, 180, 6152, 3304, 6636, 6564, 7144, 5176, 6384, 5384, 5824, 6408, 5752, 440, 6248, 1408, 4948, 6956, 3232, 1760, 5092, 5752, 6648, 6264, 3572, 6836, 4332, 1872, 6680, 4588, 3420, 7160, 4016, 976, 180, 4316, 6920, 1464, 6812, 5888, 5012, 6592, 3944, 7152, 1708, 4948
  (Repeated pids such as 6248, 5752, 6648, 180, 1708 and 4948 are pid reuse over a 64-process burst. No sc.exe command lines are recorded, so the services stopped or reconfigured here have to be read from the Start = 4 registry tables above.)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: GoogleUpdate.exe, GoogleUpdateOnDemand.exe, ChromeSetup.exe
  description  ioc                                                        process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  GoogleUpdate.exe (8 rows), GoogleUpdateOnDemand.exe (1), ChromeSetup.exe (1), process not shown (6)

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes: GoogleUpdate.exe
  pid   process
  6024  GoogleUpdate.exe
  3292  GoogleUpdate.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Delays execution with timeout.exe 64 IoCs
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: chrome.exe, msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Kills process with taskkill 18 IoCs
Modifies Control Panel 1 IoCs
Processes: OOSU10.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" | OOSU10.exe
Modifies data under HKEY_USERS 10 IoCs
Processes: svchost.exe, reg.exe, chrome.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\FontSetGeneration = "3" | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E |
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 |
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 |
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | reg.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\ConfigExpiration = "133761347687568434" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755299551677239" | chrome.exe
Modifies registry class 64 IoCs
Modifies registry key 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2612 |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
pid process 5856 6708 6508 2208 6040 3648 2740 3644 2740 2740 2740 6880 5272 3644 1452 1452 1452 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 5112 wrote to memory of 3248 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3248 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 
3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 3516 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 448 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 448 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe PID 5112 wrote to memory of 2384 5112 msedge.exe msedge.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" OOSU10.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
path | command line | PID (child processes are indented beneath their parent; signatures hit by each process are listed under it)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/QuakedK/Oneclick | PID:5112
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3fda46f8,0x7ffe3fda4708,0x7ffe3fda4718 | PID:3248
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2 | PID:3516
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3 | PID:448
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8 | PID:2384
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1 | PID:1480
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1 | PID:1332
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8 | PID:3548
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8 | PID:3688
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5284 /prefetch:8 | PID:3312
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1 | PID:4784
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8 | PID:3608
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1 | PID:388
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1 | PID:532
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1 | PID:5344
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1 | PID:5352
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2 | PID:4796
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | PID:1096
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | PID:4332
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID:4972
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat" " | PID:2448
    C:\Windows\system32\fltMC.exe | fltmc | PID:388
    C:\Windows\system32\sc.exe | sc query "WinDefend" | PID:3864
    C:\Windows\system32\find.exe | find "STATE" | PID:216
    C:\Windows\system32\find.exe | find "RUNNING" | PID:2292
    C:\Windows\system32\sc.exe | sc qc "TrustedInstaller" | PID:956
    C:\Windows\system32\find.exe | find "START_TYPE" | PID:532
    C:\Windows\system32\find.exe | find "DISABLED" | PID:4432
    C:\Windows\system32\curl.exe | curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip" | PID:4528
    C:\Windows\system32\timeout.exe | timeout 1 | PID:2128
      - Delays execution with timeout.exe
    C:\Windows\system32\tar.exe | tar -xf "C:\\Oneclick Tools.zip" --strip-components=1 | PID:5000
    C:\Windows\system32\chcp.com | chcp 65001 | PID:2292
    C:\Windows\system32\timeout.exe | timeout 2 | PID:64
      - Delays execution with timeout.exe
    C:\Windows\system32\chcp.com | chcp 65001 | PID:5140
    C:\Windows\system32\chcp.com | chcp 437 | PID:5156
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red" | PID:5172
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\3- OrcaLIte V2\OrcaLiteV2.bat" " | PID:5556
    C:\Windows\system32\chcp.com | chcp 65001 | PID:5608
    C:\Windows\system32\timeout.exe | timeout 2 | PID:5624
      - Delays execution with timeout.exe
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat" " | PID:5720
    C:\Windows\system32\taskkill.exe | taskkill /f /im ctfmon.exe | PID:5772
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe | taskkill /f /im backgroundTaskHost.exe | PID:5808
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe | taskkill /f /im TextInputHost.exe | PID:5836
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f | PID:5876
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:5896
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:5912
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f | PID:5928
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:5944
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f | PID:5960
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f | PID:5976
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5992
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:6008
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f | PID:6024
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f | PID:6040
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f | PID:6060
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f | PID:6076
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:6092
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:6108
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:6124
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:6140
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5044
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f | PID:2100
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f | PID:2912
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f | PID:5024
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f | PID:5100
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f | PID:2000
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f | PID:64
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5140
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:4236
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5240
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f | PID:5264
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f | PID:5296
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f | PID:5184
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:5200
      - Modifies Security services
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | PID:5224
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5284
      - Modifies Security services
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f | PID:4436
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5328
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f | PID:5332
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:676
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f | PID:3028
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f | PID:4528
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f | PID:4688
    C:\Windows\system32\timeout.exe | timeout 3 | PID:1448
      - Delays execution with timeout.exe
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat" " | PID:2204
    C:\Windows\system32\taskkill.exe | taskkill /f /im ctfmon.exe | PID:1552
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe | taskkill /f /im backgroundTaskHost.exe | PID:4044
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe | taskkill /f /im TextInputHost.exe | PID:3800
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f | PID:4544
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:4188
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:232
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f | PID:4900
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:4060
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f | PID:5532
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f | PID:4588
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f | PID:2624
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:4216
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f | PID:2968
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f | PID:3048
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f | PID:4796
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f | PID:4960
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5576
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5612
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5672
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5652
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5636
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f | PID:5580
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f | PID:5700
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f | PID:5596
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f | PID:5556
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f | PID:3712
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f | PID:2616
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5736
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5784
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5772
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f | PID:2984
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f | PID:2080
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f | PID:3124
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:1888
      - Modifies Security services
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | PID:5816
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5852
      - Modifies Security services
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f | PID:636
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:800
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f | PID:5848
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5836
