Malware Analysis Report

2025-05-06 01:19

Sample ID 241109-1g4qkssgqb
Target Octo Free Tweaking Utility V1.0.bat
SHA256 bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31
Tags
execution persistence discovery privilege_escalation
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bd035666f01df67518bf6a7976e58d019fe4281b7cc959bc623b5bbc8cb6aa31

Threat Level: Shows suspicious behavior

The file Octo Free Tweaking Utility V1.0.bat was found to show suspicious behavior.

Malicious Activity Summary

execution persistence discovery privilege_escalation

Modifies system executable filetype association

Event Triggered Execution: Component Object Model Hijacking

Power Settings

Command and Scripting Interpreter: PowerShell

Drops desktop.ini file(s)

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:39

Platform

win7-20240903-en

Max time kernel

55s

Max time network

16s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

Signatures

Power Settings

persistence
Description   Indicator   Process                             Target
N/A           N/A         C:\Windows\system32\powercfg.exe    N/A      (64 identical rows)

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\helppane.exe N/A

Suspicious use of AdjustPrivilegeToken

Description                         Indicator   Process                             Target
Token: SeTakeOwnershipPrivilege     N/A         C:\Windows\helppane.exe             N/A      (4 identical rows)
Token: SeShutdownPrivilege          N/A         C:\Windows\system32\powercfg.exe    N/A      (50 identical rows)
Token: SeCreatePagefilePrivilege    N/A         C:\Windows\system32\powercfg.exe    N/A
Token: SeShutdownPrivilege          N/A         C:\Windows\system32\powercfg.exe    N/A      (9 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of WriteProcessMemory

Description                          Indicator   Process                         Target
PID 2196 wrote to memory of 2256     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\cmd.exe         (3 identical rows)
PID 2256 wrote to memory of 2192     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\findstr.exe     (3 identical rows)
PID 2196 wrote to memory of 2672     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2724     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2692     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2832     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2700     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2860     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2168     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 3028     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2684     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2828     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2604     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2904     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2812     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2920     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2912     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2300     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2740     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2736     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2616     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe    (3 identical rows)
PID 2196 wrote to memory of 2624     N/A         C:\Windows\system32\cmd.exe     C:\Windows\system32\powercfg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\findstr.exe

findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -setactive scheme_max

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg -h off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\findstr.exe

findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -setactive scheme_max

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg -h off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\findstr.exe

findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -setactive scheme_max

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg -h off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\findstr.exe

findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -setactive scheme_max

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg -h off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\findstr.exe

findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -monitor-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg -change -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

powercfg -setactive scheme_max

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMAX 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCTHROTTLEMIN 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk disk_idle 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_disk idle_time 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_usb selective_suspend 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video adaptive_display 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_display brightness 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_cpu idle_timeout 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_hybrid sleep 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_graphics adaptive_graphics 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PERFDISPLAY 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor PROCFREQUENCY 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_video dynamic_contrast 0

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_dvd video_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cooling_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system processor_power_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_memory standby_policy 1

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_system cpu_core 100

C:\Windows\system32\powercfg.exe

powercfg /setacvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg /setdcvalueindex scheme_max sub_processor clock_speed 100

C:\Windows\system32\powercfg.exe

powercfg -h off

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\findstr.exe

findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Get-CimInstance -ClassName Win32_StartupCommand | Remove-CimInstance"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-Service -Name "wuauserv" -StartupType Disabled # Windows Update Service"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-Service -Name "Spooler" -StartupType Disabled # Print Spooler"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-Service -Name "RemoteRegistry" -StartupType Disabled"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-Service -Name "Superfetch" -StartupType Disabled "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-Service -Name "WMPNetworkSvc" -StartupType Disabled Set-MpPreference -DisableRealtimeMonitoring $true"

Network

N/A

Files

memory/2332-0-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2332-14-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1880-19-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/1880-20-0x0000000002000000-0x0000000002008000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 ce36a2f713da848eaba3779dfe6b489c
SHA1 795bf16651611f67950dcf917b321cd452ac7392
SHA256 9db989accc8b0431f074bf6147a091662518d882ca4871f40dd2176de4362caf
SHA512 ed51ac72fe95e8719dbbd8f4ee4f3cf66ce8ac33c9133e134c4563eba27f6b36dbd4de162632210f4654d3897742935bf02fa2f1b84d6a3a8410906b96d32bd3

memory/2996-26-0x000000001B590000-0x000000001B872000-memory.dmp

memory/2996-27-0x0000000001F00000-0x0000000001F08000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:38

Reported

2024-11-09 21:39

Platform

win10v2004-20241007-en

Max time kernel

71s

Max time network

80s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Windows\SysWOW64\OneDriveSetup.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\BANNERNOTIFICATIONHANDLER.BANNERNOTIFICATIONHANDLER\CLSID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{1B7AED4F-FCAF-4DA4-8795-C03E635D8EDC}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\FILESYNCCLIENT.AUTOPLAYHANDLER\CURVER C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\PROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{0D4E4444-CB20-4C2B-B8B2-94E5656ECAE8}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\VERSIONINDEPENDENTPROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\FileSyncClient.FileSyncClient C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\0\WIN32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\PROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\ODOPEN\DEFAULTICON C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{AF60000F-661D-472A-9588-F062F6DB7A0E}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\FILESYNCCLIENT.AUTOPLAYHANDLER\CLSID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_CLASSES\WOW6432NODE\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\FileSyncClient.AutoPlayHandler C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} C:\Windows\SysWOW64\OneDriveSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 384 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 384 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4520 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 384 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\OneDriveSetup.exe
PID 384 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\OneDriveSetup.exe
PID 384 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\SysWOW64\OneDriveSetup.exe
PID 1508 wrote to memory of 1568 N/A C:\Windows\SysWOW64\OneDriveSetup.exe C:\Windows\SysWOW64\OneDriveSetup.exe
PID 1508 wrote to memory of 1568 N/A C:\Windows\SysWOW64\OneDriveSetup.exe C:\Windows\SysWOW64\OneDriveSetup.exe
PID 1508 wrote to memory of 1568 N/A C:\Windows\SysWOW64\OneDriveSetup.exe C:\Windows\SysWOW64\OneDriveSetup.exe
PID 5092 wrote to memory of 3956 N/A C:\Windows\SysWOW64\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
PID 5092 wrote to memory of 3956 N/A C:\Windows\SysWOW64\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
PID 5092 wrote to memory of 3956 N/A C:\Windows\SysWOW64\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
PID 384 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 384 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\system32\findstr.exe

findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\Octo Free Tweaking Utility V1.0.bat"

C:\Windows\SysWOW64\OneDriveSetup.exe

C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall

C:\Windows\SysWOW64\OneDriveSetup.exe

"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /cusid:S-1-5-21-3227495264-2217614367-4027411560-1000

C:\Windows\SysWOW64\OneDriveSetup.exe

C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 92.129.74.13.in-addr.arpa udp
US 8.8.8.8:53 21.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp1B05.tmp

MD5 bd2866356868563bd9d92d902cf9cc5a
SHA1 c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b
SHA256 6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb
SHA512 5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27