Analysis
max time kernel: 231s
max time network: 332s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-11-2024 13:05
Static task: static1
Behavioral task: behavioral1
Sample: Oneclick-V6.7.bat
Resource: win11-20241007-en

General
Target: Oneclick-V6.7.bat
Size: 202KB
MD5: 4acd7d1e7294d4ab4e9db8977d5135e4
SHA1: 07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256: b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512: d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
SSDEEP: 1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk
Malware Config

Signatures

Modifies security service (2 TTPs, 2 IoCs)
Processes: OOSU10.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | OOSU10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | reg.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | reg.exe
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Modifies boot configuration data using bcdedit (1 TTPs, 4 IoCs)

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Processes: powershell.exe
pid process: 5316 powershell.exe, 3624 powershell.exe, 5296 powershell.exe, 5520, 5840, 4244, 1340, 5676 powershell.exe, 3368 powershell.exe, 5616 powershell.exe, 5828 powershell.exe, 2920, 5556 powershell.exe, 5876, 5128 powershell.exe, 5984 powershell.exe, 3688 powershell.exe, 1164 powershell.exe, 1068 powershell.exe, 6044 powershell.exe, 5480, 2696 powershell.exe, 2716 powershell.exe, 5660, 5412, 5856 powershell.exe, 4376 powershell.exe, 5756 powershell.exe, 5736 powershell.exe, 5308, 6516, 4188 powershell.exe, 4748 powershell.exe, 5768 powershell.exe, 5608, 1340 powershell.exe, 5212, 1416 powershell.exe, 2380 powershell.exe, 2892 powershell.exe, 4484 powershell.exe, 5908 powershell.exe, 2092, 2324, 5420, 4784, 996 powershell.exe, 5908 powershell.exe, 5964, 5792 powershell.exe, 1840 powershell.exe, 4744 powershell.exe, 1092 powershell.exe, 2388 powershell.exe, 4360, 3984 powershell.exe, 5184 powershell.exe, 6020 powershell.exe, 5332 powershell.exe, 5788, 6356, 6988, 3204 powershell.exe, 2804 powershell.exe
Downloads MZ/PE file
Possible privilege escalation attempt (13 IoCs)
Processes: icacls.exe, takeown.exe
pid process: 4876 icacls.exe, 3896 takeown.exe, 536 takeown.exe, 2760 icacls.exe, 2528 takeown.exe, 3176 icacls.exe, 1232 icacls.exe, 2844 takeown.exe, 4752 icacls.exe, 2948 icacls.exe, 3944 takeown.exe, 3432 icacls.exe, 1244 takeown.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (4 IoCs)
Processes: OOSU10.exe, NSudoLG.exe
pid process: 624 OOSU10.exe, 4940 NSudoLG.exe, 2084 NSudoLG.exe, 5924
Modifies file permissions (1 TTPs, 13 IoCs)
Processes: icacls.exe, takeown.exe
pid process: 4876 icacls.exe, 4752 icacls.exe, 536 takeown.exe, 2760 icacls.exe, 2948 icacls.exe, 3944 takeown.exe, 1244 takeown.exe, 2844 takeown.exe, 3896 takeown.exe, 2528 takeown.exe, 3432 icacls.exe, 3176 icacls.exe, 1232 icacls.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | reg.exe
Key deleted | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console" |
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\uejf7w | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
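The registry values the signatures above attribute to the sample (wuauserv Start=4, EnableLUA=0, HideFileExt=0, the HKLM and HKCU Run entries) plus the HttpAcceptLanguageOptOut value listed further down can be checked on a suspected host with the PowerShell below. This is an added example written for this page, not code from the sandbox or from the analysed batch file. The paths and values are copied from the report's IoCs; the function names, the wildcard patterns, and the use of CurrentControlSet in place of the ControlSet001 the report shows are assumptions.

```powershell
# Added example (not from the report or the analysed script): read-only audit of a
# host for the registry values this report attributes to Oneclick-V6.7.bat.
# Run elevated so HKLM\SYSTEM and the Policies key are readable. Nothing is changed.
# Assumption: the live hive is read through CurrentControlSet; the report shows the
# same values under ControlSet001 on the sandbox image.

$Indicators = @(
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv';                   Name='Start';                    Flag=4;                          Why='Windows Update service set to Disabled (Start=4)' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name='EnableLUA';                Flag=0;                          Why='UAC disabled (EnableLUA=0)' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt';              Flag=0;                          Why='extension hiding changed by reg.exe (HideFileExt=0)' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name='TimerResolution';          Flag='*SetTimerResolution.exe*'; Why='dropped tool registered to autostart' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name='uejf7w';                   Flag='*';                        Why='unexplained HKCU Run value written by reg.exe' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name='OneDriveSetup';            Flag='*';                        Why='OneDriveSetup Run value rewritten by reg.exe' }
    @{ Path='HKCU:\Control Panel\International\User Profile';                    Name='HttpAcceptLanguageOptOut'; Flag=1;                          Why='value set by OOSU10.exe in the report' }
)

function Test-OneclickRegistryIoCs {
    # Emits one object per indicator; Hit is $true when the live value matches the
    # value the report recorded. Missing keys or values simply yield Actual = $null.
    foreach ($ioc in $Indicators) {
        $actual = $null
        $props  = Get-ItemProperty -Path $ioc.Path -Name $ioc.Name -ErrorAction SilentlyContinue
        if ($null -ne $props) { $actual = $props.($ioc.Name) }

        $hit = $false
        if ($null -ne $actual) {
            if ($ioc.Flag -is [string]) { $hit = ("$actual" -like $ioc.Flag) }    # wildcard match for REG_SZ
            else                        { $hit = ([int64]$actual -eq $ioc.Flag) } # exact match for REG_DWORD
        }
        [pscustomobject]@{ Hit = $hit; Path = $ioc.Path; Name = $ioc.Name; Actual = $actual; Note = $ioc.Why }
    }
}

function Get-RunEntries {
    # Dump every value in the autostart keys the report shows reg.exe deleting and
    # rewriting, so entries with names the report did not capture are visible too.
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
        $key = $_
        if (-not (Test-Path -Path $key)) {
            # "Key deleted" in the report: a missing Run key is itself a finding.
            [pscustomobject]@{ Key = $key; Name = '(key missing)'; Command = $null }
            return
        }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }
}

Test-OneclickRegistryIoCs | Sort-Object Hit -Descending | Format-Table -AutoSize
Get-RunEntries | Format-Table -AutoSize
```

A hit on EnableLUA=0 or wuauserv Start=4 is worth acting on regardless of whether this particular script ran; the Run-key dump matters because the report shows the whole HKCU and HKLM Run keys deleted and recreated, so legitimate autostart entries may be gone as well as new ones added.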
Enumerates connected drives (3 TTPs, 50 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: SearchIndexer.exe, explorer.exe
File opened (read-only) by SearchIndexer.exe: \??\T:, \??\Z:, \??\F:, \??\h:, \??\k:, \??\Q:, \??\t:, \??\W:, \??\j:, \??\n:, \??\q:, \??\S:, \??\m:, \??\O:, \??\U:, \??\a:, \??\J:, \??\r:, \??\w:, \??\y:, \??\Y:, \??\z:, \??\B:, \??\M:, \??\N:, \??\X:, \??\H:, \??\i:, \??\I:, \??\s:, \??\A:, \??\e:, \??\g:, \??\G:, \??\v:, \??\b:, \??\K:, \??\o:, \??\p:, \??\P:, \??\R:, \??\u:, \??\V:, \??\D:, \??\E:, \??\l:, \??\L:, \??\x:
File opened (read-only) by explorer.exe: \??\D:, \??\F:
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)

Indicator Removal: File Deletion (1 TTPs)
Adversaries may delete files left behind by the actions of their intrusion activity.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
flow | ioc
4 | raw.githubusercontent.com
10 | raw.githubusercontent.com
41 | drive.google.com
43 | drive.google.com
144 | raw.githubusercontent.com
300 | drive.google.com
Power Settings (1 TTPs, 25 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes: powercfg.exe
pid process: 6260, 6416, 6464, 6652, 6688, 6800, 6192, 5468, 5744, 5436, 6708, 6776, 6660, 6888, 6836, 2512 powercfg.exe, 6276, 5704, 6428, 6704, 5404, 3036, 6372, 6696, 3472
Drops file in System32 directory (9 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\SRU\SRU.chk | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | svchost.exe
File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d0f9719f-3c53-47e6-bd0b-43e20030a528}\snapshot.etl | svchost.exe
File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRU.log | svchost.exe
File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d0f9719f-3c53-47e6-bd0b-43e20030a528}\snapshot.etl | svchost.exe
File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1537126222-899333903-2037027349-1000_StartupInfo3.xml | svchost.exe
File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1537126222-899333903-2037027349-1000_UserData.bin | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid process: 3604, 3604
Drops file in Windows directory (10 IoCs)
Processes: TiWorker.exe, svchost.exe, chrome.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\ | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\ | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat | svchost.exe
File opened for modification | C:\Windows\SystemTemp | chrome.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-System.dat | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-1537126222-899333903-2037027349-1000.dat | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-FontSet-S-1-5-21-1537126222-899333903-2037027349-1000.dat | svchost.exe
Hide Artifacts: Ignore Process Interrupts (1 TTPs, 3 IoCs)
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Processes: powershell.exe
pid process: 4880 powershell.exe, 2220 powershell.exe, 704 powershell.exe
Launches sc.exe (64 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid process (all sc.exe): 1668, 1128, 3076, 4364, 2980, 3504, 5060, 2956, 1680, 3844, 3476, 4000, 4472, 1328, 868, 872, 3016, 864, 2924, 2756, 868, 4164, 5040, 3080, 4372, 3864, 328, 3496, 1236, 688, 3944, 4244, 3476, 3916, 2704, 1852, 1464, 3804, 4656, 4820, 3140, 4484, 4928, 2092, 4528, 3172, 2092, 1396, 3160, 4948, 2232, 2300, 984, 3152, 1140, 4752, 760, 3552, 676, 2224, 2356, 4544, 3204, 5104
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: explorer.exe, Taskmgr.exe
All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ (prefix omitted). Rows with an empty process column had no process name on the page.
description | ioc | process
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 |
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 |
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 |
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 |
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 |
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 |
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities | explorer.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 |
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 |
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | explorer.exe
Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
Key value queried | Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | explorer.exe
Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | explorer.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Delays execution with timeout.exe (64 IoCs)
Processes: timeout.exe
pid process: 5008 timeout.exe, 1332 timeout.exe, 4180 timeout.exe, 3824 timeout.exe, 4808 timeout.exe, 1228 timeout.exe, 6080, 864 timeout.exe, 3496 timeout.exe, 1136 timeout.exe, 5524, 5284, 4224 timeout.exe, 2132 timeout.exe, 2584 timeout.exe, 2252 timeout.exe, 1452 timeout.exe, 1388 timeout.exe, 6832, 1308 timeout.exe, 1648 timeout.exe, 6204, 4168 timeout.exe, 964 timeout.exe, 3616 timeout.exe, 6952, 4476 timeout.exe, 764 timeout.exe, 4444 timeout.exe, 2956 timeout.exe, 4960 timeout.exe, 4224 timeout.exe, 1528 timeout.exe, 4048 timeout.exe, 2368 timeout.exe, 4724 timeout.exe, 3212 timeout.exe, 2308 timeout.exe, 1092 timeout.exe, 3868 timeout.exe, 2696 timeout.exe, 3792 timeout.exe, 2300 timeout.exe, 4000 timeout.exe, 4180, 5092, 2840 timeout.exe, 4888 timeout.exe, 6872, 856 timeout.exe, 4796 timeout.exe, 4484 timeout.exe, 4376 timeout.exe, 2116 timeout.exe, 5116 timeout.exe, 5608, 5856, 6908, 4864 timeout.exe, 3200 timeout.exe, 3016 timeout.exe, 5072 timeout.exe, 2536 timeout.exe, 4468 timeout.exe
Disables Windows logging functionality (2 TTPs)
Changes registry settings to disable Windows Event logging.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Kills process with taskkill (13 IoCs)
Processes: taskkill.exe
pid process: 6068, 2036 taskkill.exe, 4000 taskkill.exe, 2092 taskkill.exe, 3680 taskkill.exe, 1384 taskkill.exe, 5904, 2852 taskkill.exe, 1700 taskkill.exe, 3080 taskkill.exe, 6080, 5980, 6724
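What distinguishes this sample from an administrator's one-off command is the volume: one batch file drives 64 sc.exe launches, 64 timeout.exe delays, 25 powercfg.exe calls, 13 taskkill.exe calls and 13 takeown.exe/icacls.exe pairs from a single parent. The PowerShell below turns that pattern into a detection over process-creation records. It is an added example written for this page, not code from the sandbox or from the analysed script. The record shape (Time, ParentPid, ParentImage, Image), the tool list, the 60-second window and the count thresholds are assumptions, and the sample records are constructed for the demo; on a real host the same four fields would be built from Security event 4688 or Sysmon event 1.

```powershell
# Added example, not part of the sandbox report: flag a single parent process that
# spawns a burst of the service/permission/timing utilities this report counts.
# Records are constructed below for the demo; on a real host map the fields
# Time, ParentPid, ParentImage and Image from 4688 or Sysmon event 1 output.

# Assumed watch list, taken from the utilities the report's signatures enumerate.
$WatchedTools = 'sc.exe','timeout.exe','powercfg.exe','taskkill.exe','takeown.exe','icacls.exe','reg.exe','bcdedit.exe'

function Test-LolbinBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # objects with Time, ParentPid, ParentImage, Image
        [int] $WindowSeconds    = 60,              # assumed thresholds; tune per environment
        [int] $MinDistinctTools = 3,
        [int] $MinTotal         = 20
    )
    $Events |
        Where-Object { $WatchedTools -contains ([IO.Path]::GetFileName($_.Image).ToLower()) } |
        Group-Object ParentPid |
        ForEach-Object {
            $group  = $_
            $sorted = @($group.Group | Sort-Object Time)
            # Slide a window over this parent's child launches; report the first window
            # that exceeds both thresholds, then stop (one alert per parent).
            for ($s = 0; $s -lt $sorted.Count; $s++) {
                $start = $sorted[$s].Time
                $end   = $start.AddSeconds($WindowSeconds)
                $win   = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end })
                $tools = @($win | ForEach-Object { [IO.Path]::GetFileName($_.Image).ToLower() } | Sort-Object -Unique)
                if ($win.Count -ge $MinTotal -and $tools.Count -ge $MinDistinctTools) {
                    [pscustomobject]@{
                        ParentPid   = $group.Name
                        ParentImage = $sorted[0].ParentImage
                        WindowStart = $start
                        Launches    = $win.Count
                        Tools       = ($tools -join ', ')
                    }
                    break
                }
            }
        }
}

# Constructed sample: one cmd.exe (pid 1000) launching 45 watched tools in 45 seconds,
# plus an interactive console (pid 2000) that runs sc.exe twice, minutes apart.
$t0     = [datetime]'2024-11-08T13:05:00'
$Sample = New-Object System.Collections.Generic.List[object]
$i = 0
foreach ($img in (@('sc.exe') * 30 + @('timeout.exe') * 10 + @('powercfg.exe') * 5)) {
    $Sample.Add([pscustomobject]@{
        Time        = $t0.AddSeconds($i)
        ParentPid   = 1000
        ParentImage = 'C:\Windows\System32\cmd.exe'
        Image       = "C:\Windows\System32\$img"
    })
    $i++
}
foreach ($m in 5, 9) {
    $Sample.Add([pscustomobject]@{
        Time        = $t0.AddMinutes($m)
        ParentPid   = 2000
        ParentImage = 'C:\Windows\System32\WindowsTerminal.exe'
        Image       = 'C:\Windows\System32\sc.exe'
    })
}

# Expected: a single row for ParentPid 1000 (45 launches, sc.exe/timeout.exe/powercfg.exe);
# the two sc.exe runs under pid 2000 never reach the thresholds.
Test-LolbinBurst -Events $Sample.ToArray() | Format-Table -AutoSize
```

The timeout.exe calls in the report mean the real script paces itself, so the burst may be spread over more than a minute; widening the window or lowering MinTotal trades sensitivity for noise from legitimate install scripts, which also chain sc.exe and reg.exe but rarely touch takeown.exe, icacls.exe and powercfg.exe in the same run.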
Modifies Control Panel (1 IoCs)
Processes: OOSU10.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" | OOSU10.exe
Processes: SearchHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, svchost.exe, SearchFilterHost.exe, reg.exe
Abbreviations used below: FileExts\ = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\; MuiCache\ = \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\; Cached\ = \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\; oregres.dll = @C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll
description | ioc | process
Key created | FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Key created | FileExts\.txt\OpenWithList | SearchProtocolHost.exe
Key created | FileExts\.TS | SearchProtocolHost.exe
Key created | FileExts\.jpg\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" | SearchProtocolHost.exe
Key created | FileExts\.ico | SearchProtocolHost.exe
Set value (str) | MuiCache\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | MuiCache\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | SearchProtocolHost.exe
Set value (data) | Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000339b8429df31db01 | SearchProtocolHost.exe
Key created | FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Key created | FileExts\.xht | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\ConfigExpiration = "133761496324011480" | svchost.exe
Key created | FileExts\.png | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Key created | FileExts\.AAC | SearchProtocolHost.exe
Key created | FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | FileExts\.wma\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\oregres.dll,-131 = "Rich Text Format" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | reg.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\FontSetGeneration = "3" | svchost.exe
Key created | FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (data) | Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdf79d27df31db01 | SearchProtocolHost.exe
Set value (str) | MuiCache\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | FileExts\.tiff\OpenWithList | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" | SearchProtocolHost.exe
Set value (str) | MuiCache\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012038726df31db01 | SearchProtocolHost.exe
Key created | FileExts\.gif | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Key created | FileExts\.tif | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (data) | Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f7de527df31db01 | SearchProtocolHost.exe
Set value (data) | Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b965a28df31db01 | SearchProtocolHost.exe
Key created | FileExts\.mpg | SearchProtocolHost.exe
Set value (str) | MuiCache\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | FileExts\.bmp\OpenWithList | SearchProtocolHost.exe
Set value (data) | Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb949b27df31db01 | SearchProtocolHost.exe
Key created | FileExts\.jpeg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | MuiCache\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Key created | FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | MuiCache\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | SearchProtocolHost.exe
Key created | FileExts\.asx | SearchProtocolHost.exe
Key created | FileExts\.M2TS\OpenWithList | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" | reg.exe
Set value (data) | Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6c6aa26df31db01 | SearchProtocolHost.exe
Key created | FileExts\.raw | SearchProtocolHost.exe
Key created | FileExts\.mpeg\OpenWithList | SearchProtocolHost.exe
Key created | FileExts\.m4a\OpenWithList | SearchProtocolHost.exe
Key created | FileExts\.ico\OpenWithList | SearchProtocolHost.exe
Key created | FileExts\.jpeg | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | (remainder of this entry not present on the page)
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid SearchProtocolHost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software SearchProtocolHost.exe -
Modifies registry class 58 IoCs
Processes:
description ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14734" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream explorer.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1537126222-899333903-2037027349-1000\{1A68A3F0-A084-48D6-AAFF-9A12CB6DF959} explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "1000" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} powershell.exe Key created 
\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "967" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\EnableCortana = "0" OOSU10.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14767" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID powershell.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge OOSU10.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} reg.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoftwindows.client.cbs SearchHost.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI OOSU10.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "967" SearchHost.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no" OOSU10.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" reg.exe Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 powershell.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "1000" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" reg.exe Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU 
(explorer.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (SearchHost.exe)
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\AllUsers\{93C2563A-6DA3-4254-92F0-AC1AFFA92A34} (svchost.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0" (OOSU10.exe)
Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ShowSearchSuggestionsGlobal = "0" (OOSU10.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ (powershell.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" (BackgroundTransferHost.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main (OOSU10.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage (SearchHost.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (explorer.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs (SearchHost.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs (SearchHost.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory (OOSU10.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" (SearchHost.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727759429371813" (explorer.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory\ = "0" (OOSU10.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs (SearchHost.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total (SearchHost.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings (explorer.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (BackgroundTransferHost.exe)
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" (OOSU10.exe)
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead (OOSU10.exe)
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process (times listed)
2716 powershell.exe (2)
4880 powershell.exe (2)
4636 powershell.exe (2)
3140 powershell.exe (2)
1388 powershell.exe (2)
2520 powershell.exe (2)
5112 Taskmgr.exe (5)
2220 powershell.exe (2)
2504 powershell.exe (2)
5056 powershell.exe (2)
704 powershell.exe (2)
964 svchost.exe (4)
4940 NSudoLG.exe (2)
2084 NSudoLG.exe (2)
4188 powershell.exe (3)
5036 explorer.exe (2)
3808 powershell.exe (3)
4984 chrome.exe (2)
3984 powershell.exe (3)
1092 powershell.exe (3)
2696 powershell.exe (3)
1340 powershell.exe (3)
1984 powershell.exe (3)
2852 powershell.exe (3)
1164 powershell.exe (3)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
pid process (times listed)
4984 chrome.exe (8)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process
Token: SeSecurityPrivilege, SeRestorePrivilege, SeBackupPrivilege 1020 TiWorker.exe (the three privileges are enabled over and over; they account for 54 of the 64 listed entries)
Token: SeDebugPrivilege 2716 powershell.exe
Token: SeDebugPrivilege 4880 powershell.exe
Token: SeDebugPrivilege 4636 powershell.exe
Token: SeDebugPrivilege 3140 powershell.exe
Token: SeShutdownPrivilege 2512 powercfg.exe (2)
Token: SeCreatePagefilePrivilege 2512 powercfg.exe (2)
Token: SeDebugPrivilege 1388 powershell.exe
Token: SeIncreaseQuotaPrivilege 1388 powershell.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid process (times listed)
5112 Taskmgr.exe (16)
5036 explorer.exe (37)
4984 chrome.exe (11)
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid process (times listed)
5112 Taskmgr.exe (16)
5036 explorer.exe (48)
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid process (times listed)
5036 explorer.exe (3)
2224 SearchHost.exe (1)
624 StartMenuExperienceHost.exe (1)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process (each write is recorded twice in the report)
PID 4952 cmd.exe wrote to memory of 3612 fltMC.exe
PID 4952 cmd.exe wrote to memory of 936 sc.exe
PID 4952 cmd.exe wrote to memory of 1384 find.exe
PID 4952 cmd.exe wrote to memory of 3568 find.exe
PID 4952 cmd.exe wrote to memory of 2544 sc.exe
PID 4952 cmd.exe wrote to memory of 1228 find.exe
PID 4952 cmd.exe wrote to memory of 4364 find.exe
PID 4952 cmd.exe wrote to memory of 2040 sc.exe
PID 4952 cmd.exe wrote to memory of 5092 net.exe
PID 5092 net.exe wrote to memory of 3896 net1.exe
PID 4952 cmd.exe wrote to memory of 3116 curl.exe
PID 4952 cmd.exe wrote to memory of 5008 timeout.exe
PID 4952 cmd.exe wrote to memory of 1376 tar.exe
PID 4952 cmd.exe wrote to memory of 1236 chcp.com
PID 4952 cmd.exe wrote to memory of 2368 timeout.exe
PID 4952 cmd.exe wrote to memory of 2476 chcp.com
PID 4952 cmd.exe wrote to memory of 2504 chcp.com
PID 4952 cmd.exe wrote to memory of 2716 powershell.exe
PID 4952 cmd.exe wrote to memory of 4224 timeout.exe
PID 4952 cmd.exe wrote to memory of 4608 chcp.com
PID 4952 cmd.exe wrote to memory of 2696 timeout.exe
PID 4952 cmd.exe wrote to memory of 1404 chcp.com
PID 4952 cmd.exe wrote to memory of 3492 reg.exe
PID 4952 cmd.exe wrote to memory of 3552 reg.exe
PID 4952 cmd.exe wrote to memory of 4852 reg.exe
PID 4952 cmd.exe wrote to memory of 2840 timeout.exe
PID 4952 cmd.exe wrote to memory of 3380 reg.exe
PID 4952 cmd.exe wrote to memory of 1964 reg.exe
PID 4952 cmd.exe wrote to memory of 4704 reg.exe
PID 4952 cmd.exe wrote to memory of 2192 reg.exe
PID 4952 cmd.exe wrote to memory of 4468 timeout.exe
PID 4952 cmd.exe wrote to memory of 1632 reg.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
description ioc (process)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" (OOSU10.exe)
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" (OOSU10.exe)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
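The command lines in the process tree below are the part of this report that matters for triage: nearly everything the batch file does is a reg add, an sc config or a one-line PowerShell call, and only a handful of those change the machine's security posture (EnableLUA set to 0, IPv6 disabled twice over, DiagTrack disabled, TrustedInstaller switched to auto-start and started, a tool bundle pulled from GitHub with curl, and an InprocServer32 write under a per-user CLSID). The Python helper that follows is an added example, not part of the sandbox output and not code from the analysed script or its author. It parses command lines in the form shown in the tree and maps those that weaken posture to a finding carrying a revert command. The rule table, the finding categories and the default start types assumed for DiagTrack (Automatic) and TrustedInstaller (Manual) on Windows 11 are this example's own; the sample input is copied from the tree below.

```python
"""Added triage helper for the command lines in this report's process tree. Not part of the sandbox
output or of the analysed batch file. Parses reg.exe, sc.exe, curl and powershell command lines as
shown in the tree and maps those that weaken security posture to a Finding. Rule table is the example's own."""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    category: str
    detail: str
    revert: str  # command restoring the default; "" when there is no single revert

_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
_REG_ADD = re.compile(r'^reg(?:\.exe)?\s+add\s+(?:"([^"]+)"|(\S+))\s*(.*)$', re.I)
_SC_CONFIG = re.compile(r'^sc(?:\.exe)?\s+config\s+(\S+)\s+start=\s*(\S+)', re.I)
_URL = re.compile(r'https?://[^\s"\']+')
_CONTEXT_MENU_CLSID = "{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}"
# (lower-cased key, value name, predicate on the /d data, category, detail, revert)
_REG_RULES = [
    (r"hklm\software\microsoft\windows\currentversion\policies\system", "enablelua", lambda d: d == "0",
     "UAC disabled", "EnableLUA=0 switches User Account Control off at the next reboot",
     r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f'),
    (r"hklm\system\currentcontrolset\services\tcpip6\parameters", "disabledcomponents", lambda d: d != "0",
     "IPv6 disabled", "DisabledComponents={d}; 255 (0xFF) disables IPv6 on every interface except loopback",
     r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /f'),
]
# Assumed Windows 11 default start type plus a note, for services worth calling out by name.
_SERVICE_DEFAULTS = {
    "diagtrack": ("auto", "Connected User Experiences and Telemetry"),
    "trustedinstaller": ("demand", "Windows Modules Installer; starting it precedes running tools as TrustedInstaller"),
}

def _arg(args, flag):
    """Value after a switch such as /v or -o, quoted or bare; None if the switch is absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', args, re.I)
    return None if not m else (m.group(1) if m.group(1) is not None else m.group(2))

def _reg(cmd):
    m = _REG_ADD.match(cmd)
    if not m:
        return None
    hive, _, rest = (m.group(1) or m.group(2)).partition("\\")
    key = (_HIVES.get(hive.upper(), hive.upper()) + "\\" + rest).lower()  # reg.exe accepts both hive spellings
    name, data = _arg(m.group(3), "/v"), _arg(m.group(3), "/d")
    for rule_key, rule_name, is_bad, category, detail, revert in _REG_RULES:
        if key == rule_key and name and data and name.lower() == rule_name and is_bad(data):
            return Finding(category, detail.format(d=data), revert)
    return None

def _sc(cmd):
    m = _SC_CONFIG.match(cmd)
    if not m:
        return None
    svc, start = m.group(1), m.group(2).lower()
    default, note = _SERVICE_DEFAULTS.get(svc.lower(), (None, None))
    if default and start != default:
        return Finding("Service start type changed", f"{svc} ({note}) set to {start}, default is {default}",
                       f"sc config {svc} start={default}")
    if not default and start == "disabled":
        return Finding("Service disabled", f"{svc} start type set to disabled", "")
    return None

def _powershell(cmd):
    low = cmd.lower()
    if "disable-netadapterbinding" in low and "ms_tcpip6" in low:
        return Finding("IPv6 disabled", "IPv6 binding removed from every network adapter",
                       "powershell -Command \"Enable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6\"")
    if _CONTEXT_MENU_CLSID in low and "inprocserver32" in low and "hkcu:" in low:
        # Restores the Windows 10 context menu, but writes to the per-user CLSID location COM hijacking uses.
        return Finding("COM class override in HKCU", "empty InprocServer32 registered for the context-menu CLSID",
                       rf'reg delete "HKCU\Software\Classes\CLSID\{_CONTEXT_MENU_CLSID}" /f')
    return None

def _curl(cmd):
    m = _URL.search(cmd)
    return Finding("Ingress tool transfer", f"downloads {m.group(0)} to {_arg(cmd, '-o') or 'stdout'}", "") if m else None

def triage(commands):
    """Return a Finding per command line that weakens security posture; other lines are dropped."""
    findings = []
    for cmd in (c.strip() for c in commands if c.strip()):
        head = cmd.split(None, 1)[0].lower().removesuffix(".exe")
        handler = {"reg": _reg, "sc": _sc, "powershell": _powershell, "curl": _curl}.get(head)
        finding = handler(cmd) if handler else None
        if finding:
            findings.append(finding)
    return findings

# Command lines copied from the process tree in this report, in tree order.
SAMPLE_COMMANDS = [
    "sc config TrustedInstaller start=auto",
    r'curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"',
    "powershell -Command \"New-Item -Path 'HKCU:\\Software\\Classes\\CLSID\\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}'"
    " -Name 'InprocServer32' -Force -Value ''\"",
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f',
    "powershell -Command \"Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6\"",
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0',
    "sc config DiagTrack start=disabled",
]

if __name__ == "__main__":
    print(*triage(SAMPLE_COMMANDS), sep="\n")
```

Run as a script it prints seven findings for the sample; feed `triage()` the command column of any report in this format to get the same view. The two hits worth a second look are the TrustedInstaller start-type change, which in this run sits next to NSudoLG.exe (a launcher commonly used to run a process as TrustedInstaller) in the EnumeratesProcesses list above, and the CLSID write: it is the well-known tweak that restores the legacy context menu, but it lands in the same per-user InprocServer32 location that COM hijacking persistence uses, so a detection written for the hijack fires on this benign change and the analyst has to tell the two apart by the CLSID and the empty value.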
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\system32\fltMC.exefltmc2⤵PID:3612
-
C:\Windows\system32\sc.exesc query "WinDefend"2⤵PID:936
-
C:\Windows\system32\find.exefind "STATE"2⤵PID:1384
-
C:\Windows\system32\find.exefind "RUNNING"2⤵PID:3568
-
C:\Windows\system32\sc.exesc qc "TrustedInstaller"2⤵PID:2544
-
C:\Windows\system32\find.exefind "START_TYPE"2⤵PID:1228
-
C:\Windows\system32\find.exefind "DISABLED"2⤵PID:4364
-
C:\Windows\system32\sc.exesc config TrustedInstaller start=auto2⤵PID:2040
-
C:\Windows\system32\net.exenet start TrustedInstaller2⤵
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TrustedInstaller3⤵PID:3896
-
C:\Windows\system32\curl.execurl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"2⤵PID:3116
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5008 -
C:\Windows\system32\tar.exetar -xf "C:\\Oneclick Tools.zip" --strip-components=12⤵PID:1376
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:1236
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:2368 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:2476
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:2504
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:4224 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:4608
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2696 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:1404
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f2⤵PID:3492
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f2⤵PID:3552
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f2⤵PID:4852
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2840 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3380
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f2⤵PID:1964
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f2⤵PID:4704
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f2⤵PID:2192
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4468 -
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f2⤵PID:1632
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f2⤵PID:3188
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3792 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4880 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4864 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f2⤵PID:5068
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4724 -
C:\Windows\system32\reg.exereg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f2⤵
- Modifies data under HKEY_USERS
PID:4008 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4168 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4888 -
C:\Windows\system32\reg.exereg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f2⤵
- Modifies visibility of file extensions in Explorer
PID:3940 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4376 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f2⤵PID:984
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2132 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:3864
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:864 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f2⤵PID:4656
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f2⤵PID:648
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f2⤵PID:4808
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f2⤵PID:4764
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f2⤵PID:4668
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f2⤵PID:2436
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f2⤵PID:2236
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f2⤵PID:936
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f2⤵PID:2284
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f2⤵PID:1500
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f2⤵PID:1228
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f2⤵PID:4364
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f2⤵PID:868
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:964 -
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f2⤵PID:4920
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f2⤵PID:1948
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f2⤵PID:1020
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f2⤵PID:4708
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f2⤵PID:3144
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f2⤵PID:3872
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵PID:5012
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3496 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f2⤵PID:4164
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f2⤵PID:972
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3212 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f2⤵PID:2296
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4476 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
PID:4760 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3200 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f2⤵PID:4896
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f2⤵PID:2600
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f2⤵PID:420
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:1940
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f2⤵PID:4660
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f2⤵PID:1848
-
C:\Windows\system32\powercfg.exepowercfg.exe /hibernate off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2512 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:2224
-
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵PID:4884
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵
- Launches sc.exe
PID:3804 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3016 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:2816
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:644
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2308 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f2⤵PID:2912
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1092 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f2⤵PID:1120
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:3852
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 02⤵
- UAC bypass
PID:3792 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2584 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:4720
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1332 -
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵
- Launches sc.exe
PID:5104 -
C:\Windows\system32\sc.exesc config ALG start=demand2⤵PID:4864
-
C:\Windows\system32\sc.exesc config AppIDSvc start=demand2⤵PID:5068
-
C:\Windows\system32\sc.exesc config AppMgmt start=demand2⤵PID:3572
-
C:\Windows\system32\sc.exesc config AppReadiness start=demand2⤵PID:456
-
C:\Windows\system32\sc.exesc config AppVClient start=disabled2⤵PID:4640
-
C:\Windows\system32\sc.exesc config AppXSvc start=demand2⤵PID:4168
-
C:\Windows\system32\sc.exesc config Appinfo start=demand2⤵PID:1512
-
C:\Windows\system32\sc.exesc config AssignedAccessManagerSvc start=disabled2⤵PID:2324
-
C:\Windows\system32\sc.exesc config AudioEndpointBuilder start=auto2⤵PID:1000
-
C:\Windows\system32\sc.exesc config AudioSrv start=auto2⤵PID:3076
-
C:\Windows\system32\sc.exesc config Audiosrv start=auto2⤵PID:5020
-
C:\Windows\system32\sc.exesc config AxInstSV start=demand2⤵PID:1244
-
C:\Windows\system32\sc.exesc config BDESVC start=demand2⤵PID:2412
-
C:\Windows\system32\sc.exesc config BFE start=auto2⤵
- Launches sc.exe
PID:2756 -
C:\Windows\system32\sc.exesc config BITS start=delayed-auto2⤵PID:3352
-
C:\Windows\system32\sc.exesc config BTAGService start=demand2⤵PID:4516
-
C:\Windows\system32\sc.exesc config BcastDVRUserService_dc2a4 start=demand2⤵PID:3940
-
C:\Windows\system32\sc.exesc config BluetoothUserService_dc2a4 start=demand2⤵PID:2304
-
C:\Windows\system32\sc.exesc config BrokerInfrastructure start=auto2⤵PID:4984
-
C:\Windows\system32\sc.exesc config Browser start=demand2⤵
- Launches sc.exe
PID:1128 -
C:\Windows\system32\sc.exesc config BthAvctpSvc start=auto2⤵PID:2140
-
C:\Windows\system32\sc.exesc config BthHFSrv start=auto2⤵PID:224
-
C:\Windows\system32\sc.exesc config CDPSvc start=demand2⤵PID:3840
-
C:\Windows\system32\sc.exesc config CDPUserSvc_dc2a4 start=auto2⤵PID:4112
-
C:\Windows\system32\sc.exesc config COMSysApp start=demand2⤵PID:2416
-
C:\Windows\system32\sc.exesc config CaptureService_dc2a4 start=demand2⤵PID:4524
-
C:\Windows\system32\sc.exesc config CertPropSvc start=demand2⤵
- Launches sc.exe
PID:688 -
C:\Windows\system32\sc.exesc config ClipSVC start=demand2⤵PID:4808
-
C:\Windows\system32\sc.exesc config ConsentUxUserSvc_dc2a4 start=demand2⤵PID:3612
-
C:\Windows\system32\sc.exesc config CoreMessagingRegistrar start=auto2⤵
- Launches sc.exe
PID:1328 -
C:\Windows\system32\sc.exesc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand2⤵PID:4488
-
C:\Windows\system32\sc.exesc config CryptSvc start=auto2⤵
- Launches sc.exe
PID:676 -
C:\Windows\system32\sc.exesc config CscService start=demand2⤵PID:4204
-
C:\Windows\system32\sc.exesc config DPS start=auto2⤵PID:4544
-
C:\Windows\system32\sc.exesc config DcomLaunch start=auto2⤵PID:4768
-
C:\Windows\system32\sc.exesc config DcpSvc start=demand2⤵PID:4960
-
C:\Windows\system32\sc.exesc config DevQueryBroker start=demand2⤵PID:4364
-
C:\Windows\system32\sc.exesc config DeviceAssociationBrokerSvc_dc2a4 start=demand2⤵
- Launches sc.exe
PID:868 -
C:\Windows\system32\sc.exesc config DeviceAssociationService start=demand2⤵
- Launches sc.exe
PID:872 -
C:\Windows\system32\sc.exesc config DeviceInstall start=demand2⤵PID:1852
-
C:\Windows\system32\sc.exesc config DevicePickerUserSvc_dc2a4 start=demand2⤵PID:3952
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_dc2a4 start=demand2⤵PID:464
-
C:\Windows\system32\sc.exesc config Dhcp start=auto2⤵PID:764
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵PID:3896
-
C:\Windows\system32\sc.exesc config DialogBlockingService start=disabled2⤵PID:3956
-
C:\Windows\system32\sc.exesc config DispBrokerDesktopSvc start=auto2⤵
- Launches sc.exe
PID:3140 -
C:\Windows\system32\sc.exesc config DisplayEnhancementService start=demand2⤵PID:1744
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=demand2⤵PID:3080
-
C:\Windows\system32\sc.exesc config Dnscache start=auto2⤵PID:560
-
C:\Windows\system32\sc.exesc config DoSvc start=delayed-auto2⤵PID:3160
-
C:\Windows\system32\sc.exesc config DsSvc start=demand2⤵PID:3412
-
C:\Windows\system32\sc.exesc config DsmSvc start=demand2⤵PID:4708
-
Process tree entries, one per line: [tree depth] image path: command line (PID; sandbox signatures)

[2] C:\Windows\system32\sc.exe: sc config DusmSvc start=auto (PID 1932)
[2] C:\Windows\system32\sc.exe: sc config EFS start=demand (PID 3144)
[2] C:\Windows\system32\sc.exe: sc config EapHost start=demand (PID 4500)
[2] C:\Windows\system32\sc.exe: sc config EntAppSvc start=demand (PID 1636)
[2] C:\Windows\system32\sc.exe: sc config EventLog start=auto (PID 3496)
[2] C:\Windows\system32\sc.exe: sc config EventSystem start=auto (PID 4164; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config FDResPub start=demand (PID 972)
[2] C:\Windows\system32\sc.exe: sc config Fax start=demand (PID 3212)
[2] C:\Windows\system32\sc.exe: sc config FontCache start=auto (PID 2296)
[2] C:\Windows\system32\sc.exe: sc config FrameServer start=demand (PID 4476)
[2] C:\Windows\system32\sc.exe: sc config FrameServerMonitor start=demand (PID 4760)
[2] C:\Windows\system32\sc.exe: sc config GraphicsPerfSvc start=demand (PID 4740)
[2] C:\Windows\system32\sc.exe: sc config HomeGroupListener start=demand (PID 5084)
[2] C:\Windows\system32\sc.exe: sc config HomeGroupProvider start=demand (PID 1300)
[2] C:\Windows\system32\sc.exe: sc config HvHost start=demand (PID 4528; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config IEEtwCollectorService start=demand (PID 2036)
[2] C:\Windows\system32\sc.exe: sc config IKEEXT start=demand (PID 1364)
[2] C:\Windows\system32\sc.exe: sc config InstallService start=demand (PID 3372)
[2] C:\Windows\system32\sc.exe: sc config InventorySvc start=demand (PID 5008)
[2] C:\Windows\system32\sc.exe: sc config IpxlatCfgSvc start=demand (PID 636)
[2] C:\Windows\system32\sc.exe: sc config KeyIso start=auto (PID 4964)
[2] C:\Windows\system32\sc.exe: sc config KtmRm start=demand (PID 1408)
[2] C:\Windows\system32\sc.exe: sc config LSM start=auto (PID 2224)
[2] C:\Windows\system32\sc.exe: sc config LanmanServer start=auto (PID 4884)
[2] C:\Windows\system32\sc.exe: sc config LanmanWorkstation start=auto (PID 3804)
[2] C:\Windows\system32\sc.exe: sc config LicenseManager start=demand (PID 1072)
[2] C:\Windows\system32\sc.exe: sc config LxpSvc start=demand (PID 828)
[2] C:\Windows\system32\sc.exe: sc config MSDTC start=demand (PID 4972)
[2] C:\Windows\system32\sc.exe: sc config MSiSCSI start=demand (PID 2860)
[2] C:\Windows\system32\sc.exe: sc config MapsBroker start=delayed-auto (PID 644)
[2] C:\Windows\system32\sc.exe: sc config McpManagementService start=demand (PID 2308)
[2] C:\Windows\system32\sc.exe: sc config MessagingService_dc2a4 start=demand (PID 3336)
[2] C:\Windows\system32\sc.exe: sc config MicrosoftEdgeElevationService start=demand (PID 3760)
[2] C:\Windows\system32\sc.exe: sc config MixedRealityOpenXRSvc start=demand (PID 4824)
[2] C:\Windows\system32\sc.exe: sc config MpsSvc start=auto (PID 1320)
[2] C:\Windows\system32\sc.exe: sc config MsKeyboardFilter start=demand (PID 2376)
[2] C:\Windows\system32\sc.exe: sc config NPSMSvc_dc2a4 start=demand (PID 3172; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config NaturalAuthentication start=demand (PID 4424)
[2] C:\Windows\system32\sc.exe: sc config NcaSvc start=demand (PID 2464)
[2] C:\Windows\system32\sc.exe: sc config NcbService start=demand (PID 2340)
[2] C:\Windows\system32\sc.exe: sc config NcdAutoSetup start=demand (PID 4940)
[2] C:\Windows\system32\sc.exe: sc config NetSetupSvc start=demand (PID 2920)
[2] C:\Windows\system32\sc.exe: sc config NetTcpPortSharing start=disabled (PID 2396)
[2] C:\Windows\system32\sc.exe: sc config Netlogon start=demand (PID 1164)
[2] C:\Windows\system32\sc.exe: sc config Netman start=demand (PID 4716)
[2] C:\Windows\system32\sc.exe: sc config NgcCtnrSvc start=demand (PID 1388)
[2] C:\Windows\system32\sc.exe: sc config NgcSvc start=demand (PID 3852)
[2] C:\Windows\system32\sc.exe: sc config NlaSvc start=demand (PID 3792)
[2] C:\Windows\system32\sc.exe: sc config OneSyncSvc_dc2a4 start=auto (PID 2584)
[2] C:\Windows\system32\sc.exe: sc config P9RdrService_dc2a4 start=demand (PID 4948; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config PNRPAutoReg start=demand (PID 4484; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config PNRPsvc start=demand (PID 2240)
[2] C:\Windows\system32\sc.exe: sc config PcaSvc start=demand (PID 2232; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config PeerDistSvc start=demand (PID 4752; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config PenService_dc2a4 start=demand (PID 5068)
[2] C:\Windows\system32\sc.exe: sc config PerfHost start=demand (PID 5040; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config PhoneSvc start=demand (PID 3192)
[2] C:\Windows\system32\sc.exe: sc config PimIndexMaintenanceSvc_dc2a4 start=demand (PID 3424)
[2] C:\Windows\system32\sc.exe: sc config PlugPlay start=demand (PID 5060)
[2] C:\Windows\system32\sc.exe: sc config PolicyAgent start=demand (PID 4992)
[2] C:\Windows\system32\sc.exe: sc config Power start=auto (PID 2708)
[2] C:\Windows\system32\sc.exe: sc config PrintNotify start=demand (PID 3076; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config PrintWorkflowUserSvc_dc2a4 start=demand (PID 3616)
[2] C:\Windows\system32\sc.exe: sc config ProfSvc start=auto (PID 1936)
[2] C:\Windows\system32\sc.exe: sc config PushToInstall start=demand (PID 572)
[2] C:\Windows\system32\sc.exe: sc config QWAVE start=demand (PID 3824)
[2] C:\Windows\system32\sc.exe: sc config RasAuto start=demand (PID 4516)
[2] C:\Windows\system32\sc.exe: sc config RasMan start=demand (PID 3940)
[2] C:\Windows\system32\sc.exe: sc config RemoteAccess start=disabled (PID 2304)
[2] C:\Windows\system32\sc.exe: sc config RemoteRegistry start=disabled (PID 4984)
[2] C:\Windows\system32\sc.exe: sc config RetailDemo start=demand (PID 428)
[2] C:\Windows\system32\sc.exe: sc config RmSvc start=demand (PID 2132)
[2] C:\Windows\system32\sc.exe: sc config RpcEptMapper start=auto (PID 3864; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config RpcLocator start=demand (PID 3888)
[2] C:\Windows\system32\sc.exe: sc config RpcSs start=auto (PID 4656; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SCPolicySvc start=demand (PID 648)
[2] C:\Windows\system32\sc.exe: sc config SCardSvr start=demand (PID 4644)
[2] C:\Windows\system32\sc.exe: sc config SDRSVC start=demand (PID 2620)
[2] C:\Windows\system32\sc.exe: sc config SEMgrSvc start=demand (PID 4776)
[2] C:\Windows\system32\sc.exe: sc config SENS start=auto (PID 2668)
[2] C:\Windows\system32\sc.exe: sc config SNMPTRAP start=demand (PID 3916; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SNMPTrap start=demand (PID 1384)
[2] C:\Windows\system32\sc.exe: sc config SSDPSRV start=demand (PID 2560)
[2] C:\Windows\system32\sc.exe: sc config SamSs start=auto (PID 2704; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config ScDeviceEnum start=demand (PID 412)
[2] C:\Windows\system32\sc.exe: sc config Schedule start=auto (PID 2284)
[2] C:\Windows\system32\sc.exe: sc config SecurityHealthService start=demand (PID 2544)
[2] C:\Windows\system32\sc.exe: sc config Sense start=demand (PID 2040)
[2] C:\Windows\system32\sc.exe: sc config SensorDataService start=demand (PID 4592)
[2] C:\Windows\system32\sc.exe: sc config SensorService start=demand (PID 940)
[2] C:\Windows\system32\sc.exe: sc config SensrSvc start=demand (PID 868; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SessionEnv start=demand (PID 872)
[2] C:\Windows\system32\sc.exe: sc config SgrmBroker start=auto (PID 1852; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SharedAccess start=demand (PID 4820)
[2] C:\Windows\system32\sc.exe: sc config SharedRealitySvc start=demand (PID 464)
[2] C:\Windows\system32\sc.exe: sc config ShellHWDetection start=auto (PID 3048)
[2] C:\Windows\system32\sc.exe: sc config SmsRouter start=demand (PID 4496)
[2] C:\Windows\system32\sc.exe: sc config Spooler start=auto (PID 1680; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SstpSvc start=demand (PID 4448)
[2] C:\Windows\system32\sc.exe: sc config StateRepository start=demand (PID 4928; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config StiSvc start=demand (PID 1744)
[2] C:\Windows\system32\sc.exe: sc config StorSvc start=demand (PID 3152; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SysMain start=auto (PID 1220)
[2] C:\Windows\system32\sc.exe: sc config SystemEventsBroker start=auto (PID 4140)
[2] C:\Windows\system32\sc.exe: sc config TabletInputService start=demand (PID 3060)
[2] C:\Windows\system32\sc.exe: sc config TapiSrv start=demand (PID 1932)
[2] C:\Windows\system32\sc.exe: sc config TermService start=auto (PID 5012)
[2] C:\Windows\system32\sc.exe: sc config TextInputManagementService start=demand (PID 4688)
[2] C:\Windows\system32\sc.exe: sc config Themes start=auto (PID 4536)
[2] C:\Windows\system32\sc.exe: sc config TieringEngineService start=demand (PID 2980)
[2] C:\Windows\system32\sc.exe: sc config TimeBroker start=demand (PID 3756)
[2] C:\Windows\system32\sc.exe: sc config TimeBrokerSvc start=demand (PID 1240)
[2] C:\Windows\system32\sc.exe: sc config TokenBroker start=demand (PID 3212)
[2] C:\Windows\system32\sc.exe: sc config TrkWks start=auto (PID 1452)
[2] C:\Windows\system32\sc.exe: sc config TroubleshootingSvc start=demand (PID 2424)
[2] C:\Windows\system32\sc.exe: sc config TrustedInstaller start=demand (PID 2300; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config UI0Detect start=demand (PID 2092; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config UdkUserSvc_dc2a4 start=demand (PID 3828)
[2] C:\Windows\system32\sc.exe: sc config UevAgentService start=disabled (PID 2276)
[2] C:\Windows\system32\sc.exe: sc config UmRdpService start=demand (PID 420)
[2] C:\Windows\system32\sc.exe: sc config UnistoreSvc_dc2a4 start=demand (PID 3712)
[2] C:\Windows\system32\sc.exe: sc config UserDataSvc_dc2a4 start=demand (PID 3116)
[2] C:\Windows\system32\sc.exe: sc config UserManager start=auto (PID 4660)
[2] C:\Windows\system32\sc.exe: sc config UsoSvc start=demand (PID 5008)
[2] C:\Windows\system32\sc.exe: sc config VGAuthService start=auto (PID 1748)
[2] C:\Windows\system32\sc.exe: sc config VMTools start=auto (PID 2084)
[2] C:\Windows\system32\sc.exe: sc config VSS start=demand (PID 1068)
[2] C:\Windows\system32\sc.exe: sc config VacSvc start=demand (PID 2220)
[2] C:\Windows\system32\sc.exe: sc config VaultSvc start=auto (PID 3136)
[2] C:\Windows\system32\sc.exe: sc config W32Time start=demand (PID 1476)
[2] C:\Windows\system32\sc.exe: sc config WEPHOSTSVC start=demand (PID 3732)
[2] C:\Windows\system32\sc.exe: sc config WFDSConMgrSvc start=demand (PID 3016; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config WMPNetworkSvc start=demand (PID 4972)
[2] C:\Windows\system32\sc.exe: sc config WManSvc start=demand (PID 2476)
[2] C:\Windows\system32\sc.exe: sc config WPDBusEnum start=demand (PID 3020)
[2] C:\Windows\system32\sc.exe: sc config WSService start=demand (PID 2308)
[2] C:\Windows\system32\sc.exe: sc config WSearch start=delayed-auto (PID 3336)
[2] C:\Windows\system32\sc.exe: sc config WaaSMedicSvc start=demand (PID 3760)
[2] C:\Windows\system32\sc.exe: sc config WalletService start=demand (PID 4824)
[2] C:\Windows\system32\sc.exe: sc config WarpJITSvc start=demand (PID 624)
[2] C:\Windows\system32\sc.exe: sc config WbioSrvc start=demand (PID 3844; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config Wcmsvc start=auto (PID 4620)
[2] C:\Windows\system32\sc.exe: sc config WcsPlugInService start=demand (PID 3176)
[2] C:\Windows\system32\sc.exe: sc config WdNisSvc start=demand (PID 5096)
[2] C:\Windows\system32\sc.exe: sc config WdiServiceHost start=demand (PID 3720)
[2] C:\Windows\system32\sc.exe: sc config WdiSystemHost start=demand (PID 2056)
[2] C:\Windows\system32\sc.exe: sc config WebClient start=demand (PID 4604)
[2] C:\Windows\system32\sc.exe: sc config Wecsvc start=demand (PID 4224)
[2] C:\Windows\system32\sc.exe: sc config WerSvc start=demand (PID 4716)
[2] C:\Windows\system32\sc.exe: sc config WiaRpc start=demand (PID 2388)
[2] C:\Windows\system32\sc.exe: sc config WinDefend start=auto (PID 2792)
[2] C:\Windows\system32\sc.exe: sc config WinHttpAutoProxySvc start=demand (PID 2128)
[2] C:\Windows\system32\sc.exe: sc config WinRM start=demand (PID 1232)
[2] C:\Windows\system32\sc.exe: sc config Winmgmt start=auto (PID 704)
[2] C:\Windows\system32\sc.exe: sc config WlanSvc start=auto (PID 4948)
[2] C:\Windows\system32\sc.exe: sc config WpcMonSvc start=demand (PID 4484)
[2] C:\Windows\system32\sc.exe: sc config WpnService start=demand (PID 3584)
[2] C:\Windows\system32\sc.exe: sc config WpnUserService_dc2a4 start=auto (PID 2856)
[2] C:\Windows\system32\sc.exe: sc config WwanSvc start=demand (PID 4724)
[2] C:\Windows\system32\sc.exe: sc config XblAuthManager start=demand (PID 456)
[2] C:\Windows\system32\sc.exe: sc config XblGameSave start=demand (PID 4360)
[2] C:\Windows\system32\sc.exe: sc config XboxGipSvc start=demand (PID 4168)
[2] C:\Windows\system32\sc.exe: sc config XboxNetApiSvc start=demand (PID 3424)
[2] C:\Windows\system32\sc.exe: sc config autotimesvc start=demand (PID 1512)
[2] C:\Windows\system32\sc.exe: sc config bthserv start=demand (PID 720)
[2] C:\Windows\system32\sc.exe: sc config camsvc start=demand (PID 2288)
[2] C:\Windows\system32\sc.exe: sc config cbdhsvc_dc2a4 start=demand (PID 4520)
[2] C:\Windows\system32\sc.exe: sc config cloudidsvc start=demand (PID 4872)
[2] C:\Windows\system32\sc.exe: sc config dcsvc start=demand (PID 2412)
[2] C:\Windows\system32\sc.exe: sc config defragsvc start=demand (PID 832)
[2] C:\Windows\system32\sc.exe: sc config diagnosticshub.standardcollector.service start=demand (PID 3352)
[2] C:\Windows\system32\sc.exe: sc config diagsvc start=demand (PID 4744)
[2] C:\Windows\system32\sc.exe: sc config dmwappushservice start=demand (PID 4516)
[2] C:\Windows\system32\sc.exe: sc config dot3svc start=demand (PID 3940)
[2] C:\Windows\system32\sc.exe: sc config edgeupdate start=demand (PID 4836)
[2] C:\Windows\system32\sc.exe: sc config edgeupdatem start=demand (PID 984; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config embeddedmode start=demand (PID 2140)
[2] C:\Windows\system32\sc.exe: sc config fdPHost start=demand (PID 4160)
[2] C:\Windows\system32\sc.exe: sc config fhsvc start=demand (PID 5000)
[2] C:\Windows\system32\sc.exe: sc config gpsvc start=auto (PID 864; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config hidserv start=demand (PID 328; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config icssvc start=demand (PID 4524)
[2] C:\Windows\system32\sc.exe: sc config iphlpsvc start=auto (PID 4556)
[2] C:\Windows\system32\sc.exe: sc config lfsvc start=demand (PID 4808)
[2] C:\Windows\system32\sc.exe: sc config lltdsvc start=demand (PID 2328)
[2] C:\Windows\system32\sc.exe: sc config lmhosts start=demand (PID 4560)
[2] C:\Windows\system32\sc.exe: sc config mpssvc start=auto (PID 3612)
[2] C:\Windows\system32\sc.exe: sc config msiserver start=demand (PID 1328)
[2] C:\Windows\system32\sc.exe: sc config netprofm start=demand (PID 4488)
[2] C:\Windows\system32\sc.exe: sc config nsi start=auto (PID 676)
[2] C:\Windows\system32\sc.exe: sc config p2pimsvc start=demand (PID 4204)
[2] C:\Windows\system32\sc.exe: sc config p2psvc start=demand (PID 1228)
[2] C:\Windows\system32\sc.exe: sc config perceptionsimulation start=demand (PID 2284)
[2] C:\Windows\system32\sc.exe: sc config pla start=demand (PID 4904)
[2] C:\Windows\system32\sc.exe: sc config seclogon start=demand (PID 4364; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config shpamsvc start=disabled (PID 3604)
[2] C:\Windows\system32\sc.exe: sc config smphost start=demand (PID 2120)
[2] C:\Windows\system32\sc.exe: sc config spectrum start=demand (PID 2880)
[2] C:\Windows\system32\sc.exe: sc config sppsvc start=delayed-auto (PID 872)
[2] C:\Windows\system32\sc.exe: sc config ssh-agent start=disabled (PID 1852)
[2] C:\Windows\system32\sc.exe: sc config svsvc start=demand (PID 4820; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config swprv start=demand (PID 464)
[2] C:\Windows\system32\sc.exe: sc config tiledatamodelsvc start=auto (PID 5092)
[2] C:\Windows\system32\sc.exe: sc config tzautoupdate start=disabled (PID 4496)
[2] C:\Windows\system32\sc.exe: sc config uhssvc start=disabled (PID 1680)
[2] C:\Windows\system32\sc.exe: sc config upnphost start=demand (PID 4448)
[2] C:\Windows\system32\sc.exe: sc config vds start=demand (PID 4928)
[2] C:\Windows\system32\sc.exe: sc config vm3dservice start=demand (PID 1584)
[2] C:\Windows\system32\sc.exe: sc config vmicguestinterface start=demand (PID 1948)
[2] C:\Windows\system32\sc.exe: sc config vmicheartbeat start=demand (PID 3160; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config vmickvpexchange start=demand (PID 4944)
[2] C:\Windows\system32\sc.exe: sc config vmicrdv start=demand (PID 4140)
[2] C:\Windows\system32\sc.exe: sc config vmicshutdown start=demand (PID 3060)
[2] C:\Windows\system32\sc.exe: sc config vmictimesync start=demand (PID 3872)
[2] C:\Windows\system32\sc.exe: sc config vmicvmsession start=demand (PID 3272)
[2] C:\Windows\system32\sc.exe: sc config vmicvss start=demand (PID 1480)
[2] C:\Windows\system32\sc.exe: sc config vmvss start=demand (PID 2924)
[2] C:\Windows\system32\sc.exe: sc config wbengine start=demand (PID 3868)
[2] C:\Windows\system32\sc.exe: sc config wcncsvc start=demand (PID 2980; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config webthreatdefsvc start=demand (PID 1400)
[2] C:\Windows\system32\sc.exe: sc config webthreatdefusersvc_dc2a4 start=auto (PID 768)
[2] C:\Windows\system32\sc.exe: sc config wercplsupport start=demand (PID 2776)
[2] C:\Windows\system32\sc.exe: sc config wisvc start=demand (PID 4476)
[2] C:\Windows\system32\sc.exe: sc config wlidsvc start=demand (PID 4760)
[2] C:\Windows\system32\sc.exe: sc config wlpasvc start=demand (PID 1416)
[2] C:\Windows\system32\sc.exe: sc config wmiApSrv start=demand (PID 5084)
[2] C:\Windows\system32\sc.exe: sc config workfolderssvc start=demand (PID 3332)
[2] C:\Windows\system32\sc.exe: sc config wscsvc start=delayed-auto (PID 4528)
[2] C:\Windows\system32\sc.exe: sc config wuauserv start=demand (PID 1940)
[2] C:\Windows\system32\sc.exe: sc config wudfsvc start=demand (PID 1364)
[2] C:\Windows\system32\timeout.exe: timeout 1 (PID 1308; Delays execution with timeout.exe)
[2] C:\Windows\system32\timeout.exe: timeout 1 (PID 4180; Delays execution with timeout.exe)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable (PID 2512)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable (PID 2084)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable (PID 3936)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable (PID 4884)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable (PID 640)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable (PID 1072)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable (PID 828)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable (PID 2368)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable (PID 3148)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable (PID 2504)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable (PID 3488)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable (PID 3944)
[2] C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable (PID 3760)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f (PID 4824)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f (PID 624)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f (PID 3844)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f (PID 4620)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f (PID 424)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f (PID 4940)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f (PID 2920)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f (PID 2396)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f (PID 1164)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f (PID 3296)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f (PID 2388)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f (PID 3792)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f (PID 4880)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f (PID 1668)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f (PID 4948)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f (PID 4484)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f (PID 3584)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f (PID 4724)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f (PID 4360)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f (PID 5060)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f (PID 2708)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f (PID 4520)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f (PID 4872)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f (PID 2412)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f (PID 832)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f (PID 2180)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f (PID 1652)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f (PID 232)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f (PID 1128)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f (PID 4984)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f (PID 428)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f (PID 224)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f (PID 2244)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f (PID 864)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f (PID 328)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f (PID 4524)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f (PID 4556)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f (PID 3476)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f (PID 2176)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f (PID 5052)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f (PID 3108)
[2] C:\Windows\system32\timeout.exe: timeout 1 (PID 2252; Delays execution with timeout.exe)
[2] C:\Windows\system32\bcdedit.exe: bcdedit /set {current} bootmenupolicy Legacy (PID 3556; Modifies boot configuration data using bcdedit)
[2] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild" (PID 2436)
[3] C:\Windows\system32\reg.exe: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild (PID 2236)
[3] C:\Windows\system32\findstr.exe: findstr /r /c:"CurrentBuild" (PID 2704)
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden" (PID 2520; Suspicious behavior: EnumeratesProcesses)
[3] C:\Windows\system32\Taskmgr.exe: "C:\Windows\system32\Taskmgr.exe" (PID 5112; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage)
[2] C:\Windows\system32\timeout.exe: timeout /t 2 (PID 764; Delays execution with timeout.exe)
[2] C:\Windows\system32\reg.exe: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences (PID 3332)
[2] C:\Windows\system32\taskkill.exe: taskkill /f /im taskmgr.exe (PID 2036; Kills process with taskkill)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f (PID 1068)
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue" (PID 2220; Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses)
[2] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb" (PID 3148)
[3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb" (PID 2504; Suspicious behavior: EnumeratesProcesses)
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force" (PID 5056; Suspicious behavior: EnumeratesProcesses)
[2] C:\Windows\system32\icacls.exe: icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F (PID 1232; Possible privilege escalation attempt; Modifies file permissions)
[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue" (PID 704; Hide Artifacts: Ignore Process Interrupts; Suspicious behavior: EnumeratesProcesses)
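Two details in the entries above matter when triaging this report. First, sc.exe only accepts its options in the documented form `start= value`, with a space after the equals sign; the long first block of `sc config <service> start=auto` / `start=demand` commands omits that space, so each of those invocations prints sc's usage text and changes no start type, whereas the later `start= disabled` block uses the accepted syntax and does take effect. Second, the icacls deny on the AutoLogger directory, the Set-MpPreference call and the `reg add ... \Services\<name> /v Start /d 4` writes change the host's posture without going through sc.exe at all. The Python below is an added example, not part of the sandbox report or of Oneclick-V6.7.bat: it parses lines in the report's extracted shape (image path fused to the command line, a one-digit tree depth, the ⤵ glyph and PID:n, or an entry that ends at ⤵ and is followed by "- signature" lines and a closing "PID:n -" line) into records and flags the commands an analyst would want to look at, applying the sc.exe syntax caveat first. The service watchlist, the wording of the findings and the choice of sample lines (copied verbatim from the report) are this example's own assumptions.

```python
"""Parse flattened sandbox process-tree lines and flag the commands worth a look.
Added example, not part of the report or of Oneclick-V6.7.bat. Line shape:
<image path><command line><depth>⤵PID:<n>, or the entry ends at ⤵ and is followed
by "- <signature>" lines and a closing "PID:<n> -" line."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Image path (.exe/.com) fused to the command line, one-digit depth, ⤵, optional PID:<n>.
ENTRY_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.(?:exe|com))(?P<cmd>.*?)(?P<depth>\d)⤵"
                      r"(?:PID:(?P<pid>\d+))?\s*-?\s*$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)\s*-?\s*$")
SC_RE = re.compile(r"^sc config (?P<svc>.+?) start=(?P<space> ?)(?P<value>[\w-]+)$")
REG_RE = re.compile(r'^reg add "(?P<key>[^"]+)" /v (?P<name>"[^"]+"|\S+) /t \w+ '
                    r'/d (?P<data>"[^"]*"|\S+) /f$')
TASK_RE = re.compile(r'^schtasks /Change /TN "(?P<task>[^"]+)" /Disable$')
ICACLS_RE = re.compile(r'^icacls "(?P<path>[^"]+)" /deny SYSTEM:')

# Analyst watchlist (an assumption of this example): services whose start type
# matters for detection, patching or remote access. Keys are lower-cased.
WATCHED = {k.lower(): v for k, v in {
    "WinDefend": "Microsoft Defender Antivirus", "WdNisSvc": "Defender network inspection",
    "Sense": "Defender for Endpoint sensor", "wscsvc": "Security Center",
    "mpssvc": "Windows Defender Firewall", "EventLog": "Windows Event Log",
    "Wecsvc": "Windows Event Collector", "wuauserv": "Windows Update",
    "WaaSMedicSvc": "Windows Update Medic", "DiagTrack": "Connected User Experiences and Telemetry",
    "TermService": "Remote Desktop Services", "WinRM": "Windows Remote Management"}.items()}

# Constructed sample: a selection of lines copied verbatim from the report.
SAMPLE = r"""
C:\Windows\system32\sc.exesc config EventLog start=auto2⤵PID:3496
-
C:\Windows\system32\sc.exesc config EventSystem start=auto2⤵
- Launches sc.exe
PID:4164 -
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable2⤵PID:2512
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵PID:4824
C:\Windows\system32\findstr.exefindstr /r /c:"CurrentBuild"3⤵PID:2704
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F2⤵PID:1232
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"2⤵PID:704
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2092
C:\Windows\system32\sc.exesc config DiagTrack start= disabled2⤵PID:1632
C:\Windows\system32\sc.exesc config TermService start= disabled2⤵
- Launches sc.ex
PID:3080 -
"""

@dataclass
class Entry:
    image: str
    cmd: str
    depth: int
    pid: int | None = None
    tags: list[str] = field(default_factory=list)

def parse_tree(text: str) -> list[Entry]:
    """Turn the flattened report text into Entry records; separator dashes are dropped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "-"):
            continue
        if m := ENTRY_RE.match(line):
            pid = int(m["pid"]) if m["pid"] else None
            entries.append(Entry(m["image"], m["cmd"].strip(), int(m["depth"]), pid))
        elif entries and line.startswith("- "):
            entries[-1].tags.append(line[2:])  # sandbox signature on the open entry
        elif entries and (m := PID_RE.match(line)):
            entries[-1].pid = int(m["pid"])  # "PID:n -" closes a tagged entry
    return entries

def triage(entry: Entry) -> str | None:
    """One-line finding for a command an analyst should look at, else None."""
    if m := SC_RE.match(entry.cmd):
        svc, value = m["svc"], m["value"].lower()
        if not m["space"]:
            # sc.exe wants "start= value"; without the space it only prints its usage text.
            return f"likely no-op: sc config {svc} start={value} (no space after '=')"
        if value == "disabled" and svc.lower() in WATCHED:
            return f"disables {WATCHED[svc.lower()]} ({svc})"
    elif m := REG_RE.match(entry.cmd):
        key, name, data = m["key"], m["name"].strip('"'), m["data"].strip('"')
        svc = re.search(r"\\Services\\([^\\]+)$", key)
        if svc and name.lower() == "start" and data == "4":
            return f"disables service {svc.group(1)} through the registry (bypasses sc.exe)"
        if name == "AllowTelemetry":
            return f"sets AllowTelemetry={data} under {key}"
    elif m := TASK_RE.match(entry.cmd):
        return f"disables scheduled task {m['task']}"
    elif m := ICACLS_RE.match(entry.cmd):
        return f"denies SYSTEM access to {m['path']}"
    elif "Set-MpPreference" in entry.cmd:
        return "changes Defender settings via Set-MpPreference"
    return None

def findings(text: str) -> list[tuple[int | None, str]]:
    """(pid, finding) for every flagged entry, in report order."""
    return [(e.pid, f) for e in parse_tree(text) if (f := triage(e))]
```

`findings(SAMPLE)` returns nine flagged entries in report order; the findstr child at depth 3 is parsed but not flagged. The no-op check runs before the watchlist check, so a watched service that was only touched with the space-less syntax is reported as a no-op rather than as disabled, which is the distinction an analyst needs when deciding what this script actually changed on the host.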
[2] C:\Windows\system32\timeout.exe: timeout 1 (PID 3616; Delays execution with timeout.exe)
[2] C:\Windows\system32\chcp.com: chcp 65001 (PID 4888)
[2] C:\Windows\system32\chcp.com: chcp 437 (PID 572)
[2] C:\Windows\system32\curl.exe: curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe" (PID 3352)
[2] C:\Windows\system32\curl.exe: curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_" (PID 5004)
[2] C:\Oneclick Tools\OOShutup10\OOSU10.exe: "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet (PID 624; Modifies security service; Executes dropped EXE; Modifies Control Panel; Modifies registry class; System policy modification)
[2] C:\Windows\system32\timeout.exe: timeout 1 (PID 4444; Delays execution with timeout.exe)
[2] C:\Windows\system32\chcp.com: chcp 65001 (PID 4536)
[2] C:\Windows\system32\timeout.exe: timeout 1 (PID 4000; Delays execution with timeout.exe)
[2] C:\Windows\system32\chcp.com: chcp 65001 (PID 4960)
[2] C:\Windows\system32\timeout.exe: timeout 1 (PID 3868; Delays execution with timeout.exe)
[2] C:\Windows\system32\chcp.com: chcp 437 (PID 4900)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f (PID 2092)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f (PID 3620)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f (PID 3936)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f (PID 2924)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f (PID 1652)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f (PID 3932)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f (PID 856)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f (PID 1776)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f (PID 832)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f (PID 2748)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f (PID 4784)
[2] C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f (PID 4432)
[2] C:\Windows\system32\reg.exe: reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f (PID 1304)
[2] C:\Windows\system32\sc.exe: sc config wlidsvc start= disabled (PID 4876)
[2] C:\Windows\system32\sc.exe: sc config DisplayEnhancementService start= disabled (PID 3488)
[2] C:\Windows\system32\sc.exe: sc config DiagTrack start= disabled (PID 1632)
[2] C:\Windows\system32\sc.exe: sc config DusmSvc start= disabled (PID 4532)
[2] C:\Windows\system32\sc.exe: sc config TabletInputService start= disabled (PID 3172)
[2] C:\Windows\system32\sc.exe: sc config RetailDemo start= disabled (PID 2224)
[2] C:\Windows\system32\sc.exe: sc config Fax start= disabled (PID 1464)
[2] C:\Windows\system32\sc.exe: sc config SharedAccess start= disabled (PID 4288)
[2] C:\Windows\system32\sc.exe: sc config lfsvc start= disabled (PID 2308)
[2] C:\Windows\system32\sc.exe: sc config WpcMonSvc start= disabled (PID 5080)
[2] C:\Windows\system32\sc.exe: sc config SessionEnv start= disabled (PID 4536)
[2] C:\Windows\system32\sc.exe: sc config MicrosoftEdgeElevationService start= disabled (PID 2300)
[2] C:\Windows\system32\sc.exe: sc config edgeupdate start= disabled (PID 3200)
[2] C:\Windows\system32\sc.exe: sc config edgeupdatem start= disabled (PID 1648)
[2] C:\Windows\system32\sc.exe: sc config autotimesvc start= disabled (PID 5092)
[2] C:\Windows\system32\sc.exe: sc config CscService start= disabled (PID 380)
[2] C:\Windows\system32\sc.exe: sc config TermService start= disabled (PID 3080; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SensorDataService start= disabled (PID 2092; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config SensorService start= disabled (PID 3620)
[2] C:\Windows\system32\sc.exe: sc config SensrSvc start= disabled (PID 2180)
[2] C:\Windows\system32\sc.exe: sc config shpamsvc start= disabled (PID 2356)
[2] C:\Windows\system32\sc.exe: sc config diagnosticshub.standardcollector.service start= disabled (PID 2028)
[2] C:\Windows\system32\sc.exe: sc config PhoneSvc start= disabled (PID 1652)
[2] C:\Windows\system32\sc.exe: sc config TapiSrv start= disabled (PID 3932)
[2] C:\Windows\system32\sc.exe: sc config UevAgentService start= disabled (PID 3496; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config WalletService start= disabled (PID 1244)
[2] C:\Windows\system32\sc.exe: sc config TokenBroker start= disabled (PID 4520)
[2] C:\Windows\system32\sc.exe: sc config WebClient start= disabled (PID 832)
[2] C:\Windows\system32\sc.exe: sc config MixedRealityOpenXRSvc start= disabled (PID 1712)
[2] C:\Windows\system32\sc.exe: sc config stisvc start= disabled (PID 2760)
[2] C:\Windows\system32\sc.exe: sc config WbioSrvc start= disabled (PID 3492)
[2] C:\Windows\system32\sc.exe: sc config icssvc start= disabled (PID 5116)
[2] C:\Windows\system32\sc.exe: sc config Wecsvc start= disabled (PID 1304)
[2] C:\Windows\system32\sc.exe: sc config XboxGipSvc start= disabled (PID 3124)
[2] C:\Windows\system32\sc.exe: sc config XblAuthManager start= disabled (PID 4472)
[2] C:\Windows\system32\sc.exe: sc config XboxNetApiSvc start= disabled (PID 1140; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config XblGameSave start= disabled (PID 644)
[2] C:\Windows\system32\sc.exe: sc config SEMgrSvc start= disabled (PID 3204)
[2] C:\Windows\system32\sc.exe: sc config iphlpsvc start= disabled (PID 1332)
[2] C:\Windows\system32\sc.exe: sc config Backupper Service start= disabled (PID 2224; Launches sc.exe)
[2] C:\Windows\system32\sc.exe: sc config BthAvctpSvc start= disabled (PID 1464)
[2] C:\Windows\system32\sc.exe: sc config BDESVC start= disabled (PID 2084)
[2] C:\Windows\system32\sc.exe: sc config cbdhsvc start= disabled (PID 108)
[2] C:\Windows\system32\sc.exe: sc config CDPSvc start= disabled (PID 5080)
[2] C:\Windows\system32\sc.exe: sc config CDPUserSvc start= disabled (PID 3136)
[2] C:\Windows\system32\sc.exe: sc config DevQueryBroker start= disabled (PID 3940)
[2] C:\Windows\system32\sc.exe: sc config DevicesFlowUserSvc start= disabled (PID 3200)
[2] C:\Windows\system32\sc.exe: sc config dmwappushservice start= disabled (PID 1648)
[2] C:\Windows\system32\sc.exe: sc config DispBrokerDesktopSvc start= disabled (PID 1072)
[2] C:\Windows\system32\sc.exe: sc config TrkWks start= disabled (PID 556)
[2] C:\Windows\system32\sc.exe: sc config dLauncherLoopback start= disabled (PID 1496)
[2] C:\Windows\system32\sc.exe: sc config EFS start= disabled (PID 4164)
[2] C:\Windows\system32\sc.exe: sc config fdPHost start= disabled (PID 1236)
[2] C:\Windows\system32\sc.exe: sc config FDResPub start= disabled (PID 2924)
[2] C:\Windows\system32\sc.exe: sc config IKEEXT start= disabled (PID 2028)
[2] C:\Windows\system32\sc.exe: sc config NPSMSvc start= disabled (PID 1652)
[2] C:\Windows\system32\sc.exe: sc config WPDBusEnum start= disabled (PID 760)
[2] C:\Windows\system32\sc.exe: sc config PcaSvc start= disabled (PID 2256)
-
C:\Windows\system32\sc.exesc config RasMan start= disabled2⤵PID:1244
-
C:\Windows\system32\sc.exesc config RetailDemo start=disabled2⤵PID:4520
-
C:\Windows\system32\sc.exesc config SstpSvc start=disabled2⤵PID:832
-
C:\Windows\system32\sc.exesc config ShellHWDetection start= disabled2⤵PID:1712
-
C:\Windows\system32\sc.exesc config SSDPSRV start= disabled2⤵PID:4852
-
C:\Windows\system32\sc.exesc config SysMain start= disabled2⤵PID:4628
-
C:\Windows\system32\sc.exesc config OneSyncSvc start= disabled2⤵PID:3176
-
C:\Windows\system32\sc.exesc config lmhosts start= disabled2⤵PID:3124
-
C:\Windows\system32\sc.exesc config UserDataSvc start= disabled2⤵PID:4472
-
C:\Windows\system32\sc.exesc config UnistoreSvc start= disabled2⤵PID:1140
-
C:\Windows\system32\sc.exesc config Wcmsvc start= disabled2⤵PID:1476
-
C:\Windows\system32\sc.exesc config FontCache start= disabled2⤵PID:3172
-
C:\Windows\system32\sc.exesc config W32Time start= disabled2⤵PID:1332
-
C:\Windows\system32\sc.exesc config tzautoupdate start= disabled2⤵PID:2224
-
C:\Windows\system32\sc.exesc config DsSvc start= disabled2⤵
- Launches sc.exe
PID:1464 -
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_5f1ad start= disabled2⤵PID:4640
-
C:\Windows\system32\sc.exesc config diagsvc start= disabled2⤵PID:4352
-
C:\Windows\system32\sc.exesc config DialogBlockingService start= disabled2⤵PID:5080
-
C:\Windows\system32\sc.exesc config PimIndexMaintenanceSvc_5f1ad start= disabled2⤵PID:4944
-
C:\Windows\system32\sc.exesc config MessagingService_5f1ad start= disabled2⤵PID:1452
-
C:\Windows\system32\sc.exesc config AppVClient start= disabled2⤵PID:4572
-
C:\Windows\system32\sc.exesc config MsKeyboardFilter start= disabled2⤵PID:764
-
C:\Windows\system32\sc.exesc config NetTcpPortSharing start= disabled2⤵PID:1252
-
C:\Windows\system32\sc.exesc config ssh-agent start= disabled2⤵PID:4900
-
C:\Windows\system32\sc.exesc config SstpSvc start= disabled2⤵PID:2116
-
C:\Windows\system32\sc.exesc config OneSyncSvc_5f1ad start= disabled2⤵PID:3960
-
C:\Windows\system32\sc.exesc config wercplsupport start= disabled2⤵PID:3620
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start= disabled2⤵PID:2180
-
C:\Windows\system32\sc.exesc config WerSvc start= disabled2⤵
- Launches sc.exe
PID:2356 -
C:\Windows\system32\sc.exesc config WpnUserService_5f1ad start= disabled2⤵PID:4372
-
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start= disabled2⤵PID:2028
-
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "AMDInstallLauncher" /f  (depth 2, PID 3400)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "AMDLinkUpdate" /f  (depth 2, PID 760)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f  (depth 2, PID 2256)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f  (depth 2, PID 1244)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "ModifyLinkUpdate" /f  (depth 2, PID 2340)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "SoftMakerUpdater" /f  (depth 2, PID 2760)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "StartCN" /f  (depth 2, PID 4432)
C:\Windows\system32\schtasks.exe  schtasks /DELETE /TN "StartDVR" /f  (depth 2, PID 3432)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable  (depth 2, PID 1716)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable  (depth 2, PID 3488)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable  (depth 2, PID 4940)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable  (depth 2, PID 1140)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable  (depth 2, PID 4648)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable  (depth 2, PID 2368)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable  (depth 2, PID 1700)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable  (depth 2, PID 4288)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable  (depth 2, PID 4800)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable  (depth 2, PID 624)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable  (depth 2, PID 1416)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable  (depth 2, PID 4944)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable  (depth 2, PID 1452)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable  (depth 2, PID 5092)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable  (depth 2, PID 1648)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable  (depth 2, PID 1072)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable  (depth 2, PID 2116)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable  (depth 2, PID 4164)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable  (depth 2, PID 3300)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable  (depth 2, PID 2924)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable  (depth 2, PID 3284)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable  (depth 2, PID 2028)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable  (depth 2, PID 3400)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable  (depth 2, PID 760)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable  (depth 2, PID 2256)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable  (depth 2, PID 1244)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable  (depth 2, PID 3944)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable  (depth 2, PID 4784)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable  (depth 2, PID 4852)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable  (depth 2, PID 4628)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable  (depth 2, PID 4876)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable  (depth 2, PID 3124)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable  (depth 2, PID 4472)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable  (depth 2, PID 2428)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable  (depth 2, PID 3172)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable  (depth 2, PID 2464)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable  (depth 2, PID 4444)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable  (depth 2, PID 2084)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable  (depth 2, PID 108)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable  (depth 2, PID 1048)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable  (depth 2, PID 4352)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable  (depth 2, PID 3136)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable  (depth 2, PID 3940)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable  (depth 2, PID 4572)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable  (depth 2, PID 2864)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable  (depth 2, PID 380)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable  (depth 2, PID 556)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable  (depth 2, PID 3960)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable  (depth 2, PID 3276)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable  (depth 2, PID 2180)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable  (depth 2, PID 4856)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable  (depth 2, PID 3476)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable  (depth 2, PID 1652)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable  (depth 2, PID 3496)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable  (depth 2, PID 3824)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable  (depth 2, PID 1688)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable  (depth 2, PID 832)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable  (depth 2, PID 1712)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable  (depth 2, PID 1396)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable  (depth 2, PID 1304)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable  (depth 2, PID 3552)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable  (depth 2, PID 1632)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable  (depth 2, PID 4532)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable  (depth 2, PID 1476)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable  (depth 2, PID 3956)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable  (depth 2, PID 4648)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable  (depth 2, PID 2368)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable  (depth 2, PID 1700)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable  (depth 2, PID 2308)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable  (depth 2, PID 4800)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable  (depth 2, PID 5084)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable  (depth 2, PID 1636)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable  (depth 2, PID 1416)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable  (depth 2, PID 4944)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable  (depth 2, PID 1452)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable  (depth 2, PID 5092)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable  (depth 2, PID 1648)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable  (depth 2, PID 1072)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 2116)
  - Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc stop uhssvc  (depth 2, PID 3620)
C:\Windows\system32\sc.exe  sc stop upfc  (depth 2, PID 3300)
C:\Windows\system32\sc.exe  sc stop PushToInstall  (depth 2, PID 2180)
C:\Windows\system32\sc.exe  sc stop BITS  (depth 2, PID 916)
C:\Windows\system32\sc.exe  sc stop InstallService  (depth 2, PID 2696)
C:\Windows\system32\sc.exe  sc stop uhssvc  (depth 2, PID 3636)
C:\Windows\system32\sc.exe  sc stop UsoSvc  (depth 2, PID 1828)
C:\Windows\system32\sc.exe  sc stop wuauserv  (depth 2, PID 2028)
C:\Windows\system32\sc.exe  sc stop LanmanServer  (depth 2, PID 3400)
C:\Windows\system32\sc.exe  sc config BITS start= disabled  (depth 2, PID 760)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config InstallService start= disabled  (depth 2, PID 4520)
C:\Windows\system32\sc.exe  sc config uhssvc start= disabled  (depth 2, PID 3504)
C:\Windows\system32\sc.exe  sc config UsoSvc start= disabled  (depth 2, PID 3944)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config wuauserv start= disabled  (depth 2, PID 4784)
C:\Windows\system32\sc.exe  sc config LanmanServer start= disabled  (depth 2, PID 1396)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 1304)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f  (depth 2, PID 3552)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 1632)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f  (depth 2, PID 4532)
  - Modifies security service
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 1476)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f  (depth 2, PID 3956)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 4648)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f  (depth 2, PID 2368)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f  (depth 2, PID 1700)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f  (depth 2, PID 2308)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f  (depth 2, PID 4800)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f  (depth 2, PID 5084)
C:\Windows\system32\reg.exe  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f  (depth 2, PID 1636)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable  (depth 2, PID 1416)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable  (depth 2, PID 4944)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable  (depth 2, PID 1452)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable  (depth 2, PID 5092)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable  (depth 2, PID 1648)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable  (depth 2, PID 1072)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable  (depth 2, PID 2116)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable  (depth 2, PID 3620)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable  (depth 2, PID 2356)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable  (depth 2, PID 1404)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable  (depth 2, PID 2388)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable  (depth 2, PID 4224)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 3284)
C:\Windows\system32\sc.exe  sc config RemoteRegistry start= disabled  (depth 2, PID 3472)
C:\Windows\system32\sc.exe  sc config RemoteAccess start= disabled  (depth 2, PID 3476)
C:\Windows\system32\sc.exe  sc config WinRM start= disabled  (depth 2, PID 3048)
C:\Windows\system32\sc.exe  sc config RmSvc start= disabled  (depth 2, PID 1652)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 856)
  - Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config PrintNotify start= disabled  (depth 2, PID 940)
C:\Windows\system32\sc.exe  sc config Spooler start= disabled  (depth 2, PID 1668)
  - Launches sc.exe
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable  (depth 2, PID 3056)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable  (depth 2, PID 2624)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 2956)
  - Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config PrintNotify start= disabled  (depth 2, PID 868)
C:\Windows\system32\sc.exe  sc config Spooler start= disabled  (depth 2, PID 4560)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 3824)
  - Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config NlaSvc start= disabled  (depth 2, PID 1136)
C:\Windows\system32\sc.exe  sc config LanmanWorkstation start= disabled  (depth 2, PID 1688)
C:\Windows\system32\sc.exe  sc config BFE start= demand  (depth 2, PID 832)
C:\Windows\system32\sc.exe  sc config Dnscache start= demand  (depth 2, PID 1712)
C:\Windows\system32\sc.exe  sc config WinHttpAutoProxySvc start= demand  (depth 2, PID 2760)
C:\Windows\system32\sc.exe  sc config Dhcp start= auto  (depth 2, PID 4432)
C:\Windows\system32\sc.exe  sc config DPS start= auto  (depth 2, PID 5116)
C:\Windows\system32\sc.exe  sc config lmhosts start= disabled  (depth 2, PID 3176)
C:\Windows\system32\sc.exe  sc config nsi start= auto  (depth 2, PID 3488)
C:\Windows\system32\sc.exe  sc config Wcmsvc start= disabled  (depth 2, PID 4472)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config Winmgmt start= auto  (depth 2, PID 4532)
C:\Windows\system32\sc.exe  sc config WlanSvc start= demand  (depth 2, PID 1476)
C:\Windows\system32\reg.exe  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f  (depth 2, PID 3204)
C:\Windows\system32\reg.exe  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f  (depth 2, PID 1332)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable  (depth 2, PID 424)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable  (depth 2, PID 4288)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable  (depth 2, PID 108)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable  (depth 2, PID 1048)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 2300)
  - Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 65001  (depth 2, PID 5080)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 4960)
  - Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 65001  (depth 2, PID 4944)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 1452)
  - Delays execution with timeout.exe
C:\Windows\system32\chcp.com  chcp 437  (depth 2, PID 5092)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 1648)
  - Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config ALG start=disabled  (depth 2, PID 3960)
C:\Windows\system32\sc.exe  sc config AJRouter start=disabled  (depth 2, PID 3276)
C:\Windows\system32\sc.exe  sc config XblAuthManager start=disabled  (depth 2, PID 1236)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config XblGameSave start=disabled  (depth 2, PID 2924)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config XboxNetApiSvc start=disabled  (depth 2, PID 1852)
C:\Windows\system32\sc.exe  sc config WSearch start=disabled  (depth 2, PID 2920)
C:\Windows\system32\sc.exe  sc config lfsvc start=disabled  (depth 2, PID 4244)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config RemoteRegistry start=disabled  (depth 2, PID 5020)
C:\Windows\system32\sc.exe  sc config WpcMonSvc start=disabled  (depth 2, PID 4360)
C:\Windows\system32\sc.exe  sc config SEMgrSvc start=disabled  (depth 2, PID 4372)
C:\Windows\system32\sc.exe  sc config SCardSvr start=disabled  (depth 2, PID 3472)
C:\Windows\system32\sc.exe  sc config Netlogon start=disabled  (depth 2, PID 3476)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config CscService start=disabled  (depth 2, PID 3048)
C:\Windows\system32\sc.exe  sc config icssvc start=disabled  (depth 2, PID 1652)
C:\Windows\system32\sc.exe  sc config wisvc start=disabled  (depth 2, PID 1028)
C:\Windows\system32\sc.exe  sc config RetailDemo start=disabled  (depth 2, PID 4544)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config WalletService start=disabled  (depth 2, PID 1388)
C:\Windows\system32\sc.exe  sc config Fax start=disabled  (depth 2, PID 1668)
C:\Windows\system32\sc.exe  sc config WbioSrvc start=disabled  (depth 2, PID 3056)
C:\Windows\system32\sc.exe  sc config iphlpsvc start=disabled  (depth 2, PID 2624)
C:\Windows\system32\sc.exe  sc config wcncsvc start=disabled  (depth 2, PID 2948)
C:\Windows\system32\sc.exe  sc config fhsvc start=disabled  (depth 2, PID 2928)
C:\Windows\system32\sc.exe  sc config PhoneSvc start=disabled  (depth 2, PID 4560)
C:\Windows\system32\sc.exe  sc config seclogon start=disabled  (depth 2, PID 3824)
C:\Windows\system32\sc.exe  sc config FrameServer start=disabled  (depth 2, PID 3896)
C:\Windows\system32\sc.exe  sc config WbioSrvc start=disabled  (depth 2, PID 4752)
C:\Windows\system32\sc.exe  sc config StiSvc start=disabled  (depth 2, PID 2668)
C:\Windows\system32\sc.exe  sc config PcaSvc start=disabled  (depth 2, PID 3504)
C:\Windows\system32\sc.exe  sc config DPS start=disabled  (depth 2, PID 2340)
C:\Windows\system32\sc.exe  sc config MapsBroker start=disabled  (depth 2, PID 4784)
C:\Windows\system32\sc.exe  sc config bthserv start=disabled  (depth 2, PID 4628)
C:\Windows\system32\sc.exe  sc config BDESVC start=disabled  (depth 2, PID 4876)
C:\Windows\system32\sc.exe  sc config BthAvctpSvc start=disabled  (depth 2, PID 3124)
C:\Windows\system32\sc.exe  sc config WpcMonSvc start=disabled  (depth 2, PID 1632)
C:\Windows\system32\sc.exe  sc config DiagTrack start=disabled  (depth 2, PID 2428)
C:\Windows\system32\sc.exe  sc config CertPropSvc start=disabled  (depth 2, PID 644)
C:\Windows\system32\sc.exe  sc config WdiServiceHost start=disabled  (depth 2, PID 3188)
C:\Windows\system32\sc.exe  sc config lmhosts start=disabled  (depth 2, PID 3956)
C:\Windows\system32\sc.exe  sc config WdiSystemHost start=disabled  (depth 2, PID 3204)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config TrkWks start=disabled  (depth 2, PID 4648)
C:\Windows\system32\sc.exe  sc config WerSvc start=disabled  (depth 2, PID 2368)
C:\Windows\system32\sc.exe  sc config TabletInputService start=disabled  (depth 2, PID 4640)
C:\Windows\system32\sc.exe  sc config EntAppSvc start=disabled  (depth 2, PID 2308)
C:\Windows\system32\sc.exe  sc config Spooler start=disabled  (depth 2, PID 4800)
C:\Windows\system32\sc.exe  sc config BcastDVRUserService start=disabled  (depth 2, PID 4000)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config WMPNetworkSvc start=disabled  (depth 2, PID 3940)
C:\Windows\system32\sc.exe  sc config diagnosticshub.standardcollector.service start=disabled  (depth 2, PID 5080)
C:\Windows\system32\sc.exe  sc config DmEnrollmentSvc start=disabled  (depth 2, PID 4960)
C:\Windows\system32\sc.exe  sc config PNRPAutoReg start=disabled  (depth 2, PID 4944)
C:\Windows\system32\sc.exe  sc config wlidsvc start=disabled  (depth 2, PID 380)
C:\Windows\system32\sc.exe  sc config AXInstSV start=disabled  (depth 2, PID 4900)
C:\Windows\system32\sc.exe  sc config lfsvc start=disabled  (depth 2, PID 5092)
C:\Windows\system32\sc.exe  sc config NcbService start=disabled  (depth 2, PID 1648)
C:\Windows\system32\sc.exe  sc config DeviceAssociationService start=disabled  (depth 2, PID 3960)
C:\Windows\system32\sc.exe  sc config StorSvc start=disabled  (depth 2, PID 3276)
C:\Windows\system32\sc.exe  sc config TieringEngineService start=disabled  (depth 2, PID 4820)
C:\Windows\system32\sc.exe  sc config DPS start=disabled  (depth 2, PID 2924)
C:\Windows\system32\sc.exe  sc config Themes start=disabled  (depth 2, PID 1164)
C:\Windows\system32\sc.exe  sc config AppReadiness start=disabled  (depth 2, PID 2912)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 4224)
  - Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config HvHost start=disabled  (depth 2, PID 3560)
C:\Windows\system32\sc.exe  sc config vmickvpexchange start=disabled  (depth 2, PID 5060)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config vmicguestinterface start=disabled  (depth 2, PID 3636)
C:\Windows\system32\sc.exe  sc config vmicshutdown start=disabled  (depth 2, PID 4372)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config vmicheartbeat start=disabled  (depth 2, PID 3140)
C:\Windows\system32\sc.exe  sc config vmicvmsession start=disabled  (depth 2, PID 3476)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config vmicrdv start=disabled  (depth 2, PID 3756)
C:\Windows\system32\sc.exe  sc config vmictimesync start=disabled  (depth 2, PID 856)
C:\Windows\system32\sc.exe  sc config vmicvss start=disabled  (depth 2, PID 1028)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 1388)
  - Delays execution with timeout.exe
C:\Windows\system32\sc.exe  sc config edgeupdate start=disabled  (depth 2, PID 1668)
C:\Windows\system32\sc.exe  sc config edgeupdatem start=disabled  (depth 2, PID 2960)
C:\Windows\system32\sc.exe  sc config GoogleChromeElevationService start=disabled  (depth 2, PID 2952)
C:\Windows\system32\sc.exe  sc config gupdate start=disabled  (depth 2, PID 2956)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config gupdatem start=disabled  (depth 2, PID 760)
C:\Windows\system32\sc.exe  sc config BraveElevationService start=disabled  (depth 2, PID 1528)
C:\Windows\system32\sc.exe  sc config brave start=disabled  (depth 2, PID 1124)
C:\Windows\system32\sc.exe  sc config bravem start=disabled  (depth 2, PID 3824)
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 3896)
C:\Windows\system32\sc.exe  sc config NcbService start=disabled  (depth 2, PID 4752)
C:\Windows\system32\sc.exe  sc config jhi_service start=disabled  (depth 2, PID 716)
C:\Windows\system32\sc.exe  sc config WMIRegistrationService start=disabled  (depth 2, PID 3504)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config "Intel(R) TPM Provisioning Service" start=disabled  (depth 2, PID 3944)
C:\Windows\system32\sc.exe  sc config ipfsvc start=disabled  (depth 2, PID 3432)
C:\Windows\system32\sc.exe  sc config igccservice start=disabled  (depth 2, PID 1396)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config cplspcon start=disabled  (depth 2, PID 1304)
C:\Windows\system32\sc.exe  sc config esifsvc start=disabled  (depth 2, PID 3552)
  - Launches sc.exe
C:\Windows\system32\sc.exe  sc config LMS start=disabled  (depth 2, PID 3488)
C:\Oneclick Tools\NSudo\NSudoLG.exe  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"  (depth 2, PID 4940)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\timeout.exe  timeout 1  (depth 2, PID 4808)
  - Delays execution with timeout.exe
C:\Oneclick Tools\NSudo\NSudoLG.exe  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"  (depth 2, PID 2084)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable  (depth 2, PID 624)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable  (depth 2, PID 4800)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable  (depth 2, PID 4796)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable  (depth 2, PID 3200)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable  (depth 2, PID 764)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "CCleaner Update" /Disable  (depth 2, PID 3864)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "CCleanerCrashReporting" /Disable  (depth 2, PID 1452)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable  (depth 2, PID 4900)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable  (depth 2, PID 5092)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable  (depth 2, PID 1648)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable  (depth 2, PID 3960)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable  (depth 2, PID 4856)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable  (depth 2, PID 4820)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable  (depth 2, PID 2860)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable  (depth 2, PID 2388)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable  (depth 2, PID 4244)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable  (depth 2, PID 2696)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable  (depth 2, PID 5060)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable  (depth 2, PID 1828)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable  (depth 2, PID 3472)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable  (depth 2, PID 3048)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable  (depth 2, PID 1408)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F  (depth 2, PID 856)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F  (depth 2, PID 4716)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F  (depth 2, PID 2304)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F  (depth 2, PID 1436)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F  (depth 2, PID 1388)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "CCleaner Update" /F  (depth 2, PID 1984)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "CCleanerCrashReporting" /F  (depth 2, PID 3352)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F  (depth 2, PID 2948)
C:\Windows\system32\schtasks.exe  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F  (depth 2, PID 2648)
-
C:\Windows\system32\timeout.exe (PID 1528, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4188, depth 2)
  powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\timeout.exe (PID 5116, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\system32\takeown.exe (PID 2844, depth 2)
  takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (PID 4876, depth 2)
  icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\timeout.exe (PID 4472, depth 2)
  timeout 1
C:\Windows\system32\taskkill.exe (PID 2852, depth 2)
  taskkill /f /im msedge.exe
  - Kills process with taskkill
C:\Windows\system32\taskkill.exe (PID 1700, depth 2)
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  - Kills process with taskkill
C:\Windows\system32\taskkill.exe (PID 4000, depth 2)
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  - Kills process with taskkill
C:\Windows\system32\timeout.exe (PID 4796, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\system32\taskkill.exe (PID 3080, depth 2)
  taskkill.exe /F /IM "OneDrive.exe"
  - Kills process with taskkill
C:\Windows\system32\taskkill.exe (PID 2092, depth 2)
  taskkill.exe /F /IM "explorer.exe"
  - Kills process with taskkill
C:\Windows\system32\reg.exe (PID 4900, depth 2)
  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  - Modifies registry class
C:\Windows\system32\reg.exe (PID 1404, depth 2)
  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  - Modifies registry class
C:\Windows\system32\reg.exe (PID 4864, depth 2)
  reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
C:\Windows\system32\reg.exe (PID 2912, depth 2)
  reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
C:\Windows\system32\reg.exe (PID 4224, depth 2)
  reg unload "hku\Default"
C:\Windows\system32\schtasks.exe (PID 3560, depth 2)
  schtasks /delete /tn "OneDrive*" /f
C:\Windows\explorer.exe (PID 5036, depth 2)
  explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4984, depth 3)
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3048, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe8,0x108,0x7ffc74d7cc40,0x7ffc74d7cc4c,0x7ffc74d7cc58
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3896, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4520, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1744,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1136, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3480, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4220, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1852, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3780, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4296 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2256, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3644, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4836,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4940, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5088,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2700, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3488,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3640, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4792, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1164, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4940, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3120,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2536, depth 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4484,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:2
C:\Windows\system32\timeout.exe (PID 1228, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\system32\takeown.exe (PID 3896, depth 2)
  takeown /F "C:\Windows\System32\UsoClient.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (PID 4752, depth 2)
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\takeown.exe (PID 536, depth 2)
  takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (PID 2760, depth 2)
  icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\timeout.exe (PID 5072, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\system32\taskkill.exe (PID 3680, depth 2)
  taskkill /F /IM WidgetService.exe
  - Kills process with taskkill
C:\Windows\system32\taskkill.exe (PID 1384, depth 2)
  taskkill /F /IM Widgets.exe
  - Kills process with taskkill
C:\Windows\system32\reg.exe (PID 4948, depth 2)
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe (PID 4372, depth 2)
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe (PID 1136, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\system32\takeown.exe (PID 2528, depth 2)
  takeown /F "C:\Windows\System32\smartscreen.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (PID 2948, depth 2)
  icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\takeown.exe (PID 3944, depth 2)
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (PID 3432, depth 2)
  icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\timeout.exe (PID 4048, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\system32\takeown.exe (PID 1244, depth 2)
  takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\icacls.exe (PID 3176, depth 2)
  icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
C:\Windows\system32\timeout.exe (PID 4532, depth 2)
  timeout 1
C:\Windows\system32\chcp.com (PID 1788, depth 2)
  chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3808, depth 2)
  powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\timeout.exe (PID 424, depth 2)
  timeout 2
C:\Windows\system32\cmd.exe (PID 764, depth 2)
  C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
C:\Windows\System32\Wbem\WMIC.exe (PID 1840, depth 3)
  wmic startup get caption /format:list
C:\Windows\system32\reg.exe (PID 3808, depth 2)
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
  - Adds Run key to start application
C:\Windows\system32\reg.exe (PID 4792, depth 2)
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
  - Adds Run key to start application
C:\Windows\system32\reg.exe (PID 2256, depth 2)
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "uejf7w " /t REG_SZ /d "" /f
  - Adds Run key to start application
C:\Windows\system32\timeout.exe (PID 2536, depth 2)
  timeout 2
  - Delays execution with timeout.exe
C:\Windows\system32\reg.exe (PID 4236, depth 2)
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  - Adds Run key to start application
C:\Windows\system32\reg.exe (PID 3644, depth 2)
  reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  - Adds Run key to start application
C:\Windows\system32\reg.exe (PID 4940, depth 2)
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
C:\Windows\system32\reg.exe (PID 3468, depth 2)
  reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  - Adds Run key to start application
C:\Windows\system32\reg.exe (PID 1092, depth 2)
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  - Adds Run key to start application
C:\Windows\system32\reg.exe (PID 3880, depth 2)
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  - Adds Run key to start application
C:\Windows\system32\reg.exe (PID 424, depth 2)
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
C:\Windows\system32\reg.exe (PID 4244, depth 2)
  reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  - Adds Run key to start application
C:\Windows\system32\timeout.exe (PID 4484, depth 2)
  timeout 1
  - Delays execution with timeout.exe
C:\Windows\system32\chcp.com (PID 2256, depth 2)
  chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3984, depth 2)
  powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1092, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2696, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1340, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1984, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2852, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1164, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2892, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3344, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4376, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3328, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2828, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 996, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1840, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1416, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4748, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3004, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2368, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3204, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2804, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1968, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4820, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4236, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3668, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2852, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 764, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4484, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1140, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2920, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3784, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1524, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3800, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1068, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5424, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5556, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5676, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5792, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5908, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6044, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5128, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3636, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5184, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5316, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5340, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5460, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5612, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5856, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5984, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5908, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2380, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3368, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5284, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3624, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MinecraftUWP* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5536, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Wallet* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5616, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5756, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5768, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5828, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 6020, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5124, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneVideo* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2440, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsCalculator* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2868, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5236, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GroupMe10* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5332, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5632, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSaga* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5736, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSodaSaga* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5600, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ShazamEntertainmentLtd.Shazam* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4744, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Flipboard.Flipboard* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5968, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *9E2F88E3.Twitter* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2388, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ClearChannelRadioDigital.iHeartRadio* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1840, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *D5EA27B7.Duolingo-LearnLanguagesforFree* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3688, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshopExpress* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2860, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *PandoraMediaInc.29680B314EFC2* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5296, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *46928bounde.EclipseManager* | Remove-AppxPackage"
  - Command and Scripting Interpreter: PowerShell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5324, depth 2)
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ActiproSoftwareLLC.562882FEEB491* | Remove-AppxPackage"
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
- Modifies registry class
PID:5068
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:964
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost1⤵PID:1220
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:688
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Enumerates connected drives
PID:4888 -
C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:1392 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 824 2816 2808 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}2⤵
- Modifies data under HKEY_USERS
PID:324 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 824 2876 2872 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}2⤵PID:3728
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:2756
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2224
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:624
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4936
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:1968
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- System Services: 2
  - Service Execution: 2
Persistence
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 3
  - Windows Service: 3
- Event Triggered Execution: 1
  - Component Object Model Hijacking: 1
- Power Settings: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Active Setup: 1
  - Registry Run Keys / Startup Folder: 1
- Create or Modify System Process: 3
  - Windows Service: 3
- Event Triggered Execution: 1
  - Component Object Model Hijacking: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- File and Directory Permissions Modification: 2
  - Windows File and Directory Permissions Modification: 1
- Hide Artifacts: 2
  - Hidden Files and Directories: 1
  - Ignore Process Interrupts: 1
- Impair Defenses: 3
  - Disable or Modify Tools: 2
- Indicator Removal: 1
  - File Deletion: 1
- Modify Registry: 9
Downloads
-
Filesize
1KB
MD542cb809d7e6cbc260b981595bfaeff8a
SHA18e829bb8df1a5226da77cd1eafeea072ad79dbea
SHA25648f94b21af348d01054afbd5296217e58cf1b5e19c40a03582c881b07f4eb50a
SHA5125f0253b4683f61e79001b7ccaf4ef60e4e4f6a11db34daa5ceefb034f1cbef9f64ec40944f618bdd3f19ba84038a7229a92ed8718a9017cc8fffd3f888027c4c
-
Filesize
1KB
MD5f7ca416b30f3934e74bad24acc2081f6
SHA1a9eb34ad453ef05c0dfce51aa79b0867430e8032
SHA2560ef4b691fd9308624fbab7ab88e65fd03e91c87d56e3c46dab9375f9b685664d
SHA512c57b736e6a05a5d58275d97dcf221da3a89be25b2a5f251abd52e5132a1229a3ff7694fbff56889efebdcb8593bd2188988112136ead7043e15da033dbe25e4c
-
Filesize
1KB
MD559fc565c462e7c2ea191f5bcd07fc7f7
SHA182319a1561bf814d57909b2aabcc9cd694d28144
SHA25666af5b8a9dbbc021a788ff678f65505956f668993d948f0a8688c77225a007a4
SHA51272fd9b8208ac3603f1606038e91865d2399263d7d78c78bf94f1b08a72f4eae186a32f286ed2b6a61585254bf7596923ae0c355f4a582af71351465b56a9a2ff
-
Filesize
1KB
MD5a7cfaee7dbbdb26a004b0ab31953122e
SHA18807ac20333c5ccfc15ffe24073df4a724f4ccff
SHA2560419c5f97506b99bb52e1a871bfa106243472d4bbf7ec05290fa2f9ee853204f
SHA5124b824531d1e693e7dfd4a121a8c793d386527801ad7a887244802bcd350df26616e02c6fcee894e61e5f13ddcf7d215cf42f3f991e24029ffcbad82b805cf07b
-
Filesize
1KB
MD559d247f3dcef4b8065e5782588fa9994
SHA1c0d499337fac8d433498ff3a558ef0576aa0a462
SHA256a5d8ee69ea240bfc741a31d67484aead22f4a4333e6f7db6b2d6e41b5a43880c
SHA51279328ca89bf886c4e5244c9516cc18051ce106ac607e2f4626acd964edf8f5204040ca26ddbaad6f4d8d41e6a4affef42fad5c3171fa0c3c6ef6aad1ac383302
-
Filesize
1KB
MD5af4b0dad49ad8f7fedf208469d57964e
SHA19d06eaeccb3134899b67834ef74b39712a506d69
SHA256798ce95d8eaf80f62645eacbe9d63adc8ca99babcaa8052bc9f0cc9afae93ba0
SHA5128136211dfe281faf11fad11a3073a939f156bc54f87bfbd69264a0a3ac9b975b32524f03bf59a24536fcafb70159b53b6e316393bc4920adf8d0c6d579db3cc8
-
Filesize
64B
MD5dbf9fec0284459c885c695c96fdd4e67
SHA1f3530eb549137596bb53cde08a3e3cc1ea237faf
SHA2563cc2ef28f616ca2a6e5fb06da63d6bdb53b63e92701ecee38e84f98b7f56b38a
SHA51295a7858d009940a1c29f9c05c2bd2a6a03a3122fe749546d87e435b5d3172fd0d22dec099b450be3ea99c58b8681484eafd8ad00be1364d9085fc4a9f249f452
-
Filesize
1KB
MD5aebc892b67e02565ce1c843823a64767
SHA1e90b3d63138457f154bd814c97dbd7b910f67f8f
SHA2569f8d6a47c465e3650140f1b56885bc2ff833d927690555fed4457b3244c35e21
SHA512c9cb1c097a36daa450951d76038edd6871355a78f3d1a7433e93db3cbbca6623034411fc29147f28f64e2e708d4954bbd688596b262b1f4ccd622d53bb4a8b66
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e7eeff51-18c6-4013-a123-180ffca04c52.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e