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f | PID:5888
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f | PID:5908
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f | PID:5924
    C:\Windows\system32\timeout.exe | timeout 3 | PID:5940
      - Delays execution with timeout.exe
C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat" | PID:6084
    C:\Windows\system32\taskkill.exe | taskkill /f /im ctfmon.exe | PID:5132
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe | taskkill /f /im backgroundTaskHost.exe | PID:5044
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe | taskkill /f /im TextInputHost.exe | PID:3724
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f | PID:4396
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:3232
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:5144
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f | PID:5156
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f | PID:5228
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f | PID:5248
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f | PID:5244
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5196
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5188
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f | PID:5184
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f | PID:5220
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f | PID:5224
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f | PID:5284
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5324
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5336
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:1840
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:676
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f | PID:4432
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f | PID:1168
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f | PID:224
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f | PID:1428
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f | PID:4076
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f | PID:2152
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f | PID:5764
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:4340
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5756
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f | PID:5728
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f | PID:2128
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f | PID:876
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f | PID:4828
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f | PID:3972
      - Modifies Security services
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f | PID:3608
      - Modifies security service
    C:\Windows\system32\reg.exe | reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
      - Modifies Security services
PID:3728 -
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:440
-
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3892
-
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1100
-
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3548
-
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1264
-
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3572
-
C:\Windows\system32\reg.exereg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2344
-
C:\Windows\system32\timeout.exetimeout 32⤵
- Delays execution with timeout.exe
PID:552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\CTT App Installer.bat" "1⤵PID:5624
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:5544 -
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:3712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -Command "iwr -useb https://christitus.com/win | iex"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5788 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwznn1ey\kwznn1ey.cmdline"3⤵PID:6072
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE26.tmp" "c:\Users\Admin\AppData\Local\Temp\kwznn1ey\CSC89514FDE3051491186F114B6EF7ECB42.TMP"4⤵PID:6120
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\Powershell Chrome Installer.txt1⤵PID:5320
-
C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe"C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4276 -
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe"C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8130FB42-5831-10A9-876B-159E043F7AB1}&lang=en&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"2⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5512 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916 -
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5996 -
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6016 -
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:432 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI3NTAiLz48L2FwcD48L3JlcXVlc3Q-3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:6024 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8130FB42-5831-10A9-876B-159E043F7AB1}&lang=en&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{DA17F6E0-1E80-49FF-B09F-E35DBCFE32F5}"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776
-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5300 -
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\130.0.6723.117_chrome_installer.exe"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\130.0.6723.117_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\gui5414.tmp"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5640 -
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\gui5414.tmp"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
PID:552 -
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x268,0x26c,0x270,0x240,0x274,0x7ff796d9ec28,0x7ff796d9ec34,0x7ff796d9ec404⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2900 -
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=14⤵
- Executes dropped EXE
PID:5704 -
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff796d9ec28,0x7ff796d9ec34,0x7ff796d9ec405⤵
- Executes dropped EXE
PID:5588 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL2VkZ2VkbC5tZS5ndnQxLmNvbS9lZGdlZGwvcmVsZWFzZTIvY2hyb21lL2FjbHM2aHQ2eGt4eW1lN2tteXBnMngycWEyNWFfMTMwLjAuNjcyMy4xMTcvMTMwLjAuNjcyMy4xMTdfY2hyb21lX2luc3RhbGxlci5leGUiIGRvd25sb2FkZWQ9IjExNTM1NzA0MCIgdG90YWw9IjExNTM1NzA0MCIgZG93bmxvYWRfdGltZV9tcz0iNzgxMSIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzA3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzU5IiBkb3dubG9hZF90aW1lX21zPSI4OTM2IiBkb3dubG9hZGVkPSIxMTUzNTcwNDAiIHRvdGFsPSIxMTUzNTcwNDAiIGluc3RhbGxfdGltZV9tcz0iMzAwMjIiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"1⤵PID:5740
-
C:\Windows\system32\fltMC.exefltmc2⤵PID:5896
-
C:\Windows\system32\sc.exesc query "WinDefend"2⤵PID:1012
-
C:\Windows\system32\find.exefind "STATE"2⤵PID:4724
-
C:\Windows\system32\find.exefind "RUNNING"2⤵PID:4872
-
C:\Windows\system32\sc.exesc qc "TrustedInstaller"2⤵PID:4016
-
C:\Windows\system32\find.exefind "START_TYPE"2⤵PID:3316
-
C:\Windows\system32\find.exefind "DISABLED"2⤵PID:5872
-
C:\Windows\system32\curl.execurl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"2⤵PID:5512
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:432 -
C:\Windows\system32\tar.exetar -xf "C:\\Oneclick Tools.zip" --strip-components=12⤵PID:5248
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:5888
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:5172 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:2448
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:4804
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768 -
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:5756 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:3608
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5676 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:1204
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f2⤵PID:3712
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f2⤵PID:2360
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f2⤵PID:5816
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5584 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:4752
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f2⤵PID:5500
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f2⤵PID:5572
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f2⤵PID:1664
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:2324
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f2⤵PID:5580
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f2⤵PID:728
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1012 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"2⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2028 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f2⤵PID:5636
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2916 -
C:\Windows\system32\reg.exereg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f2⤵
- Modifies data under HKEY_USERS
PID:5160 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4364 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:432 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:908 -
C:\Windows\system32\reg.exereg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f2⤵
- Modifies visibility of file extensions in Explorer
PID:4344 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5304 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f2⤵PID:4340
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3872 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:1028
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2672 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f2⤵PID:4988
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f2⤵PID:3804
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f2⤵PID:3856
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f2⤵PID:5292
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f2⤵PID:2624
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f2⤵PID:5616
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f2⤵PID:1680
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f2⤵PID:5544
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f2⤵PID:2776
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f2⤵PID:1968
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f2⤵PID:512
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f2⤵PID:4176
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f2⤵PID:720
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:976 -
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f2⤵PID:5760
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f2⤵PID:6060
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f2⤵PID:2292
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f2⤵PID:548
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f2⤵PID:5676
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f2⤵PID:1204
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵PID:5864
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3712 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f2⤵PID:1556
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f2⤵PID:4316
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5060 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f2⤵PID:1204
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3904 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
PID:2492 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4332 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f2⤵PID:440
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f2⤵PID:548
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f2⤵PID:5676
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:5920
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f2⤵PID:4316
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f2⤵PID:4588
-
C:\Windows\system32\powercfg.exepowercfg.exe /hibernate off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:464 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4880 -
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵PID:7064
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵
- Launches sc.exe
PID:7076 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:7088 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:7128
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:7144
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:7160 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f2⤵PID:6384
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:6368 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f2⤵PID:6344
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6328 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:5196
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 02⤵
- UAC bypass
PID:2360 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2932 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:6456
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:6476 -
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵PID:6580
-
C:\Windows\system32\sc.exesc config ALG start=demand2⤵PID:5812
-
C:\Windows\system32\sc.exesc config AppIDSvc start=demand2⤵
- Launches sc.exe
PID:6592 -
C:\Windows\system32\sc.exesc config AppMgmt start=demand2⤵PID:6608
-
C:\Windows\system32\sc.exesc config AppReadiness start=demand2⤵PID:6624
-
C:\Windows\system32\sc.exesc config AppVClient start=disabled2⤵PID:6636
-
C:\Windows\system32\sc.exesc config AppXSvc start=demand2⤵
- Launches sc.exe
PID:6648 -
C:\Windows\system32\sc.exesc config Appinfo start=demand2⤵PID:6668
-
C:\Windows\system32\sc.exesc config AssignedAccessManagerSvc start=disabled2⤵
- Launches sc.exe
PID:6680 -
C:\Windows\system32\sc.exesc config AudioEndpointBuilder start=auto2⤵PID:6696
-
C:\Windows\system32\sc.exesc config AudioSrv start=auto2⤵PID:6708
-
C:\Windows\system32\sc.exesc config Audiosrv start=auto2⤵
- Launches sc.exe
PID:6720 -
C:\Windows\system32\sc.exesc config AxInstSV start=demand2⤵PID:6736
-
C:\Windows\system32\sc.exesc config BDESVC start=demand2⤵PID:6748
-
C:\Windows\system32\sc.exesc config BFE start=auto2⤵PID:6760
-
C:\Windows\system32\sc.exesc config BITS start=delayed-auto2⤵PID:6776
-
C:\Windows\system32\sc.exesc config BTAGService start=demand2⤵
- Launches sc.exe
PID:6788 -
C:\Windows\system32\sc.exesc config BcastDVRUserService_dc2a4 start=demand2⤵PID:6800
-
C:\Windows\system32\sc.exesc config BluetoothUserService_dc2a4 start=demand2⤵PID:6812
-
C:\Windows\system32\sc.exesc config BrokerInfrastructure start=auto2⤵PID:6824
-
C:\Windows\system32\sc.exesc config Browser start=demand2⤵PID:6836
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start=auto2⤵PID:6852
-
C:\Windows\system32\sc.exesc config BthHFSrv start=auto2⤵PID:6864
-
C:\Windows\system32\sc.exesc config CDPSvc start=demand2⤵PID:6876
-
C:\Windows\system32\sc.exesc config CDPUserSvc_dc2a4 start=auto2⤵PID:6888
-
C:\Windows\system32\sc.exesc config COMSysApp start=demand2⤵PID:6900
-
C:\Windows\system32\sc.exesc config CaptureService_dc2a4 start=demand2⤵PID:6920
-
C:\Windows\system32\sc.exesc config CertPropSvc start=demand2⤵PID:6924
-
C:\Windows\system32\sc.exesc config ClipSVC start=demand2⤵PID:6944
-
C:\Windows\system32\sc.exesc config ConsentUxUserSvc_dc2a4 start=demand2⤵PID:6956
-
C:\Windows\system32\sc.exesc config CoreMessagingRegistrar start=auto2⤵PID:6972
-
C:\Windows\system32\sc.exesc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand2⤵PID:6684
-
C:\Windows\system32\sc.exesc config CryptSvc start=auto2⤵PID:1012
-
C:\Windows\system32\sc.exesc config CscService start=demand2⤵PID:5152
-
C:\Windows\system32\sc.exesc config DPS start=auto2⤵PID:3712
-
C:\Windows\system32\sc.exesc config DcomLaunch start=auto2⤵PID:6436
-
C:\Windows\system32\sc.exesc config DcpSvc start=demand2⤵PID:7060
-
C:\Windows\system32\sc.exesc config DevQueryBroker start=demand2⤵
- Launches sc.exe
PID:3304 -
C:\Windows\system32\sc.exesc config DeviceAssociationBrokerSvc_dc2a4 start=demand2⤵PID:2876
-
C:\Windows\system32\sc.exesc config DeviceAssociationService start=demand2⤵PID:64
-
C:\Windows\system32\sc.exesc config DeviceInstall start=demand2⤵PID:5564
-
C:\Windows\system32\sc.exesc config DevicePickerUserSvc_dc2a4 start=demand2⤵PID:7068
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_dc2a4 start=demand2⤵PID:7084
-
C:\Windows\system32\sc.exesc config Dhcp start=auto2⤵PID:7104
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵PID:7112
-
C:\Windows\system32\sc.exesc config DialogBlockingService start=disabled2⤵PID:7096
-
C:\Windows\system32\sc.exesc config DispBrokerDesktopSvc start=auto2⤵PID:7140
-
C:\Windows\system32\sc.exesc config DisplayEnhancementService start=demand2⤵PID:7156
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=demand2⤵PID:5224
-
C:\Windows\system32\sc.exesc config Dnscache start=auto2⤵PID:6396
-
C:\Windows\system32\sc.exesc config DoSvc start=delayed-auto2⤵PID:6376
-
C:\Windows\system32\sc.exesc config DsSvc start=demand2⤵PID:6028
-
C:\Windows\system32\sc.exesc config DsmSvc start=demand2⤵PID:6360
-
C:\Windows\system32\sc.exesc config DusmSvc start=auto2⤵PID:6332
-
C:\Windows\system32\sc.exesc config EFS start=demand2⤵PID:6272
-
C:\Windows\system32\sc.exesc config EapHost start=demand2⤵PID:6260
-
C:\Windows\system32\sc.exesc config EntAppSvc start=demand2⤵PID:6240
-
C:\Windows\system32\sc.exesc config EventLog start=auto2⤵PID:3316
-
C:\Windows\system32\sc.exesc config EventSystem start=auto2⤵PID:3232
-
C:\Windows\system32\sc.exesc config FDResPub start=demand2⤵PID:6176
-
C:\Windows\system32\sc.exesc config Fax start=demand2⤵PID:6192
-
C:\Windows\system32\sc.exesc config FontCache start=auto2⤵PID:6200
-
C:\Windows\system32\sc.exesc config FrameServer start=demand2⤵
- Launches sc.exe
PID:3944 -
C:\Windows\system32\sc.exesc config FrameServerMonitor start=demand2⤵
- Launches sc.exe
PID:5640 -
C:\Windows\system32\sc.exesc config GraphicsPerfSvc start=demand2⤵PID:6316
-
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵PID:6324
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵PID:6292
-
C:\Windows\system32\sc.exesc config HvHost start=demand2⤵PID:6228
-
C:\Windows\system32\sc.exe | sc config IEEtwCollectorService start=demand | depth 2 | PID 6220
C:\Windows\system32\sc.exe | sc config IKEEXT start=demand | depth 2 | PID 6296
C:\Windows\system32\sc.exe | sc config InstallService start=demand | depth 2 | PID 1708
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config InventorySvc start=demand | depth 2 | PID 5988
C:\Windows\system32\sc.exe | sc config IpxlatCfgSvc start=demand | depth 2 | PID 4284
C:\Windows\system32\sc.exe | sc config KeyIso start=auto | depth 2 | PID 6072
C:\Windows\system32\sc.exe | sc config KtmRm start=demand | depth 2 | PID 4076
C:\Windows\system32\sc.exe | sc config LSM start=auto | depth 2 | PID 1616
C:\Windows\system32\sc.exe | sc config LanmanServer start=auto | depth 2 | PID 3572
C:\Windows\system32\sc.exe | sc config LanmanWorkstation start=auto | depth 2 | PID 516
C:\Windows\system32\sc.exe | sc config LicenseManager start=demand | depth 2 | PID 4588
C:\Windows\system32\sc.exe | sc config LxpSvc start=demand | depth 2 | PID 2492
C:\Windows\system32\sc.exe | sc config MSDTC start=demand | depth 2 | PID 4316
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config MSiSCSI start=demand | depth 2 | PID 5752
C:\Windows\system32\sc.exe | sc config MapsBroker start=delayed-auto | depth 2 | PID 5196
C:\Windows\system32\sc.exe | sc config McpManagementService start=demand | depth 2 | PID 2324
C:\Windows\system32\sc.exe | sc config MessagingService_dc2a4 start=demand | depth 2 | PID 6416
C:\Windows\system32\sc.exe | sc config MicrosoftEdgeElevationService start=demand | depth 2 | PID 6400
C:\Windows\system32\sc.exe | sc config MixedRealityOpenXRSvc start=demand | depth 2 | PID 5260
C:\Windows\system32\sc.exe | sc config MpsSvc start=auto | depth 2 | PID 6432
C:\Windows\system32\sc.exe | sc config MsKeyboardFilter start=demand | depth 2 | PID 3208
C:\Windows\system32\sc.exe | sc config NPSMSvc_dc2a4 start=demand | depth 2 | PID 6472
C:\Windows\system32\sc.exe | sc config NaturalAuthentication start=demand | depth 2 | PID 6456
C:\Windows\system32\sc.exe | sc config NcaSvc start=demand | depth 2 | PID 6516
C:\Windows\system32\sc.exe | sc config NcbService start=demand | depth 2 | PID 6504
C:\Windows\system32\sc.exe | sc config NcdAutoSetup start=demand | depth 2 | PID 2988
C:\Windows\system32\sc.exe | sc config NetSetupSvc start=demand | depth 2 | PID 6480
C:\Windows\system32\sc.exe | sc config NetTcpPortSharing start=disabled | depth 2 | PID 5128
C:\Windows\system32\sc.exe | sc config Netlogon start=demand | depth 2 | PID 6580
C:\Windows\system32\sc.exe | sc config Netman start=demand | depth 2 | PID 5812
C:\Windows\system32\sc.exe | sc config NgcCtnrSvc start=demand | depth 2 | PID 6552
C:\Windows\system32\sc.exe | sc config NgcSvc start=demand | depth 2 | PID 6568
C:\Windows\system32\sc.exe | sc config NlaSvc start=demand | depth 2 | PID 6596
C:\Windows\system32\sc.exe | sc config OneSyncSvc_dc2a4 start=auto | depth 2 | PID 6576
C:\Windows\system32\sc.exe | sc config P9RdrService_dc2a4 start=demand | depth 2 | PID 6620
C:\Windows\system32\sc.exe | sc config PNRPAutoReg start=demand | depth 2 | PID 6608
C:\Windows\system32\sc.exe | sc config PNRPsvc start=demand | depth 2 | PID 6624
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config PcaSvc start=demand | depth 2 | PID 6636
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config PeerDistSvc start=demand | depth 2 | PID 6676
C:\Windows\system32\sc.exe | sc config PenService_dc2a4 start=demand | depth 2 | PID 6692
C:\Windows\system32\sc.exe | sc config PerfHost start=demand | depth 2 | PID 6704
C:\Windows\system32\sc.exe | sc config PhoneSvc start=demand | depth 2 | PID 6712
C:\Windows\system32\sc.exe | sc config PimIndexMaintenanceSvc_dc2a4 start=demand | depth 2 | PID 6732
C:\Windows\system32\sc.exe | sc config PlugPlay start=demand | depth 2 | PID 6720
C:\Windows\system32\sc.exe | sc config PolicyAgent start=demand | depth 2 | PID 6756
C:\Windows\system32\sc.exe | sc config Power start=auto | depth 2 | PID 6772
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config PrintNotify start=demand | depth 2 | PID 6760
C:\Windows\system32\sc.exe | sc config PrintWorkflowUserSvc_dc2a4 start=demand | depth 2 | PID 6776
C:\Windows\system32\sc.exe | sc config ProfSvc start=auto | depth 2 | PID 6808
C:\Windows\system32\sc.exe | sc config PushToInstall start=demand | depth 2 | PID 6820
C:\Windows\system32\sc.exe | sc config QWAVE start=demand | depth 2 | PID 6828
C:\Windows\system32\sc.exe | sc config RasAuto start=demand | depth 2 | PID 6840
C:\Windows\system32\sc.exe | sc config RasMan start=demand | depth 2 | PID 6836
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config RemoteAccess start=disabled | depth 2 | PID 6852
C:\Windows\system32\sc.exe | sc config RemoteRegistry start=disabled | depth 2 | PID 6864
C:\Windows\system32\sc.exe | sc config RetailDemo start=demand | depth 2 | PID 6876
C:\Windows\system32\sc.exe | sc config RmSvc start=demand | depth 2 | PID 6888
C:\Windows\system32\sc.exe | sc config RpcEptMapper start=auto | depth 2 | PID 6900
C:\Windows\system32\sc.exe | sc config RpcLocator start=demand | depth 2 | PID 6920
C:\Windows\system32\sc.exe | sc config RpcSs start=auto | depth 2 | PID 6924
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config SCPolicySvc start=demand | depth 2 | PID 6944
C:\Windows\system32\sc.exe | sc config SCardSvr start=demand | depth 2 | PID 6956
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config SDRSVC start=demand | depth 2 | PID 6972
C:\Windows\system32\sc.exe | sc config SEMgrSvc start=demand | depth 2 | PID 2448
C:\Windows\system32\sc.exe | sc config SENS start=auto | depth 2 | PID 1012
C:\Windows\system32\sc.exe | sc config SNMPTRAP start=demand | depth 2 | PID 5152
C:\Windows\system32\sc.exe | sc config SNMPTrap start=demand | depth 2 | PID 3712
C:\Windows\system32\sc.exe | sc config SSDPSRV start=demand | depth 2 | PID 6436
C:\Windows\system32\sc.exe | sc config SamSs start=auto | depth 2 | PID 7060
C:\Windows\system32\sc.exe | sc config ScDeviceEnum start=demand | depth 2 | PID 5888
C:\Windows\system32\sc.exe | sc config Schedule start=auto | depth 2 | PID 440
C:\Windows\system32\sc.exe | sc config SecurityHealthService start=demand | depth 2 | PID 4880
C:\Windows\system32\sc.exe | sc config Sense start=demand | depth 2 | PID 7064
C:\Windows\system32\sc.exe | sc config SensorDataService start=demand | depth 2 | PID 1060
C:\Windows\system32\sc.exe | sc config SensorService start=demand | depth 2 | PID 7108
C:\Windows\system32\sc.exe | sc config SensrSvc start=demand | depth 2 | PID 7100
C:\Windows\system32\sc.exe | sc config SessionEnv start=demand | depth 2 | PID 7112
C:\Windows\system32\sc.exe | sc config SgrmBroker start=auto | depth 2 | PID 7132
C:\Windows\system32\sc.exe | sc config SharedAccess start=demand | depth 2 | PID 7148
C:\Windows\system32\sc.exe | sc config SharedRealitySvc start=demand | depth 2 | PID 7152
C:\Windows\system32\sc.exe | sc config ShellHWDetection start=auto | depth 2 | PID 6392
C:\Windows\system32\sc.exe | sc config SmsRouter start=demand | depth 2 | PID 6372
C:\Windows\system32\sc.exe | sc config Spooler start=auto | depth 2 | PID 6364
C:\Windows\system32\sc.exe | sc config SstpSvc start=demand | depth 2 | PID 6368
C:\Windows\system32\sc.exe | sc config StateRepository start=demand | depth 2 | PID 6344
C:\Windows\system32\sc.exe | sc config StiSvc start=demand | depth 2 | PID 6272
C:\Windows\system32\sc.exe | sc config StorSvc start=demand | depth 2 | PID 6248
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config SysMain start=auto | depth 2 | PID 6252
C:\Windows\system32\sc.exe | sc config SystemEventsBroker start=auto | depth 2 | PID 7048
C:\Windows\system32\sc.exe | sc config TabletInputService start=demand | depth 2 | PID 5696
C:\Windows\system32\sc.exe | sc config TapiSrv start=demand | depth 2 | PID 6148
C:\Windows\system32\sc.exe | sc config TermService start=auto | depth 2 | PID 6196
C:\Windows\system32\sc.exe | sc config TextInputManagementService start=demand | depth 2 | PID 6152
C:\Windows\system32\sc.exe | sc config Themes start=auto | depth 2 | PID 6204
C:\Windows\system32\sc.exe | sc config TieringEngineService start=demand | depth 2 | PID 2396
C:\Windows\system32\sc.exe | sc config TimeBroker start=demand | depth 2 | PID 6288
C:\Windows\system32\sc.exe | sc config TimeBrokerSvc start=demand | depth 2 | PID 6312
C:\Windows\system32\sc.exe | sc config TokenBroker start=demand | depth 2 | PID 6276
C:\Windows\system32\sc.exe | sc config TrkWks start=auto | depth 2 | PID 6216
C:\Windows\system32\sc.exe | sc config TroubleshootingSvc start=demand | depth 2 | PID 6284
C:\Windows\system32\sc.exe | sc config TrustedInstaller start=demand | depth 2 | PID 6300
C:\Windows\system32\sc.exe | sc config UI0Detect start=demand | depth 2 | PID 6320
C:\Windows\system32\sc.exe | sc config UdkUserSvc_dc2a4 start=demand | depth 2 | PID 5248
C:\Windows\system32\sc.exe | sc config UevAgentService start=disabled | depth 2 | PID 5092
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config UmRdpService start=demand | depth 2 | PID 4780
C:\Windows\system32\sc.exe | sc config UnistoreSvc_dc2a4 start=demand | depth 2 | PID 4528
C:\Windows\system32\sc.exe | sc config UserDataSvc_dc2a4 start=demand | depth 2 | PID 624
C:\Windows\system32\sc.exe | sc config UserManager start=auto | depth 2 | PID 3908
C:\Windows\system32\sc.exe | sc config UsoSvc start=demand | depth 2 | PID 3420
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config VGAuthService start=auto | depth 2 | PID 4332
C:\Windows\system32\sc.exe | sc config VMTools start=auto | depth 2 | PID 5504
C:\Windows\system32\sc.exe | sc config VSS start=demand | depth 2 | PID 4588
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config VacSvc start=demand | depth 2 | PID 3120
C:\Windows\system32\sc.exe | sc config VaultSvc start=auto | depth 2 | PID 4316
C:\Windows\system32\sc.exe | sc config W32Time start=demand | depth 2 | PID 5752
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config WEPHOSTSVC start=demand | depth 2 | PID 5196
C:\Windows\system32\sc.exe | sc config WFDSConMgrSvc start=demand | depth 2 | PID 2324
C:\Windows\system32\sc.exe | sc config WMPNetworkSvc start=demand | depth 2 | PID 5240
C:\Windows\system32\sc.exe | sc config WManSvc start=demand | depth 2 | PID 6412
C:\Windows\system32\sc.exe | sc config WPDBusEnum start=demand | depth 2 | PID 6428
C:\Windows\system32\sc.exe | sc config WSService start=demand | depth 2 | PID 1664
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config WSearch start=delayed-auto | depth 2 | PID 6468
C:\Windows\system32\sc.exe | sc config WaaSMedicSvc start=demand | depth 2 | PID 6520
C:\Windows\system32\sc.exe | sc config WalletService start=demand | depth 2 | PID 6456
C:\Windows\system32\sc.exe | sc config WarpJITSvc start=demand | depth 2 | PID 6516
C:\Windows\system32\sc.exe | sc config WbioSrvc start=demand | depth 2 | PID 6504
C:\Windows\system32\sc.exe | sc config Wcmsvc start=auto | depth 2 | PID 2988
C:\Windows\system32\sc.exe | sc config WcsPlugInService start=demand | depth 2 | PID 6572
C:\Windows\system32\sc.exe | sc config WdNisSvc start=demand | depth 2 | PID 6564
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config WdiServiceHost start=demand | depth 2 | PID 6548
C:\Windows\system32\sc.exe | sc config WdiSystemHost start=demand | depth 2 | PID 6592
C:\Windows\system32\sc.exe | sc config WebClient start=demand | depth 2 | PID 6528
C:\Windows\system32\sc.exe | sc config Wecsvc start=demand | depth 2 | PID 6616
C:\Windows\system32\sc.exe | sc config WerSvc start=demand | depth 2 | PID 6628
C:\Windows\system32\sc.exe | sc config WiaRpc start=demand | depth 2 | PID 6640
C:\Windows\system32\sc.exe | sc config WinDefend start=auto | depth 2 | PID 6648
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config WinHttpAutoProxySvc start=demand | depth 2 | PID 6636
C:\Windows\system32\sc.exe | sc config WinRM start=demand | depth 2 | PID 6676
C:\Windows\system32\sc.exe | sc config Winmgmt start=auto | depth 2 | PID 6692
C:\Windows\system32\sc.exe | sc config WlanSvc start=auto | depth 2 | PID 6704
C:\Windows\system32\sc.exe | sc config WpcMonSvc start=demand | depth 2 | PID 6728
C:\Windows\system32\sc.exe | sc config WpnService start=demand | depth 2 | PID 6736
C:\Windows\system32\sc.exe | sc config WpnUserService_dc2a4 start=auto | depth 2 | PID 6720
C:\Windows\system32\sc.exe | sc config WwanSvc start=demand | depth 2 | PID 6756
C:\Windows\system32\sc.exe | sc config XblAuthManager start=demand | depth 2 | PID 6772
C:\Windows\system32\sc.exe | sc config XblGameSave start=demand | depth 2 | PID 6760
C:\Windows\system32\sc.exe | sc config XboxGipSvc start=demand | depth 2 | PID 6796
C:\Windows\system32\sc.exe | sc config XboxNetApiSvc start=demand | depth 2 | PID 6800
C:\Windows\system32\sc.exe | sc config autotimesvc start=demand | depth 2 | PID 6812
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config bthserv start=demand | depth 2 | PID 6824
C:\Windows\system32\sc.exe | sc config camsvc start=demand | depth 2 | PID 6844
C:\Windows\system32\sc.exe | sc config cbdhsvc_dc2a4 start=demand | depth 2 | PID 6836
C:\Windows\system32\sc.exe | sc config cloudidsvc start=demand | depth 2 | PID 6852
C:\Windows\system32\sc.exe | sc config dcsvc start=demand | depth 2 | PID 6864
C:\Windows\system32\sc.exe | sc config defragsvc start=demand | depth 2 | PID 6876
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config diagnosticshub.standardcollector.service start=demand | depth 2 | PID 6904
C:\Windows\system32\sc.exe | sc config diagsvc start=demand | depth 2 | PID 6912
C:\Windows\system32\sc.exe | sc config dmwappushservice start=demand | depth 2 | PID 6920
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config dot3svc start=demand | depth 2 | PID 6924
C:\Windows\system32\sc.exe | sc config edgeupdate start=demand | depth 2 | PID 6944
C:\Windows\system32\sc.exe | sc config edgeupdatem start=demand | depth 2 | PID 6956
C:\Windows\system32\sc.exe | sc config embeddedmode start=demand | depth 2 | PID 6972
C:\Windows\system32\sc.exe | sc config fdPHost start=demand | depth 2 | PID 2448
C:\Windows\system32\sc.exe | sc config fhsvc start=demand | depth 2 | PID 6448
C:\Windows\system32\sc.exe | sc config gpsvc start=auto | depth 2 | PID 5912
C:\Windows\system32\sc.exe | sc config hidserv start=demand | depth 2 | PID 2164
C:\Windows\system32\sc.exe | sc config icssvc start=demand | depth 2 | PID 7056
C:\Windows\system32\sc.exe | sc config iphlpsvc start=auto | depth 2 | PID 7060
C:\Windows\system32\sc.exe | sc config lfsvc start=demand | depth 2 | PID 5888
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config lltdsvc start=demand | depth 2 | PID 440
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config lmhosts start=demand | depth 2 | PID 7080
C:\Windows\system32\sc.exe | sc config mpssvc start=auto | depth 2 | PID 7076
C:\Windows\system32\sc.exe | sc config msiserver start=demand | depth 2 | PID 7116
C:\Windows\system32\sc.exe | sc config netprofm start=demand | depth 2 | PID 7104
C:\Windows\system32\sc.exe | sc config nsi start=auto | depth 2 | PID 7100
C:\Windows\system32\sc.exe | sc config p2pimsvc start=demand | depth 2 | PID 7112
C:\Windows\system32\sc.exe | sc config p2psvc start=demand | depth 2 | PID 7132
C:\Windows\system32\sc.exe | sc config perceptionsimulation start=demand | depth 2 | PID 7144
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config pla start=demand | depth 2 | PID 5224
C:\Windows\system32\sc.exe | sc config seclogon start=demand | depth 2 | PID 7160
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config shpamsvc start=disabled | depth 2 | PID 6340
C:\Windows\system32\sc.exe | sc config smphost start=demand | depth 2 | PID 6360
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config spectrum start=demand | depth 2 | PID 6264
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config sppsvc start=delayed-auto | depth 2 | PID 6344
C:\Windows\system32\sc.exe | sc config ssh-agent start=disabled | depth 2 | PID 6272
C:\Windows\system32\sc.exe | sc config svsvc start=demand | depth 2 | PID 6248
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config swprv start=demand | depth 2 | PID 3316
C:\Windows\system32\sc.exe | sc config tiledatamodelsvc start=auto | depth 2 | PID 6184
C:\Windows\system32\sc.exe | sc config tzautoupdate start=disabled | depth 2 | PID 3232
C:\Windows\system32\sc.exe | sc config uhssvc start=disabled | depth 2 | PID 6176
C:\Windows\system32\sc.exe | sc config upnphost start=demand | depth 2 | PID 3400
C:\Windows\system32\sc.exe | sc config vds start=demand | depth 2 | PID 928
C:\Windows\system32\sc.exe | sc config vm3dservice start=demand | depth 2 | PID 5964
C:\Windows\system32\sc.exe | sc config vmicguestinterface start=demand | depth 2 | PID 5640
C:\Windows\system32\sc.exe | sc config vmicheartbeat start=demand | depth 2 | PID 6308
C:\Windows\system32\sc.exe | sc config vmickvpexchange start=demand | depth 2 | PID 6324
C:\Windows\system32\sc.exe | sc config vmicrdv start=demand | depth 2 | PID 6292
C:\Windows\system32\sc.exe | sc config vmicshutdown start=demand | depth 2 | PID 6228
C:\Windows\system32\sc.exe | sc config vmictimesync start=demand | depth 2 | PID 6220
C:\Windows\system32\sc.exe | sc config vmicvmsession start=demand | depth 2 | PID 6296
C:\Windows\system32\sc.exe | sc config vmicvss start=demand | depth 2 | PID 1708
C:\Windows\system32\sc.exe | sc config vmvss start=demand | depth 2 | PID 5988
C:\Windows\system32\sc.exe | sc config wbengine start=demand | depth 2 | PID 4284
C:\Windows\system32\sc.exe | sc config wcncsvc start=demand | depth 2 | PID 6072
C:\Windows\system32\sc.exe | sc config webthreatdefsvc start=demand | depth 2 | PID 4076
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config webthreatdefusersvc_dc2a4 start=auto | depth 2 | PID 1616
C:\Windows\system32\sc.exe | sc config wercplsupport start=demand | depth 2 | PID 3572
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config wisvc start=demand | depth 2 | PID 516
C:\Windows\system32\sc.exe | sc config wlidsvc start=demand | depth 2 | PID 5968
C:\Windows\system32\sc.exe | sc config wlpasvc start=demand | depth 2 | PID 5504
C:\Windows\system32\sc.exe | sc config wmiApSrv start=demand | depth 2 | PID 4588
C:\Windows\system32\sc.exe | sc config workfolderssvc start=demand | depth 2 | PID 4768
C:\Windows\system32\sc.exe | sc config wscsvc start=delayed-auto | depth 2 | PID 1556
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config wuauserv start=demand | depth 2 | PID 4836
C:\Windows\system32\sc.exe | sc config wudfsvc start=demand | depth 2 | PID 2360
-
C:\Windows\system32\timeout.exe | timeout 1 | depth 2 | PID 6404
- Delays execution with timeout.exe
C:\Windows\system32\timeout.exe | timeout 1 | depth 2 | PID 6440
- Delays execution with timeout.exe
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable | depth 2 | PID 6924
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable | depth 2 | PID 6936
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable | depth 2 | PID 6684
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable | depth 2 | PID 6092
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable | depth 2 | PID 5696
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable | depth 2 | PID 6280
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable | depth 2 | PID 3672
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable | depth 2 | PID 5504
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable | depth 2 | PID 3120
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable | depth 2 | PID 4316
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable | depth 2 | PID 4836
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable | depth 2 | PID 5764
C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable | depth 2 | PID 6404
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f | depth 2 | PID 4224
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f | depth 2 | PID 5856
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f | depth 2 | PID 3088
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f | depth 2 | PID 6560
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f | depth 2 | PID 4828
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f | depth 2 | PID 5492
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f | depth 2 | PID 2776
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f | depth 2 | PID 4216
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f | depth 2 | PID 6576
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f | depth 2 | PID 6572
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f | depth 2 | PID 5760
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f | depth 2 | PID 976
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f | depth 2 | PID 6548
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f | depth 2 | PID 860
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f | depth 2 | PID 4532
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f | depth 2 | PID 6632
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f | depth 2 | PID 1940
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f | depth 2 | PID 4560
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f | depth 2 | PID 6764
C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f | depth 2 | PID 6772
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f | depth 2 | PID 6700
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f | depth 2 | PID 6708
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f | depth 2 | PID 6728
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f | depth 2 | PID 6748
C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f | depth 2 | PID 6856
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f | depth 2 | PID 6544
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f | depth 2 | PID 6608
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f | depth 2 | PID 6932
C:\Windows\system32\reg.exe | reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f | depth 2 | PID 6440
C:\Windows\system32\reg.exe | reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f | depth 2 | PID 6924
C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f | depth 2 | PID 6936
C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f | depth 2 | PID 6852
C:\Windows\system32\reg.exe | reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f | depth 2 | PID 5872
C:\Windows\system32\reg.exe | reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f | depth 2 | PID 6972
C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f | depth 2 | PID 5672
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f | depth 2 | PID 5912
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f | depth 2 | PID 2164
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f | depth 2 | PID 7056
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f | depth 2 | PID 64
C:\Windows\system32\reg.exe | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f | depth 2 | PID 7072
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f | depth 2 | PID 7068
C:\Windows\system32\timeout.exe | timeout 1 | depth 2 | PID 7076
- Delays execution with timeout.exe
C:\Windows\system32\bcdedit.exe | bcdedit /set {current} bootmenupolicy Legacy | depth 2 | PID 6308
- Modifies boot configuration data using bcdedit
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild" | depth 2 | PID 4528
C:\Windows\system32\reg.exe | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild | depth 3 | PID 3692
C:\Windows\system32\findstr.exe | findstr /r /c:"CurrentBuild" | depth 3 | PID 5216
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden" | depth 2 | PID 5204
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\Taskmgr.exe | "C:\Windows\system32\Taskmgr.exe" | depth 3 | PID 5848
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\timeout.exe | timeout /t 2 | depth 2 | PID 4668
- Delays execution with timeout.exe
C:\Windows\system32\reg.exe | reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences | depth 2 | PID 5536
C:\Windows\system32\taskkill.exe | taskkill /f /im taskmgr.exe | depth 2 | PID 432
- Kills process with taskkill
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f | depth 2 | PID 5644
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue" | depth 2 | PID 5232
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb" | depth 2 | PID 3052
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb" | depth 3 | PID 6112
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force" | depth 2 | PID 5252
- Command and Scripting Interpreter: PowerShell
C:\Windows\system32\icacls.exe | icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F | depth 2 | PID 232
- Possible privilege escalation attempt
- Modifies file permissions
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue" | depth 2 | PID 6696
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\system32\timeout.exe | timeout 1 | depth 2 | PID 5872
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com | chcp 65001 | depth 2 | PID 6972
C:\Windows\system32\chcp.com | chcp 437 | depth 2 | PID 5672
C:\Windows\system32\curl.exe | curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe" | depth 2 | PID 5912
C:\Windows\system32\curl.exe | curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_" | depth 2 | PID 7080
C:\Oneclick Tools\OOShutup10\OOSU10.exe | "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet | depth 2 | PID 1464
- Modifies security service
- Executes dropped EXE
- Modifies Control Panel
- System policy modification
C:\Windows\system32\timeout.exe | timeout 1 | depth 2 | PID 6256
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com | chcp 65001 | depth 2 | PID 6184
C:\Windows\system32\timeout.exe | timeout 1 | depth 2 | PID 6260
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com | chcp 65001 | depth 2 | PID 5928
C:\Windows\system32\timeout.exe | timeout 1 | depth 2 | PID 7048
- Delays execution with timeout.exe
C:\Windows\system32\chcp.com | chcp 437 | depth 2 | PID 6372
C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f | depth 2 | PID 6188
C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f | depth 2 | PID 6180
C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f | depth 2 | PID 6192
C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f | depth 2 | PID 2396
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f | depth 2 | PID 3944
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f | depth 2 | PID 6304
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f | depth 2 | PID 4340
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f | depth 2 | PID 4988
C:\Windows\system32\reg.exe | reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f | depth 2 | PID 4328
C:\Windows\system32\reg.exe | reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f | depth 2 | PID 4860
C:\Windows\system32\reg.exe | reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f | depth 2 | PID 2740
C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f | depth 2 | PID 2548
C:\Windows\system32\reg.exe | reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f | depth 2 | PID 2984
C:\Windows\system32\sc.exe | sc config wlidsvc start= disabled | depth 2 | PID 2332
C:\Windows\system32\sc.exe | sc config DisplayEnhancementService start= disabled | depth 2 | PID 1668
C:\Windows\system32\sc.exe | sc config DiagTrack start= disabled | depth 2 | PID 7052
C:\Windows\system32\sc.exe | sc config DusmSvc start= disabled | depth 2 | PID 720
C:\Windows\system32\sc.exe | sc config TabletInputService start= disabled | depth 2 | PID 5012
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config RetailDemo start= disabled | depth 2 | PID 912
C:\Windows\system32\sc.exe | sc config Fax start= disabled | depth 2 | PID 6072
C:\Windows\system32\sc.exe | sc config SharedAccess start= disabled | depth 2 | PID 4136
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config lfsvc start= disabled | depth 2 | PID 4924
C:\Windows\system32\sc.exe | sc config WpcMonSvc start= disabled | depth 2 | PID 5608
C:\Windows\system32\sc.exe | sc config SessionEnv start= disabled | depth 2 | PID 5988
C:\Windows\system32\sc.exe | sc config MicrosoftEdgeElevationService start= disabled | depth 2 | PID 1624
C:\Windows\system32\sc.exe | sc config edgeupdate start= disabled | depth 2 | PID 5364
C:\Windows\system32\sc.exe | sc config edgeupdatem start= disabled | depth 2 | PID 5392
C:\Windows\system32\sc.exe | sc config autotimesvc start= disabled | depth 2 | PID 5400
C:\Windows\system32\sc.exe | sc config CscService start= disabled | depth 2 | PID 5412
C:\Windows\system32\sc.exe | sc config TermService start= disabled | depth 2 | PID 1708
C:\Windows\system32\sc.exe | sc config SensorDataService start= disabled | depth 2 | PID 5248
C:\Windows\system32\sc.exe | sc config SensorService start= disabled | depth 2 | PID 1200
C:\Windows\system32\sc.exe | sc config SensrSvc start= disabled | depth 2 | PID 6320
C:\Windows\system32\sc.exe | sc config shpamsvc start= disabled | depth 2 | PID 6208
C:\Windows\system32\sc.exe | sc config diagnosticshub.standardcollector.service start= disabled | depth 2 | PID 6324
C:\Windows\system32\sc.exe | sc config PhoneSvc start= disabled | depth 2 | PID 1480
C:\Windows\system32\sc.exe | sc config TapiSrv start= disabled | depth 2 | PID 7132
C:\Windows\system32\sc.exe | sc config UevAgentService start= disabled | depth 2 | PID 2920
C:\Windows\system32\sc.exe | sc config WalletService start= disabled | depth 2 | PID 6364
C:\Windows\system32\sc.exe | sc config TokenBroker start= disabled | depth 2 | PID 5088
C:\Windows\system32\sc.exe | sc config WebClient start= disabled | depth 2 | PID 2856
C:\Windows\system32\sc.exe | sc config MixedRealityOpenXRSvc start= disabled | depth 2 | PID 2020
C:\Windows\system32\sc.exe | sc config stisvc start= disabled | depth 2 | PID 2296
C:\Windows\system32\sc.exe | sc config WbioSrvc start= disabled | depth 2 | PID 1408
C:\Windows\system32\sc.exe | sc config icssvc start= disabled | depth 2 | PID 6128
C:\Windows\system32\sc.exe | sc config Wecsvc start= disabled | depth 2 | PID 3968
C:\Windows\system32\sc.exe | sc config XboxGipSvc start= disabled | depth 2 | PID 2092
C:\Windows\system32\sc.exe | sc config XblAuthManager start= disabled | depth 2 | PID 4008
C:\Windows\system32\sc.exe | sc config XboxNetApiSvc start= disabled | depth 2 | PID 1236
C:\Windows\system32\sc.exe | sc config XblGameSave start= disabled | depth 2 | PID 3852
C:\Windows\system32\sc.exe | sc config SEMgrSvc start= disabled | depth 2 | PID 5944
C:\Windows\system32\sc.exe | sc config iphlpsvc start= disabled | depth 2 | PID 2384
C:\Windows\system32\sc.exe | sc config Backupper Service start= disabled | depth 2 | PID 6264
C:\Windows\system32\sc.exe | sc config BthAvctpSvc start= disabled | depth 2 | PID 6384
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config BDESVC start= disabled | depth 2 | PID 7152
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config cbdhsvc start= disabled | depth 2 | PID 3440
C:\Windows\system32\sc.exe | sc config CDPSvc start= disabled | depth 2 | PID 1360
C:\Windows\system32\sc.exe | sc config CDPUserSvc start= disabled | depth 2 | PID 1928
C:\Windows\system32\sc.exe | sc config DevQueryBroker start= disabled | depth 2 | PID 4276
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config DevicesFlowUserSvc start= disabled | depth 2 | PID 3516
C:\Windows\system32\sc.exe | sc config dmwappushservice start= disabled | depth 2 | PID 7120
C:\Windows\system32\sc.exe | sc config DispBrokerDesktopSvc start= disabled | depth 2 | PID 6044
C:\Windows\system32\sc.exe | sc config TrkWks start= disabled | depth 2 | PID 5176
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config dLauncherLoopback start= disabled | depth 2 | PID 4644
C:\Windows\system32\sc.exe | sc config EFS start= disabled | depth 2 | PID 5268
C:\Windows\system32\sc.exe | sc config fdPHost start= disabled | depth 2 | PID 4528
C:\Windows\system32\sc.exe | sc config FDResPub start= disabled | depth 2 | PID 1240
C:\Windows\system32\sc.exe | sc config IKEEXT start= disabled | depth 2 | PID 5236
C:\Windows\system32\sc.exe | sc config NPSMSvc start= disabled | depth 2 | PID 5292
C:\Windows\system32\sc.exe | sc config WPDBusEnum start= disabled | depth 2 | PID 5900
C:\Windows\system32\sc.exe | sc config PcaSvc start= disabled | depth 2 | PID 6760
C:\Windows\system32\sc.exe | sc config RasMan start= disabled | depth 2 | PID 5304
C:\Windows\system32\sc.exe | sc config RetailDemo start=disabled | depth 2 | PID 5192
C:\Windows\system32\sc.exe | sc config SstpSvc start=disabled | depth 2 | PID 2948
C:\Windows\system32\sc.exe | sc config ShellHWDetection start= disabled | depth 2 | PID 1760
- Launches sc.exe
C:\Windows\system32\sc.exe | sc config SSDPSRV start= disabled | depth 2 | PID 5920
C:\Windows\system32\sc.exe | sc config SysMain start= disabled | depth 2 | PID 7024
C:\Windows\system32\sc.exe | sc config OneSyncSvc start= disabled | depth 2 | PID 6424
C:\Windows\system32\sc.exe | sc config lmhosts start= disabled | depth 2 | PID 2100
C:\Windows\system32\sc.exe | sc config UserDataSvc start= disabled | depth 2 | PID 3520
C:\Windows\system32\sc.exe | sc config UnistoreSvc start= disabled | depth 2 | PID 6508
C:\Windows\system32\sc.exe | sc config Wcmsvc start= disabled | depth 2 | PID 3524
C:\Windows\system32\sc.exe | sc config FontCache start= disabled | depth 2 | PID 5212
C:\Windows\system32\sc.exe | sc config W32Time start= disabled | depth 2 | PID 3864
C:\Windows\system32\sc.exe | sc config tzautoupdate start= disabled | depth 2 | PID 5340
-
C:\Windows\system32\sc.exesc config DsSvc start= disabled2⤵PID:5768
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_5f1ad start= disabled2⤵PID:6100
-
C:\Windows\system32\sc.exesc config diagsvc start= disabled2⤵PID:4432
-
C:\Windows\system32\sc.exesc config DialogBlockingService start= disabled2⤵
- Launches sc.exe
PID:4016 -
C:\Windows\system32\sc.exesc config PimIndexMaintenanceSvc_5f1ad start= disabled2⤵PID:5680
-
C:\Windows\system32\sc.exesc config MessagingService_5f1ad start= disabled2⤵PID:5308
-
C:\Windows\system32\sc.exesc config AppVClient start= disabled2⤵PID:4140
-
C:\Windows\system32\sc.exesc config MsKeyboardFilter start= disabled2⤵PID:5612
-
C:\Windows\system32\sc.exesc config NetTcpPortSharing start= disabled2⤵PID:4332
-
C:\Windows\system32\sc.exesc config ssh-agent start= disabled2⤵
- Launches sc.exe
PID:5384 -
C:\Windows\system32\sc.exesc config SstpSvc start= disabled2⤵PID:5832
-
C:\Windows\system32\sc.exesc config OneSyncSvc_5f1ad start= disabled2⤵PID:6516
-
C:\Windows\system32\sc.exesc config wercplsupport start= disabled2⤵PID:6476
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start= disabled2⤵PID:6536
-
C:\Windows\system32\sc.exesc config WerSvc start= disabled2⤵
- Launches sc.exe
PID:180 -
C:\Windows\system32\sc.exesc config WpnUserService_5f1ad start= disabled2⤵PID:5956
-
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start= disabled2⤵
- Launches sc.exe
PID:4948 -
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDInstallLauncher" /f2⤵PID:4836
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDLinkUpdate" /f2⤵PID:5764
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f2⤵PID:6404
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "Driver Easy Scheduled Scan" /f2⤵PID:4316
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "ModifyLinkUpdate" /f2⤵PID:5752
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "SoftMakerUpdater" /f2⤵PID:6416
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "StartCN" /f2⤵PID:3000
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "StartDVR" /f2⤵PID:5232
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable2⤵PID:1968
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable2⤵PID:2200
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable2⤵PID:2720
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable2⤵PID:6528
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable2⤵PID:2988
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable2⤵PID:6560
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable2⤵PID:4828
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable2⤵PID:6060
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable2⤵PID:4348
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable2⤵PID:5856
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable2⤵PID:1544
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable2⤵PID:6628
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable2⤵PID:6764
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable2⤵PID:6568
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable2⤵PID:512
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable2⤵PID:5864
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable2⤵PID:6756
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable2⤵PID:6772
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable2⤵PID:6712
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable2⤵PID:6748
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable2⤵PID:6584
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable2⤵PID:6980
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable2⤵PID:3136
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable2⤵PID:6884
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable2⤵PID:6872
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable2⤵PID:6700
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable2⤵PID:6732
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable2⤵PID:6912
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable2⤵PID:5996
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable2⤵PID:6684
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable2⤵PID:6448
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable2⤵PID:6752
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable2⤵PID:5888
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵PID:5060
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵PID:6460
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable2⤵PID:6436
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable2⤵PID:7092
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable2⤵PID:5440
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable2⤵PID:7108
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable2⤵PID:5472
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable2⤵PID:7068
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable2⤵PID:7080
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable2⤵PID:1876
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable2⤵PID:7096
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable2⤵PID:3680
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable2⤵PID:5436
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable2⤵PID:4708
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable2⤵PID:6268
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable2⤵PID:4992
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable2⤵PID:6260
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable2⤵PID:5928
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable2⤵PID:7048
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable2⤵PID:6372
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable2⤵PID:6188
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable2⤵PID:6180
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable2⤵PID:6192
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable2⤵PID:2396
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable2⤵PID:3944
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable2⤵PID:6304
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable2⤵PID:4340
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable2⤵PID:4988
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable2⤵PID:4328
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable2⤵PID:4860
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable2⤵PID:2740
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable2⤵PID:2548
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable2⤵PID:2984
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable2⤵PID:928
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable2⤵PID:6204
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable2⤵PID:3908
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable2⤵PID:624
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable2⤵PID:1996
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable2⤵PID:6072
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable2⤵PID:1172
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable2⤵PID:4512
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable2⤵PID:5988
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable2⤵PID:5376
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable2⤵PID:5396
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable2⤵PID:5400
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5412 -
C:\Windows\system32\sc.exesc stop uhssvc2⤵PID:6296
-
C:\Windows\system32\sc.exesc stop upfc2⤵PID:3540
-
C:\Windows\system32\sc.exesc stop PushToInstall2⤵PID:6220
-
C:\Windows\system32\sc.exesc stop BITS2⤵PID:6284
-
C:\Windows\system32\sc.exesc stop InstallService2⤵PID:6324
-
C:\Windows\system32\sc.exesc stop uhssvc2⤵PID:4468
-
C:\Windows\system32\sc.exesc stop UsoSvc2⤵PID:2456
-
C:\Windows\system32\sc.exesc stop wuauserv2⤵PID:3976
-
C:\Windows\system32\sc.exesc stop LanmanServer2⤵PID:5088
-
C:\Windows\system32\sc.exesc config BITS start= disabled2⤵PID:2892
-
C:\Windows\system32\sc.exesc config InstallService start= disabled2⤵PID:2020
-
C:\Windows\system32\sc.exesc config uhssvc start= disabled2⤵
- Launches sc.exe
PID:1408 -
C:\Windows\system32\sc.exesc config UsoSvc start= disabled2⤵PID:6128
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled2⤵PID:3968
-
C:\Windows\system32\sc.exesc config LanmanServer start= disabled2⤵PID:2092
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f2⤵PID:6336
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f2⤵PID:1484
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f2⤵PID:6396
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f2⤵
- Modifies security service
PID:2384 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f2⤵PID:1332
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f2⤵PID:4104
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f2⤵PID:4192
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f2⤵PID:400
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f2⤵PID:1928
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f2⤵PID:7116
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f2⤵PID:6276
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f2⤵PID:6044
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f2⤵PID:3692
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable2⤵PID:6048
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable2⤵PID:1188
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable2⤵PID:1240
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable2⤵PID:5216
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable2⤵PID:3824
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable2⤵PID:6760
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable2⤵PID:4812
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable2⤵PID:2028
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable2⤵PID:5204
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable2⤵PID:5920
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable2⤵PID:6520
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable2⤵PID:2252
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4768 -
C:\Windows\system32\sc.exesc config RemoteRegistry start= disabled2⤵
- Launches sc.exe
PID:3524 -
C:\Windows\system32\sc.exesc config RemoteAccess start= disabled2⤵PID:5212
-
C:\Windows\system32\sc.exesc config WinRM start= disabled2⤵PID:3864
-
C:\Windows\system32\sc.exesc config RmSvc start= disabled2⤵
- Launches sc.exe
PID:5824 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2204 -
C:\Windows\system32\sc.exesc config PrintNotify start= disabled2⤵PID:4432
-
C:\Windows\system32\sc.exesc config Spooler start= disabled2⤵PID:4016
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable2⤵PID:5680
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable2⤵PID:4344
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:6688 -
C:\Windows\system32\sc.exesc config PrintNotify start= disabled2⤵
- Launches sc.exe
PID:4332 -
C:\Windows\system32\sc.exesc config Spooler start= disabled2⤵
- Launches sc.exe
PID:1872 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:6504
-
C:\Windows\system32\sc.exesc config NlaSvc start= disabled2⤵PID:6476
-
C:\Windows\system32\sc.exesc config LanmanWorkstation start= disabled2⤵PID:6536
-
C:\Windows\system32\sc.exesc config BFE start= demand2⤵
- Launches sc.exe
PID:180 -
C:\Windows\system32\sc.exesc config Dnscache start= demand2⤵PID:5956
-
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start= demand2⤵
- Launches sc.exe
PID:4948 -
C:\Windows\system32\sc.exesc config Dhcp start= auto2⤵
- Launches sc.exe
PID:6408 -
C:\Windows\system32\sc.exesc config DPS start= auto2⤵PID:1828
-
C:\Windows\system32\sc.exesc config lmhosts start= disabled2⤵PID:5628
-
C:\Windows\system32\sc.exesc config nsi start= auto2⤵PID:6660
-
C:\Windows\system32\sc.exesc config Wcmsvc start= disabled2⤵PID:4316
-
C:\Windows\system32\sc.exesc config Winmgmt start= auto2⤵
- Launches sc.exe
PID:5752 -
C:\Windows\system32\sc.exesc config WlanSvc start= demand2⤵PID:5196
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f2⤵PID:4224
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f2⤵PID:5592
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable2⤵PID:404
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable2⤵PID:5516
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable2⤵PID:2172
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable2⤵PID:6528
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2988 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:6560
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4828 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:6060
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4348 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:5856
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1544 -
C:\Windows\system32\sc.exesc config ALG start=disabled2⤵PID:6628
-
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵PID:6764
-
C:\Windows\system32\sc.exesc config XblAuthManager start=disabled2⤵PID:5812
-
C:\Windows\system32\sc.exesc config XblGameSave start=disabled2⤵
- Launches sc.exe
PID:976 -
C:\Windows\system32\sc.exesc config XboxNetApiSvc start=disabled2⤵PID:860
-
C:\Windows\system32\sc.exesc config WSearch start=disabled2⤵PID:5864
-
C:\Windows\system32\sc.exesc config lfsvc start=disabled2⤵PID:6780
-
C:\Windows\system32\sc.exesc config RemoteRegistry start=disabled2⤵PID:232
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=disabled2⤵PID:6772
-
C:\Windows\system32\sc.exesc config SEMgrSvc start=disabled2⤵PID:6636
-
C:\Windows\system32\sc.exesc config SCardSvr start=disabled2⤵PID:4808
-
C:\Windows\system32\sc.exesc config Netlogon start=disabled2⤵PID:6976
-
C:\Windows\system32\sc.exesc config CscService start=disabled2⤵PID:6956
-
C:\Windows\system32\sc.exesc config icssvc start=disabled2⤵PID:6980
-
C:\Windows\system32\sc.exesc config wisvc start=disabled2⤵PID:6876
-
C:\Windows\system32\sc.exesc config RetailDemo start=disabled2⤵PID:6944
-
C:\Windows\system32\sc.exesc config WalletService start=disabled2⤵PID:6740
-
C:\Windows\system32\sc.exesc config Fax start=disabled2⤵PID:6872
-
C:\Windows\system32\sc.exesc config WbioSrvc start=disabled2⤵PID:6716
-
C:\Windows\system32\sc.exesc config iphlpsvc start=disabled2⤵PID:6644
-
C:\Windows\system32\sc.exesc config wcncsvc start=disabled2⤵PID:6908
-
C:\Windows\system32\sc.exesc config fhsvc start=disabled2⤵PID:6696
-
C:\Windows\system32\sc.exesc config PhoneSvc start=disabled2⤵PID:5996
-
C:\Windows\system32\sc.exesc config seclogon start=disabled2⤵PID:7044
-
C:\Windows\system32\sc.exesc config FrameServer start=disabled2⤵PID:1012
-
C:\Windows\system32\sc.exesc config WbioSrvc start=disabled2⤵PID:5672
-
C:\Windows\system32\sc.exesc config StiSvc start=disabled2⤵PID:6752
-
C:\Windows\system32\sc.exesc config PcaSvc start=disabled2⤵PID:64
-
C:\Windows\system32\sc.exesc config DPS start=disabled2⤵PID:7060
-
C:\Windows\system32\sc.exesc config MapsBroker start=disabled2⤵PID:4880
-
C:\Windows\system32\sc.exesc config bthserv start=disabled2⤵PID:5912
-
C:\Windows\system32\sc.exesc config BDESVC start=disabled2⤵PID:6436
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start=disabled2⤵PID:5444
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=disabled2⤵PID:5348
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵PID:5464
-
C:\Windows\system32\sc.exesc config CertPropSvc start=disabled2⤵PID:7108
-
C:\Windows\system32\sc.exesc config WdiServiceHost start=disabled2⤵PID:5448
-
C:\Windows\system32\sc.exesc config lmhosts start=disabled2⤵PID:7084
-
C:\Windows\system32\sc.exesc config WdiSystemHost start=disabled2⤵PID:3480
-
C:\Windows\system32\sc.exesc config TrkWks start=disabled2⤵PID:7080
-
C:\Windows\system32\sc.exesc config WerSvc start=disabled2⤵PID:1876
-
C:\Windows\system32\sc.exesc config TabletInputService start=disabled2⤵
- Launches sc.exe
PID:3556 -
C:\Windows\system32\sc.exesc config EntAppSvc start=disabled2⤵PID:7112
-
C:\Windows\system32\sc.exesc config Spooler start=disabled2⤵PID:3092
-
C:\Windows\system32\sc.exesc config BcastDVRUserService start=disabled2⤵PID:6344
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start=disabled2⤵
- Launches sc.exe
PID:1464 -
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start=disabled2⤵PID:6268
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=disabled2⤵PID:6252
-
C:\Windows\system32\sc.exesc config PNRPAutoReg start=disabled2⤵PID:6248
-
C:\Windows\system32\sc.exesc config wlidsvc start=disabled2⤵PID:3712
-
C:\Windows\system32\sc.exesc config AXInstSV start=disabled2⤵PID:5224
-
C:\Windows\system32\sc.exesc config lfsvc start=disabled2⤵
- Launches sc.exe
PID:3232 -
C:\Windows\system32\sc.exesc config NcbService start=disabled2⤵PID:6372
-
C:\Windows\system32\sc.exesc config DeviceAssociationService start=disabled2⤵PID:6176
-
C:\Windows\system32\sc.exesc config StorSvc start=disabled2⤵
- Launches sc.exe
PID:6152 -
C:\Windows\system32\sc.exesc config TieringEngineService start=disabled2⤵PID:6200
-
C:\Windows\system32\sc.exesc config DPS start=disabled2⤵PID:5964
-
C:\Windows\system32\sc.exesc config Themes start=disabled2⤵PID:2396
-
C:\Windows\system32\sc.exesc config AppReadiness start=disabled2⤵PID:5640
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5164 -
C:\Windows\system32\sc.exesc config HvHost start=disabled2⤵PID:6116
-
C:\Windows\system32\sc.exesc config vmickvpexchange start=disabled2⤵PID:8
-
C:\Windows\system32\sc.exesc config vmicguestinterface start=disabled2⤵PID:4988
-
C:\Windows\system32\sc.exesc config vmicshutdown start=disabled2⤵PID:4328
-
C:\Windows\system32\sc.exesc config vmicheartbeat start=disabled2⤵PID:4860
-
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateOnDemand.exe"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateOnDemand.exe" -Embedding1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:324 -
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5576 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5484 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe2d3b7c38,0x7ffe2d3b7c44,0x7ffe2d3b7c504⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4816 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=1944 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1840,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5832 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2344,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5768 -
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=3216 /prefetch:1 (level 4)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID: 3872
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1 (level 4)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID: 3528
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:2 (level 4)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID: 5644
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4564,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:1 (level 4)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID: 1940
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4672,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4648 /prefetch:1 (level 4)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID: 3636
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4884,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:8 (level 4)
- Executes dropped EXE
- Loads dropped DLL
PID: 2324
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5176,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8 (level 4)
- Executes dropped EXE
- Loads dropped DLL
PID: 64
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5512,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:8 (level 4)
- Executes dropped EXE
- Loads dropped DLL
PID: 2600
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5388,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8 (level 4)
- Executes dropped EXE
- Loads dropped DLL
PID: 2100
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5676,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8 (level 4)
- Executes dropped EXE
- Loads dropped DLL
PID: 5152
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5312,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:2 (level 4)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID: 6660
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5816,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:1 (level 4)
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID: 6412
-
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=6252,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:8 (level 4)
- Executes dropped EXE
- Loads dropped DLL
PID: 5812
-
C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe" (level 1)
- Executes dropped EXE
PID: 2448
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc (level 1)
PID: 5736
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc (level 1)
PID: 5676
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache (level 1)
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID: 6432
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS (level 1)
- Drops file in System32 directory
- Checks processor information in registry
PID: 4436
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost (level 1)
PID: 5924
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost (level 1)
PID: 6132
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Browser Extensions (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
- Power Settings (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- File and Directory Permissions Modification (2)
  - Windows File and Directory Permissions Modification (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (1)
  - Ignore Process Interrupts (1)
- Impair Defenses (4)
  - Disable or Modify Tools (2)
- Indicator Removal (1)
  - File Deletion (1)
- Modify Registry (12)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize
595B
MD58161bf7a280f56447ce0b00c58e61454
SHA1bd486490f624db194c0949d0b1066defaf47a94c
SHA256ef88cc1f1f70c5209a578ef52d309435361f8c94eaf02323a21d13209ff2830b
SHA5121f8e87b11e10526d440f805bc05731c9755f847bc5cf00dae473db561c59d27688eff0da25c38a11b43a57b3c6d486ada23879ce9e347cc8d38e84293871f047
-
Filesize
595B
MD5cb2c9697111e87008354d236d31950de
SHA1eb6d7e2156462d483ae9e8715da74e96fb7056d7
SHA25656eb573349bb23d498705ea5ee72a995c8d064a214faa251347be97483352b66
SHA512dc172f2670b50b84d72fdb0351cf0da29c62862fdb19076b06dfe4d6f9aeab7db2c4ba45842112f9b5264b8afabd0eafb6f590165d5f47e0c2a72f096d74cccb
-
Filesize
6KB
MD5474f601c2de483908332bd38ab55c5bf
SHA133038f08c65da089dc9adeeab49ebfbe7b6922c9
SHA25661d378ee9b509949f4bcabdfdebf8738e3eaf64a3b3efd12ba7b27be47d9526a
SHA512dbb0989137ba766ff467eb310c173bd24327a925154f74131567bbc425c815e8f65178b13a9f928053f60cc6bb4762d971be6082b8e55fcb40d3645feaf2461c
-
Filesize
6KB
MD5ced586e08484eb45e7a177a52fc6f3d2
SHA1581a543bcf3a19bd5eb7e2545c114c9a8e8684d9
SHA256b08963841f1ebbf57e45efec0ddcbb655bd29db29c4c8877d7be3551e378c92e
SHA51287cb0c78f3994d11d36e122b0d97acb0f9161081f6e6828d28bfd061e80824e7b98d4d2a5ba2e519f0b12931599d346919708f9ecffc85295b06dc8a1060c41b
-
Filesize
5KB
MD557e3919b8bf69bce109cd988eee52b8a
SHA13933c37c8bcb4c376e5b1dcfb7f7eeac14cf5f68
SHA256521a06a95ae838ff6049926f2b859e066aef11bf11932b1b0dd9e03703515ec8
SHA512ef01b56d9490bb903641e23e01880fbc6fd23fea0b481cf821d06e3000ecf0aca5b56e6fbe8d2791e9a26fb53835983803fb8ea0d5a0ca67bb1ea4d415ec71d7
-
Filesize
6KB
MD553be6d230fee87ba615bf94ec9fd1033
SHA199fe0174c91510e0670c1d1371dbb8209b7f2303
SHA25686624ed4436bec7f01cd814eb2cf6cd0838f9eb8ce189c7feac807cfb1cd17aa
SHA512ba934b65983e8bb5372bdd573f87ee2630a64f71321645328625708485fef93138410611af21807ffd332ea6dc0334a3c2564bcdca7f77dc2ca4f3e13bffe805
-
Filesize
1KB
MD562bafbd3c8f283b5e75e732036d3ef78
SHA1ffe882a24cab77308c5268fd4904612cff2570f1
SHA2569aec52e7c2daac67288a5f934cdd3b967a2b0afde323ea4375dfafeda2c77e63
SHA5123658a31dec4100789c96dfa7f4fb01831673b332fa80155aa56e042e673dba3ad264be99cd52a64f815f9f7fd698fba65b9d34b6bbd3fc8538c476e09d50e6af
-
Filesize
1KB
MD5fda604a6335c7449251959f4737093b0
SHA1b3b1fa25b0270dbad138382d08ebefb108fc1ade
SHA256638fbfbbccdc0ad034c21e2263edd9a53d0ac7ba90250e2a918d6eb1a2e6a1dd
SHA5129dad51d6ec6ff80f682cb4db025be8119876358de630d9175c9208c2e3bd3dc2920aba1d6ed3ba67f6da7ac6022ec8e8316d3e95e30c70f320dc27b171d0ba9a
-
Filesize
1KB
MD5854a1c3b85850b208de3905c76a35717
SHA144fa87acb6f004f2892b33f191df8bd92b5aab07
SHA25639afa504f89086999abc0d9f7258f436bb8f11435164b7b50941e2aceaeffa28
SHA5127121c76c9a0a724e2c5c668ff9596de6e61b688a1300d7c83c0eb5ad3dd8f62610af1e8d096c57dac699a21c5532b144770d197b1e4cc0ea06518d8ea9f977d5
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5dbee2abcde33e39597ceac978345103a
SHA15145e06d593f2fec876e0bc645e0dbf604f187f7
SHA25611245d7a247df12a645694c2fefea35a6b20995c0ea2e190868cdcc5230119d2
SHA512a02ac79558ab3805ad610f6bfa353dbd8c3c9aa20c64aa1bcb751fd033e460385f18b345d896b11a6ad9ed04df805b4c37298429f91b1c8e1129fd2e5b01fca7
-
Filesize
10KB
MD5c33fb6f93ce9799e35bb956cbdcbfd3b
SHA1673b1f65ad28a22277706d0b9f188910786d64cf
SHA256f2ae55e1d231dff82631858d4ed675ec9b62345d59de4411301a27cef67ca215
SHA512b2c57bdae8c7ab4684c3c2777bba9abd01533847fbd4ec0ea392af794abf42670f5846f8bb58d8fe09b7eafb6a974493da035e11b4787b4d3a52227742e1ce35
-
Filesize
10KB
MD59550de33b8192f3f660b6643fb35ef7c
SHA1d5b558cbe1b7cb70f21ada5a5dea974e73dd05c0
SHA256f8e0cb3047066e40854ea027878badc8c53192db469de294e86aa644ad40e490
SHA512a7ad72e8271d97206021135cc1f81308868c88ffd4826ae3fdac0b56f200ed002eed494bb94978bfdcc9158d30b1ee0ec0474ed354c90425e728e440f96dbb6e
-
Filesize
1KB
MD508f9f3eb63ff567d1ee2a25e9bbf18f0
SHA16bf06056d1bb14c183490caf950e29ac9d73643a
SHA25682147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\FKEP33TV\microsoft.windows[1].xml
Filesize96B
MD5dcfd0f22889d8b3a982fbe019d01d543
SHA1fe866022f3fdf8fba4d3bd366ff0e2683fe58e59
SHA2562337927b5b24c83c8ab37dfc0fe7ddcd832ffb16d0cee5d50344478218893f5b
SHA51211b59e18705c1d95508e298938525f931c12c9010cdc03fad15f5585bc503713670d93739668d886ed9446d528c3dc7ac8cbc8e52198eb85ea6557821a124cc8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize24KB
MD5940dcd95a1c6f9a23a4fbc099c8efc00
SHA11498652de4952e3fceee7ec946b6debef91598a8
SHA25646bc0156219c1b0f1dd9b0ecca15fb323e7f258d9b5a23244fd35049886659e9
SHA512316998dada195a2e35d464fe610dd4c76a8a9a5e9de572f20a65dc2c870b6024e905f29c23d0673bb2282dabb50e8348d08d3f64156fe0c3278da82fe3c78bd1
-
Filesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
1KB
MD537e13ff000d5e6525a73883e06e4e014
SHA18fb2855ecbd27e5c46f7d4aecde40d081ccedd89
SHA256a219307ba6fa1f783801a985f4efa80c10b3a7e2436c9eebe96f09dca1083989
SHA512c1d2e73803ed916ccdea5b932ad2ece58c24332308bc4bc37cc93cf032bc36f1d49c2ac6881870208974ff6818bfa033761514f6baf1b8f68b8bf20eec1a0869
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD5b874dd88e19a762253c4522957783943
SHA1905a7fa75eedfed81d506ad53a5fe45efa3fe1e7
SHA2565eb56e7db3bc09ddd81b31ed2a3487f82d813a0b0a868e8d58a053fd389d026a
SHA51251a3f4dc2c177dedab357f044155c96aef9cf769ceaa96b7b80a1c39a8d438dc0c003ebaffe2d6aa6db608f056eb8835cc3995e551459746cfafdae1c4196a3b
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
1.3MB
MD5d8dc00ed1b4565dc180ceacd4b44ced3
SHA1623cd693f170780c1859bc6d9f8c693e8d1b5cfa
SHA2563b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21
SHA512b77d52184a9b40fab368e4e67179c5fc71825a3895dc665ded380dc1c5a44d7da12be97c5637ef2c35e8ae73cd1354a7a40e54947c5aa5dbdba1c76820c51a83
-
Filesize
5.3MB
MD5cc25bc2f1b5dec7e9e7ab3289ed92cc7
SHA1449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2
SHA25625aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313
SHA512e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a
-
Filesize
652B
MD5bca950304b3dd58603299fc2827ff6bc
SHA1ad757dc6f77b11387aac17007104ac865947a255
SHA2566a0f5d1c38fb2982d37ad6b1eae94dac76cbf405d8221db0744c2a25461733a2
SHA51210753941b3bd27d08a33daeb1da961f7693bf75de908a031c387079e923232f73b51a1538df94a92d7a3b8d289512a7cc7352dc9ffbb955aedf2c9a7820bd19c
-
Filesize
1KB
MD566ca8de746bd5bc09574b9b5d72a91bb
SHA1ae5b33f83239264d6202d1b9fdff566e851b85e4
SHA2568221e96e5aef72f45e31a858a97638c7f2fc0bad68f6a21d92edb26cfba20f2b
SHA51280d6b675b08acc1bdd65da19938c2a30a0bdb4ba75459d2677e56345720a5ce5590ace5aae48f2ca1bb14315cd73c40adb841af0ff917799a6a8e5963871e74a
-
Filesize
369B
MD59ebaf72cd6b2f98e0e34975522b66eff
SHA1ba124e877022efeadb51ce151f3eec0be193bd86
SHA256a40642ede8b73996b6887f5a18928ace7b661cbf8e1115b1676685fad499b274
SHA512efe7a994620f28e2c1465a0d33dbf4942115184650417e6348b20ffe9ed24844ec5c8c4e30a3a667627c3ea628f0c00ef2ade757e3673d51da46b6023a9c71f5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e