Analysis
max time kernel: 1794s
max time network: 423s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-11-2024 13:10

Static task: static1
Behavioral task: behavioral1
Sample: Oneclick-V6.7.bat
Resource: win11-20241007-en

General
Target: Oneclick-V6.7.bat
Size: 202KB
MD5: 4acd7d1e7294d4ab4e9db8977d5135e4
SHA1: 07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256: b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512: d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
SSDEEP: 1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk
Malware Config
Signatures
Modifies security service 2 TTPs 2 IoCs
Processes: OOSU10.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | OOSU10.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | reg.exe

Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
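The registry records in these signatures are the ones a responder would act on, so here is an added example (not part of this report or of the sample) of turning them into findings. The Python below parses records written in the report's own form (action, value type, native registry path, value, writing process) and applies the few rules that matter for this sample: a service Start value of 4 is SERVICE_DISABLED and wuauserv is the Windows Update service; EnableLUA = 0 switches UAC off once the machine reboots; HideFileExt = 0 actually shows extensions, which is the opposite of the classic lure trick, so only a value of 1 would be worth a finding. The sample records are copied from this report's signatures; the severity labels, rule wording and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Registry records copied from this report's signatures, in the form the
# report uses: <action> (<type>) <path> = "<value>" <process>
# ("Key created" records carry no type and no value).
SAMPLE_RECORDS = [
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\wuauserv\\Start = "4" OOSU10.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\wuauserv\\Start = "4" reg.exe',
    'Set value (int) \\REGISTRY\\USER\\S-1-5-21-4018527317-446799424-2810249686-1000'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt = "0" reg.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA = "0" reg.exe',
    'Key created \\REGISTRY\\USER\\S-1-5-21-4018527317-446799424-2810249686-1000'
    '\\Software\\Microsoft\\Active Setup\\Installed Components explorer.exe',
]

RECORD_RE = re.compile(
    r'^(?P<action>Set value|Key created)'   # what the sandbox observed
    r'(?: \((?P<vtype>\w+)\))?'             # value type, only present for "Set value"
    r' (?P<path>\\REGISTRY\\.+?)'           # native registry path (may contain spaces)
    r'(?: = "(?P<value>[^"]*)")?'           # value written, only present for "Set value"
    r' (?P<process>\S+)$'                   # the writing process is always the last token
)

# Native hive prefixes as the sandbox logs them, mapped to the usual short names.
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}


@dataclass
class RegRecord:
    action: str
    vtype: Optional[str]
    path: str            # normalised: HKLM\... or HKU\<SID>\...
    value: Optional[str]
    process: str


def parse_record(line: str) -> RegRecord:
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    path = m["path"]
    for native, short in HIVES.items():
        if path.upper().startswith(native):
            path = short + path[len(native):]
            break
    return RegRecord(m["action"], m["vtype"], path, m["value"], m["process"])


def assess(rec: RegRecord) -> Optional[Tuple[str, str]]:
    """Return (severity, finding) for a change a responder should act on, else None."""
    parts = rec.path.split("\\")
    low = rec.path.lower()
    if rec.action == "Set value" and "\\services\\" in low and parts[-1].lower() == "start":
        if rec.value == "4":   # SERVICE_DISABLED; wuauserv is the Windows Update service
            return ("high", f"{rec.process} disabled service {parts[-2]}")
    if low.endswith("\\policies\\system\\enablelua") and rec.value == "0":
        return ("high", f"{rec.process} switched UAC off (EnableLUA=0; effective after reboot)")
    if low.endswith("\\explorer\\advanced\\hidefileext"):
        # 1 hides extensions (the lure trick); 0 shows them, so only 1 is worth a finding.
        return ("medium", f"{rec.process} hid file extensions") if rec.value == "1" else None
    if rec.action == "Key created" and low.endswith("\\active setup\\installed components"):
        # Explorer populating this key in the user hive also happens at a normal first
        # logon, so flag it for review rather than as a confirmed persistence install.
        return ("review", f"{rec.process} created Active Setup key under {parts[0]}")
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    return [f for f in (assess(parse_record(l)) for l in lines) if f is not None]


if __name__ == "__main__":
    for severity, finding in triage(SAMPLE_RECORDS):
        print(f"[{severity}] {finding}")
```

Two caveats when reading the rest of this report with that lens. OOSU10.exe and NSudoLG.exe, the two dropped executables, are the file names used by the O&O ShutUp10 privacy tool and the NSudo launcher; together with the takeown/icacls runs and the sc.exe storm they fit a Windows tweak/debloat script, so the actionable findings are about what was switched off (Windows Update, UAC) rather than about a payload. The powershell.exe write to the user-hive CLSID {86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 listed under "Modifies registry class" is what the COM hijacking signature reacts to; an empty default value on that key is the widely used Windows 11 classic context-menu tweak, so it is expected from such a script, but it remains a per-user COM override and should be verified as empty rather than pointing at a DLL.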
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell to get system information.
Processes: powershell.exe (11 instances)
pids (all powershell.exe): 2900, 3580, 2764, 4792, 1868, 228, 5048, 2068, 4376, 4816, 3332

Downloads MZ/PE file

Possible privilege escalation attempt 13 IoCs
Processes: icacls.exe, takeown.exe
pid process: 4964 icacls.exe, 3612 icacls.exe, 1444 icacls.exe, 2284 takeown.exe, 3544 takeown.exe, 3424 icacls.exe, 3408 takeown.exe, 3504 takeown.exe, 2948 takeown.exe, 1276 icacls.exe, 4900 icacls.exe, 4408 icacls.exe, 1176 takeown.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE 3 IoCs
Processes: OOSU10.exe, NSudoLG.exe
pid process: 3396 OOSU10.exe, 1652 NSudoLG.exe, 2704 NSudoLG.exe

Modifies file permissions 1 TTPs 13 IoCs
Processes: icacls.exe, takeown.exe
pid process: 4964 icacls.exe, 3504 takeown.exe, 1444 icacls.exe, 2284 takeown.exe, 4900 icacls.exe, 3544 takeown.exe, 3424 icacls.exe, 3408 takeown.exe, 4408 icacls.exe, 1176 takeown.exe, 2948 takeown.exe, 1276 icacls.exe, 3612 icacls.exe
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe
description | ioc | process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
flow | ioc
12 | raw.githubusercontent.com
17 | drive.google.com
21 | drive.google.com
4 | raw.githubusercontent.com
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

Drops file in System32 directory 9 IoCs
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\SRU\SRU.log | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | svchost.exe
File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{62772446-1cb0-4cb6-b025-9ca24479f1ec}\snapshot.etl | svchost.exe
File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{62772446-1cb0-4cb6-b025-9ca24479f1ec}\snapshot.etl | svchost.exe
File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRU.chk | svchost.exe
File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | svchost.exe
File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-4018527317-446799424-2810249686-1000_StartupInfo3.xml | svchost.exe
File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4018527317-446799424-2810249686-1000_UserData.bin | svchost.exe

Drops file in Windows directory 2 IoCs
Processes: TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Processes: powershell.exe (3 instances)
pids (all powershell.exe): 5048, 1644, 3332
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (64 instances)
pids (all sc.exe): 1984, 4464, 1732, 2576, 4632, 3092, 1828, 4832, 4984, 2712, 1556, 4364, 1080, 1444, 1112, 1344, 1440, 4980, 2868, 2692, 4180, 2488, 5016, 2500, 2180, 4428, 4996, 2644, 2704, 4984, 2072, 4656, 4172, 2008, 1084, 3568, 3204, 4440, 4304, 4172, 3652, 4952, 4352, 2832, 2792, 1084, 5048, 1084, 2292, 384, 2920, 2028, 3088, 4484, 4296, 3044, 4788, 3188, 5000, 4072, 2356, 1204, 2644, 3576
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: explorer.exe, Taskmgr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | explorer.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | explorer.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe

Delays execution with timeout.exe 57 IoCs
Processes: timeout.exe (57 instances)
pids (all timeout.exe): 3364, 3392, 4888, 4868, 932, 4732, 4148, 2080, 1136, 2764, 1452, 1556, 2412, 3164, 2596, 1148, 3388, 972, 1084, 3008, 3352, 936, 3656, 4992, 1908, 1200, 2244, 1324, 1228, 3968, 1648, 1648, 1892, 5012, 3308, 1992, 2356, 1280, 2152, 4172, 3712, 3036, 4144, 3712, 2128, 1084, 2952, 2632, 1116, 900, 4412, 3208, 4348, 3488, 1524, 2188, 2920
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Kills process with taskkill 8 IoCs
Processes: taskkill.exe (8 instances)
pids (all taskkill.exe): 4792, 4204, 244, 348, 4756, 2828, 3572, 460

Modifies Control Panel 1 IoCs
Processes: OOSU10.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" | OOSU10.exe

Processes: SearchHost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe

Modifies data under HKEY_USERS 2 IoCs
Processes: reg.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | reg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" | reg.exe
Modifies registry class 54 IoCs
Processes: SearchHost.exe, explorer.exe, powershell.exe, OOSU10.exe, StartMenuExperienceHost.exe, svchost.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "967" | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ShowSearchSuggestionsGlobal = "0" | OOSU10.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs | SearchHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no" | OOSU10.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13395" | SearchHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "1000" | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\AllUsers\{BFCA5F96-24A1-42B3-A9C3-0E898E56AB44} | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory | OOSU10.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" | reg.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoftwindows.client.cbs | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | OOSU10.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "967" | SearchHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "1000" | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID | powershell.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0" | OOSU10.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\EnableCortana = "0" | OOSU10.exe
Key created | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchHost.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 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 | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727761486664525" | explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13362" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000f9e3da1ab118db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00
explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 powershell.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead OOSU10.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory\ = "0" OOSU10.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} reg.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs SearchHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" OOSU10.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI OOSU10.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchHost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" reg.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\MuiCache SearchHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} powershell.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge OOSU10.exe
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{5806EA84-379A-4BC7-A7B3-472FB09C636B} explorer.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs SearchHost.exe
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
pid process 2764 powershell.exe 2764 powershell.exe 5048 powershell.exe 5048 powershell.exe 2068 powershell.exe 2068 powershell.exe 4376 powershell.exe 4376 powershell.exe 4792 powershell.exe 4792 powershell.exe 228 powershell.exe 228 powershell.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 1644 powershell.exe 1644 powershell.exe 2900 powershell.exe 2900 powershell.exe 4816 powershell.exe 4816 powershell.exe 3332 powershell.exe 3332 powershell.exe 1652 NSudoLG.exe 1652 NSudoLG.exe 2704 NSudoLG.exe 2704 NSudoLG.exe 1868 powershell.exe 1868 powershell.exe 4636 explorer.exe 4636 explorer.exe 3580 powershell.exe 3580 powershell.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 4636 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid process Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeBackupPrivilege 4060 TiWorker.exe Token: SeRestorePrivilege 4060 TiWorker.exe Token: SeSecurityPrivilege 4060 TiWorker.exe Token: SeDebugPrivilege 2764 powershell.exe Token: SeDebugPrivilege 5048 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeDebugPrivilege 4376 powershell.exe Token: SeShutdownPrivilege 2100 powercfg.exe Token: SeCreatePagefilePrivilege 2100 powercfg.exe Token: SeShutdownPrivilege 2100 powercfg.exe Token: SeCreatePagefilePrivilege 2100 powercfg.exe Token: SeDebugPrivilege 4792 powershell.exe Token: SeIncreaseQuotaPrivilege 4792 powershell.exe -
Suspicious use of FindShellTrayWindow 53 IoCs
Processes:
pid process 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid process 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 2252 Taskmgr.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe 4636 explorer.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid process 4636 explorer.exe 1576 SearchHost.exe 2068 StartMenuExperienceHost.exe 4636 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid process target process PID 1160 wrote to memory of 4936 1160 cmd.exe fltMC.exe PID 1160 wrote to memory of 4936 1160 cmd.exe fltMC.exe PID 1160 wrote to memory of 4228 1160 cmd.exe sc.exe PID 1160 wrote to memory of 4228 1160 cmd.exe sc.exe PID 1160 wrote to memory of 4332 1160 cmd.exe find.exe PID 1160 wrote to memory of 4332 1160 cmd.exe find.exe PID 1160 wrote to memory of 3280 1160 cmd.exe find.exe PID 1160 wrote to memory of 3280 1160 cmd.exe find.exe PID 1160 wrote to memory of 2052 1160 cmd.exe sc.exe PID 1160 wrote to memory of 2052 1160 cmd.exe sc.exe PID 1160 wrote to memory of 388 1160 cmd.exe find.exe PID 1160 wrote to memory of 388 1160 cmd.exe find.exe PID 1160 wrote to memory of 4916 1160 cmd.exe find.exe PID 1160 wrote to memory of 4916 1160 cmd.exe find.exe PID 1160 wrote to memory of 2312 1160 cmd.exe sc.exe PID 1160 wrote to memory of 2312 1160 cmd.exe sc.exe PID 1160 wrote to memory of 4368 1160 cmd.exe net.exe PID 1160 wrote to memory of 4368 1160 cmd.exe net.exe PID 4368 wrote to memory of 2888 4368 net.exe net1.exe PID 4368 wrote to memory of 2888 4368 net.exe net1.exe PID 1160 wrote to memory of 4428 1160 cmd.exe curl.exe PID 1160 wrote to memory of 4428 1160 cmd.exe curl.exe PID 1160 wrote to memory of 900 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 900 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 1788 1160 cmd.exe tar.exe PID 1160 wrote to memory of 1788 1160 cmd.exe tar.exe PID 1160 wrote to memory of 2548 1160 cmd.exe chcp.com PID 1160 wrote to memory of 2548 1160 cmd.exe chcp.com PID 1160 wrote to memory of 932 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 932 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 4788 1160 cmd.exe chcp.com PID 1160 wrote to memory of 4788 1160 cmd.exe chcp.com PID 1160 wrote to memory of 3748 1160 cmd.exe chcp.com PID 1160 wrote to memory of 3748 1160 cmd.exe chcp.com PID 1160 wrote to memory of 2764 1160 cmd.exe powershell.exe PID 1160 wrote to memory of 2764 1160 cmd.exe powershell.exe PID 1160 wrote to memory of 1280 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 1280 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 4636 1160 cmd.exe chcp.com PID 1160 wrote to memory of 4636 1160 cmd.exe chcp.com PID 1160 wrote to memory of 4992 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 4992 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 3428 1160 cmd.exe chcp.com PID 1160 wrote to memory of 3428 1160 cmd.exe chcp.com PID 1160 wrote to memory of 2676 1160 cmd.exe reg.exe PID 1160 wrote to memory of 2676 1160 cmd.exe reg.exe PID 1160 wrote to memory of 4488 1160 cmd.exe reg.exe PID 1160 wrote to memory of 4488 1160 cmd.exe reg.exe PID 1160 wrote to memory of 636 1160 cmd.exe reg.exe PID 1160 wrote to memory of 636 1160 cmd.exe reg.exe PID 1160 wrote to memory of 1524 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 1524 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 4056 1160 cmd.exe reg.exe PID 1160 wrote to memory of 4056 1160 cmd.exe reg.exe PID 1160 wrote to memory of 1120 1160 cmd.exe reg.exe PID 1160 wrote to memory of 1120 1160 cmd.exe reg.exe PID 1160 wrote to memory of 1084 1160 cmd.exe reg.exe PID 1160 wrote to memory of 1084 1160 cmd.exe reg.exe PID 1160 wrote to memory of 1684 1160 cmd.exe reg.exe PID 1160 wrote to memory of 1684 1160 cmd.exe reg.exe PID 1160 wrote to memory of 4144 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 4144 1160 cmd.exe timeout.exe PID 1160 wrote to memory of 4480 1160 cmd.exe reg.exe PID 1160 wrote to memory of 4480 1160 cmd.exe reg.exe -
System policy modification 1 TTPs 2 IoCs
Processes:
description ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" OOSU10.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" OOSU10.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1: C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"
- Suspicious use of WriteProcessMemory
PID:1160
-
Level 2: C:\Windows\system32\fltMC.exe
Command: fltmc
PID:4936
-
Level 2: C:\Windows\system32\sc.exe
Command: sc query "WinDefend"
PID:4228
-
Level 2: C:\Windows\system32\find.exe
Command: find "STATE"
PID:4332
-
Level 2: C:\Windows\system32\find.exe
Command: find "RUNNING"
PID:3280
-
Level 2: C:\Windows\system32\sc.exe
Command: sc qc "TrustedInstaller"
PID:2052
-
Level 2: C:\Windows\system32\find.exe
Command: find "START_TYPE"
PID:388
-
Level 2: C:\Windows\system32\find.exe
Command: find "DISABLED"
PID:4916
-
Level 2: C:\Windows\system32\sc.exe
Command: sc config TrustedInstaller start=auto
PID:2312
-
Level 2: C:\Windows\system32\net.exe
Command: net start TrustedInstaller
- Suspicious use of WriteProcessMemory
PID:4368
-
Level 3: C:\Windows\system32\net1.exe
Command: C:\Windows\system32\net1 start TrustedInstaller
PID:2888
-
Level 2: C:\Windows\system32\curl.exe
Command: curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
PID:4428
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:900
-
Level 2: C:\Windows\system32\tar.exe
Command: tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
PID:1788
-
Level 2: C:\Windows\system32\chcp.com
Command: chcp 65001
PID:2548
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 2
- Delays execution with timeout.exe
PID:932
-
Level 2: C:\Windows\system32\chcp.com
Command: chcp 65001
PID:4788
-
Level 2: C:\Windows\system32\chcp.com
Command: chcp 437
PID:3748
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 2
- Delays execution with timeout.exe
PID:1280
-
Level 2: C:\Windows\system32\chcp.com
Command: chcp 65001
PID:4636
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:4992
-
Level 2: C:\Windows\system32\chcp.com
Command: chcp 437
PID:3428
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
PID:2676
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
PID:4488
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
PID:636
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:1524
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
PID:4056
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
PID:1120
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
PID:1084
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
PID:1684
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:4144
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
PID:4480
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
PID:1432
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:1908
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:4348
-
Level 2: C:\Windows\system32\reg.exe
Command: reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
PID:1212
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:4412
-
Level 2: C:\Windows\system32\reg.exe
Command: reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
- Modifies data under HKEY_USERS
PID:2868
-
Level 2: C:\Windows\system32\timeout.exe
Command: timeout 1
- Delays execution with timeout.exe
PID:1148
-
Level 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command: powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2080 -
C:\Windows\system32\reg.exereg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f2⤵
- Modifies visibility of file extensions in Explorer
PID:3980 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3712 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f2⤵PID:3560
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2188 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:1412
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2152 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f2⤵PID:2820
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f2⤵PID:2844
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f2⤵PID:1828
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f2⤵PID:4892
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f2⤵PID:4352
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f2⤵PID:4940
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f2⤵PID:3184
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f2⤵PID:3136
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f2⤵PID:2900
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f2⤵PID:792
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f2⤵PID:5100
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f2⤵PID:1456
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f2⤵PID:4192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4376 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1136 -
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f2⤵PID:3152
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f2⤵PID:848
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f2⤵PID:4660
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f2⤵PID:3940
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f2⤵PID:1392
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f2⤵PID:4304
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵PID:3092
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4172 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f2⤵PID:240
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f2⤵PID:388
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1892 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f2⤵PID:4664
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2244 -
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
PID:1236 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3388 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f2⤵PID:684
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f2⤵PID:3120
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f2⤵PID:2712
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3392 -
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f2⤵PID:1204
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f2⤵PID:2672
-
C:\Windows\system32\powercfg.exepowercfg.exe /hibernate off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4732 -
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵PID:3568
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵PID:1604
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3208 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:3396
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:1344
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1200 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f2⤵PID:1996
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:972 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f2⤵PID:1296
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4888 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 02⤵
- UAC bypass
PID:3724 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1452 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:1120
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1084 -
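The registry writes above are what a responder has to reason about after this script has run, and three details are easy to misread from the raw command lines. First, every `reg add ... /f` overwrites silently, so the state that survives is the last write per value (Tcpip6 DisabledComponents is set to 1 and then to 255; only 255 persists). Second, reg.exe reads a REG_DWORD `/d` argument as decimal unless it carries a `0x` prefix, so `/d 80000002` stores 80,000,002 (0x04C4B442), not the 0x80000002 the InitialKeyboardIndicators line evidently intended. Third, the sandbox's "UAC bypass" tag on `EnableLUA = 0` is a UAC disable rather than a bypass: it takes effect at the next logon and removes the consent prompt for every member of Administrators. The PowerShell `New-Item ... CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32` line is the widely used Windows 11 "classic context menu" tweak, but a per-user `HKCU\Software\Classes\CLSID\...\InprocServer32` key is also the location COM hijacking persistence uses, which is why it draws the "Modifies registry class" tag and deserves a look on any host where this ran. The following Python is an added example for this page, not tooling from the report or from the script's author: it parses the `reg add` lines, replays them last-write-wins, models reg.exe's DWORD parsing, and flags the values that matter. The SAMPLE lines are copied from the report; the FLAGS table and its wording are this example's own triage list, not sandbox signatures.

```python
"""Reconstruct the registry state the `reg add` lines above leave behind.

Added example for this page (Python, not the report's own tooling). Every
`reg add ... /f` overwrites silently, so the effective state is the last
write per (key, value): Tcpip6 DisabledComponents is set to 1 and then to
255, and only 255 survives. SAMPLE is copied from the report; FLAGS is
this example's own triage list, not a sandbox signature.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKU": "HKEY_USERS"}


@dataclass(frozen=True)
class RegWrite:
    key: str    # full key path with the hive spelled out
    name: str   # value name
    type: str   # REG_DWORD, REG_SZ, ...
    data: str   # the raw /d argument, exactly as reg.exe receives it


def tokens(cmdline: str) -> List[str]:
    """Split on whitespace but keep double-quoted spans whole. shlex is
    avoided on purpose: in POSIX mode it eats the backslashes in key paths."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline: str) -> Optional[RegWrite]:
    """Parse `reg add KEY /v NAME /t TYPE /d DATA [/f]`. Switches may appear
    in any order; the script itself writes `/f /v EnableLUA /t REG_DWORD /d 0`."""
    toks = tokens(cmdline)
    if len(toks) < 3 or toks[0].lower() not in ("reg", "reg.exe") \
            or toks[1].lower() != "add":
        return None
    hive, _, rest = toks[2].partition("\\")
    key = HIVES.get(hive.upper(), hive) + "\\" + rest
    opts: Dict[str, str] = {}
    i = 3
    while i < len(toks):
        if toks[i].lower() in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[toks[i].lower()] = toks[i + 1]
            i += 2
        else:
            i += 1  # /f and anything unrecognised take no argument
    if not {"/v", "/t", "/d"} <= set(opts):
        return None
    return RegWrite(key, opts["/v"], opts["/t"].upper(), opts["/d"])


def reg_dword(data: str) -> int:
    """What reg.exe stores for a REG_DWORD /d argument: decimal unless the
    argument has a 0x prefix. `/d 80000002` therefore stores 80,000,002
    (0x04C4B442), not 0x80000002; the InitialKeyboardIndicators line in the
    report makes exactly that mistake."""
    return int(data, 16) if data.lower().startswith("0x") else int(data, 10)


def final_state(cmdlines: List[str]) -> Dict[Tuple[str, str], RegWrite]:
    """Last write wins; keyed case-insensitively, as the registry itself is."""
    state: Dict[Tuple[str, str], RegWrite] = {}
    for line in cmdlines:
        w = parse_reg_add(line)
        if w is not None:
            state[(w.key.lower(), w.name.lower())] = w
    return state


# (lower-case key suffix, lower-case value name, predicate on /d, finding)
FLAGS = [
    ("policies\\system", "enablelua", lambda d: reg_dword(d) == 0,
     "UAC disabled (not bypassed): from the next logon every member of "
     "Administrators runs with a full token and no consent prompt"),
    ("services\\tcpip6\\parameters", "disabledcomponents",
     lambda d: reg_dword(d) & 0x10,
     "IPv6 disabled on all non-tunnel interfaces; 0xFF also drops the "
     "tunnel interfaces (0xFFFFFFFF is the value Microsoft warns against)"),
    ("\\datacollection", "allowtelemetry", lambda d: reg_dword(d) == 0,
     "AllowTelemetry=0 ('Security' level, honoured on Enterprise/Education/"
     "Server SKUs only; Pro and Home fall back to the required level)"),
    ("windows error reporting", "disabled", lambda d: reg_dword(d) == 1,
     "Windows Error Reporting off: crash reports are no longer queued"),
]


def triage(cmdlines: List[str]) -> List[str]:
    """Findings for the effective state, in first-write order."""
    findings = []
    for (key, name), w in final_state(cmdlines).items():
        for suffix, vname, pred, msg in FLAGS:
            if (key.endswith(suffix) and name == vname
                    and w.type == "REG_DWORD" and pred(w.data)):
                findings.append(f"{w.key}\\{w.name} = {w.data}: {msg}")
    return findings


# Constructed from the command lines in the report above.
SAMPLE = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0',
    r'reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f',
    r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
    print("InitialKeyboardIndicators stored as", hex(reg_dword("80000002")))
```

Run as-is it prints four findings (IPv6, UAC, telemetry, WER) and `0x4c4b442` for the keyboard value. Feeding it the full list of `reg add` lines from a report gives the effective end state rather than the write sequence, which is what belongs in a ticket; to verify on a live host, read the same keys back and compare them against `final_state()`.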
All of the following are C:\Windows\system32\sc.exe, launched one after another by the batch; sandbox tags, where present, follow the line.
sc config AJRouter start=disabled  (PID 1684)
sc config ALG start=demand  (PID 1984)
sc config AppIDSvc start=demand  (PID 4280)
sc config AppMgmt start=demand  (PID 2816)
sc config AppReadiness start=demand  (PID 1432)
sc config AppVClient start=disabled  (PID 2056)
sc config AppXSvc start=demand  (PID 1508)
sc config Appinfo start=demand  (PID 4556)
sc config AssignedAccessManagerSvc start=disabled  (PID 3572)
sc config AudioEndpointBuilder start=auto  (PID 1320)
sc config AudioSrv start=auto  (PID 1928)
sc config Audiosrv start=auto  (PID 4036)
sc config AxInstSV start=demand  (PID 2388)
sc config BDESVC start=demand  (PID 4048)
sc config BFE start=auto  (PID 652)
sc config BITS start=delayed-auto  (PID 5048)
sc config BTAGService start=demand  (PID 4348)
sc config BcastDVRUserService_dc2a4 start=demand  (PID 3328)
sc config BluetoothUserService_dc2a4 start=demand  (PID 2160)
sc config BrokerInfrastructure start=auto  (PID 1080)
  - Launches sc.exe
sc config Browser start=demand  (PID 2868)
  - Launches sc.exe
sc config BthAvctpSvc start=auto  (PID 5112)
sc config BthHFSrv start=auto  (PID 2852)
sc config CDPSvc start=demand  (PID 2728)
sc config CDPUserSvc_dc2a4 start=auto  (PID 1132)
sc config COMSysApp start=demand  (PID 3336)
sc config CaptureService_dc2a4 start=demand  (PID 4860)
sc config CertPropSvc start=demand  (PID 2632)
sc config ClipSVC start=demand  (PID 4948)
sc config ConsentUxUserSvc_dc2a4 start=demand  (PID 4464)
sc config CoreMessagingRegistrar start=auto  (PID 3160)
sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand  (PID 856)
sc config CryptSvc start=auto  (PID 3980)
sc config CscService start=demand  (PID 4760)
sc config DPS start=auto  (PID 3712)
sc config DcomLaunch start=auto  (PID 420)
sc config DcpSvc start=demand  (PID 4956)
sc config DevQueryBroker start=demand  (PID 1748)
sc config DeviceAssociationBrokerSvc_dc2a4 start=demand  (PID 1644)
sc config DeviceAssociationService start=demand  (PID 2800)
sc config DeviceInstall start=demand  (PID 2576)
  - Launches sc.exe
sc config DevicePickerUserSvc_dc2a4 start=demand  (PID 1632)
sc config DevicesFlowUserSvc_dc2a4 start=demand  (PID 4296)
sc config Dhcp start=auto  (PID 4892)
sc config DiagTrack start=disabled  (PID 3996)
sc config DialogBlockingService start=disabled  (PID 3172)
sc config DispBrokerDesktopSvc start=auto  (PID 2292)
  - Launches sc.exe
sc config DisplayEnhancementService start=demand  (PID 4352)
sc config DmEnrollmentSvc start=demand  (PID 3136)
sc config Dnscache start=auto  (PID 2704)
  - Launches sc.exe
sc config DoSvc start=delayed-auto  (PID 1496)
sc config DsSvc start=demand  (PID 792)
sc config DsmSvc start=demand  (PID 1736)
sc config DusmSvc start=auto  (PID 4960)
sc config EFS start=demand  (PID 768)
sc config EapHost start=demand  (PID 3188)
  - Launches sc.exe
sc config EntAppSvc start=demand  (PID 936)
sc config EventLog start=auto  (PID 3592)
sc config EventSystem start=auto  (PID 5016)
  - Launches sc.exe
sc config FDResPub start=demand  (PID 4816)
sc config Fax start=demand  (PID 1668)
sc config FontCache start=auto  (PID 4844)
sc config FrameServer start=demand  (PID 2864)
sc config FrameServerMonitor start=demand  (PID 4984)
  - Launches sc.exe
sc config GraphicsPerfSvc start=demand  (PID 3180)
sc config HomeGroupListener start=demand  (PID 4652)
sc config HomeGroupProvider start=demand  (PID 4388)
sc config HvHost start=demand  (PID 848)
sc config IEEtwCollectorService start=demand  (PID 4628)
sc config IKEEXT start=demand  (PID 3356)
sc config InstallService start=demand  (PID 3316)
sc config InventorySvc start=demand  (PID 4228)
sc config IpxlatCfgSvc start=demand  (PID 3092)
  - Launches sc.exe
sc config KeyIso start=auto  (PID 4172)
  - Launches sc.exe
sc config KtmRm start=demand  (PID 1240)
sc config LSM start=auto  (PID 3788)
sc config LanmanServer start=auto  (PID 3580)
sc config LanmanWorkstation start=auto  (PID 2312)
sc config LicenseManager start=demand  (PID 4664)
sc config LxpSvc start=demand  (PID 4508)
sc config MSDTC start=demand  (PID 384)
  - Launches sc.exe
sc config MSiSCSI start=demand  (PID 3044)
  - Launches sc.exe
sc config MapsBroker start=delayed-auto  (PID 2692)
  - Launches sc.exe
sc config McpManagementService start=demand  (PID 1236)
sc config MessagingService_dc2a4 start=demand  (PID 1040)
sc config MicrosoftEdgeElevationService start=demand  (PID 3888)
sc config MixedRealityOpenXRSvc start=demand  (PID 2340)
sc config MpsSvc start=auto  (PID 3696)
sc config MsKeyboardFilter start=demand  (PID 1832)
sc config NPSMSvc_dc2a4 start=demand  (PID 900)
sc config NaturalAuthentication start=demand  (PID 1596)
sc config NcaSvc start=demand  (PID 828)
sc config NcbService start=demand  (PID 4568)
sc config NcdAutoSetup start=demand  (PID 3088)
sc config NetSetupSvc start=demand  (PID 4732)
sc config NetTcpPortSharing start=disabled  (PID 3568)
  - Launches sc.exe
sc config Netlogon start=demand  (PID 1604)
sc config Netman start=demand  (PID 3208)
sc config NgcCtnrSvc start=demand  (PID 3396)
sc config NgcSvc start=demand  (PID 1440)
  - Launches sc.exe
sc config NlaSvc start=demand  (PID 4432)
sc config OneSyncSvc_dc2a4 start=auto  (PID 2500)
  - Launches sc.exe
sc config P9RdrService_dc2a4 start=demand  (PID 3360)
sc config PNRPAutoReg start=demand  (PID 972)
sc config PNRPsvc start=demand  (PID 4788)
sc config PcaSvc start=demand  (PID 1324)
sc config PeerDistSvc start=demand  (PID 4476)
sc config PenService_dc2a4 start=demand  (PID 924)
sc config PerfHost start=demand  (PID 4776)
sc config PhoneSvc start=demand  (PID 2596)
sc config PimIndexMaintenanceSvc_dc2a4 start=demand  (PID 3748)
sc config PlugPlay start=demand  (PID 4832)
sc config PolicyAgent start=demand  (PID 4176)
sc config Power start=auto  (PID 2420)
sc config PrintNotify start=demand  (PID 4912)
sc config PrintWorkflowUserSvc_dc2a4 start=demand  (PID 2832)
  - Launches sc.exe
sc config ProfSvc start=auto  (PID 1524)
sc config PushToInstall start=demand  (PID 3724)
sc config QWAVE start=demand  (PID 5000)
  - Launches sc.exe
sc config RasAuto start=demand  (PID 4484)
  - Launches sc.exe
sc config RasMan start=demand  (PID 1292)
sc config RemoteAccess start=disabled  (PID 4972)
sc config RemoteRegistry start=disabled  (PID 2036)
sc config RetailDemo start=demand  (PID 2304)
sc config RmSvc start=demand  (PID 4980)
sc config RpcEptMapper start=auto  (PID 2720)
sc config RpcLocator start=demand  (PID 2072)
  - Launches sc.exe
sc config RpcSs start=auto  (PID 4136)
sc config SCPolicySvc start=demand  (PID 4736)
sc config SCardSvr start=demand  (PID 1908)
sc config SDRSVC start=demand  (PID 4224)
sc config SEMgrSvc start=demand  (PID 2356)
sc config SENS start=auto  (PID 3460)
sc config SNMPTRAP start=demand  (PID 3056)
sc config SNMPTrap start=demand  (PID 1928)
sc config SSDPSRV start=demand  (PID 4036)
sc config SamSs start=auto  (PID 3804)
sc config ScDeviceEnum start=demand  (PID 4836)
sc config Schedule start=auto  (PID 4000)
sc config SecurityHealthService start=demand  (PID 2896)
sc config Sense start=demand  (PID 1212)
sc config SensorDataService start=demand  (PID 2456)
sc config SensorService start=demand  (PID 1080)
sc config SensrSvc start=demand  (PID 2868)
sc config SessionEnv start=demand  (PID 2768)
sc config SgrmBroker start=auto  (PID 2328)
sc config SharedAccess start=demand  (PID 2728)
sc config SharedRealitySvc start=demand  (PID 1132)
sc config ShellHWDetection start=auto  (PID 3408)
sc config SmsRouter start=demand  (PID 852)
sc config Spooler start=auto  (PID 4772)
sc config SstpSvc start=demand  (PID 4180)
sc config StateRepository start=demand  (PID 4372)
sc config StiSvc start=demand  (PID 5024)
sc config StorSvc start=demand  (PID 656)
sc config SysMain start=auto  (PID 856)
sc config SystemEventsBroker start=auto  (PID 3980)
sc config TabletInputService start=demand  (PID 1756)
sc config TapiSrv start=demand  (PID 2920)
  - Launches sc.exe
sc config TermService start=auto  (PID 420)
sc config TextInputManagementService start=demand  (PID 4956)
sc config Themes start=auto  (PID 1748)
sc config TieringEngineService start=demand  (PID 2152)
sc config TimeBroker start=demand  (PID 2800)
sc config TimeBrokerSvc start=demand  (PID 2576)
sc config TokenBroker start=demand  (PID 1916)
sc config TrkWks start=auto  (PID 4296)
  - Launches sc.exe
sc config TroubleshootingSvc start=demand  (PID 4676)
sc config TrustedInstaller start=demand  (PID 3344)
sc config UI0Detect start=demand  (PID 3172)
sc config UdkUserSvc_dc2a4 start=demand  (PID 2292)
sc config UevAgentService start=disabled  (PID 4352)
sc config UmRdpService start=demand  (PID 4072)
  - Launches sc.exe
sc config UnistoreSvc_dc2a4 start=demand  (PID 880)
sc config UserDataSvc_dc2a4 start=demand  (PID 1496)
sc config UserManager start=auto  (PID 1456)
sc config UsoSvc start=demand  (PID 4192)
sc config VGAuthService start=auto  (PID 4960)
sc config VMTools start=auto  (PID 4864)
sc config VSS start=demand  (PID 3576)
sc config VacSvc start=demand  (PID 4364)
sc config VaultSvc start=auto  (PID 4988)
sc config W32Time start=demand  (PID 3896)
sc config WEPHOSTSVC start=demand  (PID 4656)
  - Launches sc.exe
sc config WFDSConMgrSvc start=demand  (PID 2180)
  - Launches sc.exe
sc config WMPNetworkSvc start=demand  (PID 4376)
sc config WManSvc start=demand  (PID 2044)
sc config WPDBusEnum start=demand  (PID 4984)
  - Launches sc.exe
sc config WSService start=demand  (PID 3180)
sc config WSearch start=delayed-auto  (PID 3860)
sc config WaaSMedicSvc start=demand  (PID 4388)
sc config WalletService start=demand  (PID 848)
sc config WarpJITSvc start=demand  (PID 1444)
  - Launches sc.exe
sc config WbioSrvc start=demand  (PID 3356)
sc config Wcmsvc start=auto  (PID 3316)
sc config WcsPlugInService start=demand  (PID 4228)
sc config WdNisSvc start=demand  (PID 2380)
sc config WdiServiceHost start=demand  (PID 4172)
  - Launches sc.exe
sc config WdiSystemHost start=demand  (PID 1920)
sc config WebClient start=demand  (PID 388)
sc config Wecsvc start=demand  (PID 3580)
sc config WerSvc start=demand  (PID 3200)
sc config WiaRpc start=demand  (PID 1772)
sc config WinDefend start=auto  (PID 3064)
sc config WinHttpAutoProxySvc start=demand  (PID 4904)
sc config WinRM start=demand  (PID 2772)
sc config Winmgmt start=auto  (PID 3132)
sc config WlanSvc start=auto  (PID 3388)
sc config WpcMonSvc start=demand  (PID 3524)
sc config WpnService start=demand  (PID 2952)
sc config WpnUserService_dc2a4 start=auto  (PID 2340)
sc config WwanSvc start=demand  (PID 2712)
  - Launches sc.exe
sc config XblAuthManager start=demand  (PID 4428)
sc config XblGameSave start=demand  (PID 4448)
sc config XboxGipSvc start=demand  (PID 1492)
sc config XboxNetApiSvc start=demand  (PID 1204)
sc config autotimesvc start=demand  (PID 2448)
sc config bthserv start=demand  (PID 2716)
sc config camsvc start=demand  (PID 3088)
sc config cbdhsvc_dc2a4 start=demand  (PID 4732)
sc config cloudidsvc start=demand  (PID 3568)
sc config dcsvc start=demand  (PID 4632)
  - Launches sc.exe
sc config defragsvc start=demand  (PID 2196)
sc config diagnosticshub.standardcollector.service start=demand  (PID 1692)
sc config diagsvc start=demand  (PID 2416)
sc config dmwappushservice start=demand  (PID 1200)
sc config dot3svc start=demand  (PID 3480)
sc config edgeupdate start=demand  (PID 2792)
  - Launches sc.exe
sc config edgeupdatem start=demand  (PID 1868)
sc config embeddedmode start=demand  (PID 1296)
sc config fdPHost start=demand  (PID 4976)
sc config fhsvc start=demand  (PID 1324)
sc config gpsvc start=auto  (PID 4476)
sc config hidserv start=demand  (PID 924)
sc config icssvc start=demand  (PID 4776)
sc config iphlpsvc start=auto  (PID 3752)
sc config lfsvc start=demand  (PID 3748)
sc config lltdsvc start=demand  (PID 4832)
sc config lmhosts start=demand  (PID 228)
sc config mpssvc start=auto  (PID 2220)
sc config msiserver start=demand  (PID 4620)
sc config netprofm start=demand  (PID 4888)
sc config nsi start=auto  (PID 1648)
sc config p2pimsvc start=demand  (PID 2256)
sc config p2psvc start=demand  (PID 2224)
sc config perceptionsimulation start=demand  (PID 2848)
sc config pla start=demand  (PID 1452)
sc config seclogon start=demand  (PID 4972)
sc config shpamsvc start=disabled  (PID 2008)
  - Launches sc.exe
sc config smphost start=demand  (PID 1084)
  - Launches sc.exe
sc config spectrum start=demand  (PID 1684)
sc config sppsvc start=delayed-auto  (PID 1984)
sc config ssh-agent start=disabled  (PID 4064)
sc config svsvc start=demand  (PID 4444)
sc config swprv start=demand  (PID 3464)
sc config tiledatamodelsvc start=auto  (PID 4624)
sc config tzautoupdate start=disabled  (PID 2552)
sc config uhssvc start=disabled  (PID 4224)
sc config upnphost start=demand  (PID 2356)
  - Launches sc.exe
sc config vds start=demand  (PID 3572)
sc config vm3dservice start=demand  (PID 4696)
sc config vmicguestinterface start=demand  (PID 1352)
sc config vmicheartbeat start=demand  (PID 3932)
sc config vmickvpexchange start=demand  (PID 4048)
sc config vmicrdv start=demand  (PID 652)
sc config vmicshutdown start=demand  (PID 5048)
  - Launches sc.exe
sc config vmictimesync start=demand  (PID 2116)
sc config vmicvmsession start=demand  (PID 4412)
sc config vmicvss start=demand  (PID 2160)
sc config vmvss start=demand  (PID 4240)
sc config wbengine start=demand  (PID 1148)
sc config wcncsvc start=demand  (PID 2768)
sc config webthreatdefsvc start=demand  (PID 2328)
sc config webthreatdefusersvc_dc2a4 start=auto  (PID 2728)
sc config wercplsupport start=demand  (PID 1132)
sc config wisvc start=demand  (PID 4860)
sc config wlidsvc start=demand  (PID 2632)
sc config wlpasvc start=demand  (PID 4948)
sc config wmiApSrv start=demand  (PID 4464)
sc config workfolderssvc start=demand  (PID 3160)
sc config wscsvc start=delayed-auto  (PID 2068)
sc config wuauserv start=demand  (PID 3168)
sc config wudfsvc start=demand  (PID 2616)
C:\Windows\system32\timeout.exe  timeout 1  (PID 3712)
  - Delays execution with timeout.exe
C:\Windows\system32\timeout.exe  timeout 1  (PID 2920)
  - Delays execution with timeout.exe
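Two things are worth pulling out of the run of sc.exe launches above before any of it goes into a report. The first is which start types were requested for services that bear on remote access, updating, antivirus and logging: RemoteRegistry, RemoteAccess and ssh-agent are set to disabled, WinRM and Sense to demand, wuauserv to demand, WinDefend and EventLog to auto, DiagTrack to disabled. The second is whether sc.exe accepted the commands at all. Its documented syntax is `start= <type>`, with a space after the equals sign, and a single token such as `start=demand` makes sc print its usage text and change nothing; the HomeGroup services named at two points in the tree were removed from Windows in version 1803 and cannot be reconfigured on this Windows 11 image either way. A tree full of `start=demand` lines therefore records intent, and the effect has to be confirmed on the host from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start`. One more detail: the `_dc2a4` suffix on CDPUserSvc, WpnUserService and the other per-user services identifies one logon session on the sandbox VM, so detections should key on the template name. The Python below is an added example for this page, not tooling from the report or the script's author; it parses the `sc config` lines, normalises per-user service names, records the last requested start type per service, and separates commands sc.exe would have rejected. The SAMPLE lines are copied from the report except the last, which is constructed with the documented spacing for contrast, and the WATCHLIST grouping is this example's own.

```python
"""Summarise the `sc config <service> start=<type>` run above.

Added example for this page (Python, not the report's own tooling). The
documented sc.exe syntax is `start= <type>` with a space after the equals
sign; a single token such as `start=demand` makes sc print its usage text
and change nothing, so the tree records intent rather than effect.
"""
import re
from typing import Dict, List, Optional, Tuple

START_TYPES = {"boot", "system", "auto", "demand", "disabled", "delayed-auto"}

# Services worth calling out by name; this grouping is the example's own.
# Keys are lower-case because the service controller matches names
# case-insensitively (the report issues both SNMPTRAP and SNMPTrap).
WATCHLIST = {
    "remoteregistry": "Remote Registry",
    "remoteaccess": "Routing and Remote Access",
    "ssh-agent": "OpenSSH Authentication Agent",
    "termservice": "Remote Desktop Services",
    "winrm": "Windows Remote Management",
    "windefend": "Microsoft Defender Antivirus",
    "sense": "Defender for Endpoint sensor",
    "wuauserv": "Windows Update",
    "eventlog": "Windows Event Log",
    "diagtrack": "Connected User Experiences and Telemetry",
}

SC_RE = re.compile(r"^(?:sc|sc\.exe)\s+config\s+(\S+)\s+start=(\s*)(\S+)\s*$", re.I)
PER_USER_RE = re.compile(r"^(.+)_[0-9a-f]{4,}$", re.I)


def template_name(service: str) -> str:
    """Per-user services are instantiated as <Template>_<hex suffix> for one
    logon session (CDPUserSvc_dc2a4 here). The suffix differs on every host
    and logon, so detections and tickets should name the template."""
    m = PER_USER_RE.match(service)
    return m.group(1) if m else service


def parse_sc_config(cmdline: str) -> Optional[Tuple[str, str, bool]]:
    """(service, requested start type, accepted); accepted is False when the
    space after `start=` is missing or the type is not one sc.exe knows."""
    m = SC_RE.match(cmdline.strip())
    if m is None:
        return None
    service, gap, start = m.group(1), m.group(2), m.group(3).lower()
    return service, start, bool(gap) and start in START_TYPES


def summarize(cmdlines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Last requested start type per template service name (lower-cased),
    plus the command lines sc.exe would have rejected."""
    requested: Dict[str, str] = {}
    rejected: List[str] = []
    for line in cmdlines:
        parsed = parse_sc_config(line)
        if parsed is None:
            continue
        service, start, accepted = parsed
        requested[template_name(service).lower()] = start
        if not accepted:
            rejected.append(line)
    return requested, rejected


def watchlist_hits(requested: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(service, requested start type, description) for watch-listed services."""
    return [(name, requested[name], desc)
            for name, desc in WATCHLIST.items() if name in requested]


# Copied from the report, except the last line, which is constructed with
# the documented spacing so the accepted/rejected split is visible.
SAMPLE = [
    "sc config RemoteRegistry start=disabled",
    "sc config ssh-agent start=disabled",
    "sc config WinDefend start=auto",
    "sc config wuauserv start=demand",
    "sc config DiagTrack start=disabled",
    "sc config SNMPTRAP start=demand",
    "sc config SNMPTrap start=demand",
    "sc config CDPUserSvc_dc2a4 start=auto",
    "sc config WpnUserService_dc2a4 start=auto",
    "sc config RemoteAccess start= disabled",  # constructed: documented spacing
]

if __name__ == "__main__":
    requested, rejected = summarize(SAMPLE)
    print(f"{len(rejected)} of {len(SAMPLE)} lines would be rejected by sc.exe")
    for name, start, desc in watchlist_hits(requested):
        print(f"{desc:45} requested start={start}")
```

On the sample this reports nine of ten lines as rejected and lists the six watch-listed services with their requested start types. Whether you treat the rejected lines as "no change" or as "unknown" should depend on a read-back of the `Start` values on the affected host, not on the command lines alone.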
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable  (PID 1412)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable  (PID 3012)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable  (PID 1644)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable  (PID 2812)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable  (PID 2576)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable  (PID 2844)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable  (PID 3996)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable  (PID 4344)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable  (PID 3172)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable  (PID 2292)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable  (PID 1336)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable  (PID 2704)
C:\Windows\system32\schtasks.exe  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable  (PID 792)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f  (PID 1736)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f  (PID 4192)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f  (PID 4960)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f  (PID 4864)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f  (PID 3544)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f  (PID 824)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f  (PID 4816)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f  (PID 1668)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f  (PID 2180)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f  (PID 2028)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f  (PID 3204)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f  (PID 3180)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f  (PID 2556)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f  (PID 3940)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f  (PID 1392)
C:\Windows\system32\reg.exe  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f  (PID 3356)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f  (PID 3280)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f  (PID 240)
C:\Windows\system32\reg.exe  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f  (PID 388)
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f2⤵PID:1780
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f2⤵PID:384
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f2⤵PID:3756
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f2⤵PID:1040
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f2⤵PID:3120
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f2⤵PID:2228
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f2⤵PID:2712
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f2⤵PID:2652
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f2⤵PID:1596
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f2⤵PID:1204
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f2⤵PID:2128
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f2⤵PID:2996
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f2⤵PID:4732
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f2⤵PID:1604
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f2⤵PID:3208
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f2⤵PID:1344
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f2⤵PID:2416
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f2⤵PID:1180
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f2⤵PID:5040
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f2⤵PID:4536
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f2⤵PID:1296
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f2⤵PID:3284
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2412 -
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootmenupolicy Legacy2⤵
- Modifies boot configuration data using bcdedit
PID:924 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"2⤵PID:4776
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild3⤵PID:2624
-
C:\Windows\system32\findstr.exefindstr /r /c:"CurrentBuild"3⤵PID:3748
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:228 -
C:\Windows\system32\Taskmgr.exe"C:\Windows\system32\Taskmgr.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2252 -
C:\Windows\system32\timeout.exetimeout /t 22⤵
- Delays execution with timeout.exe
PID:1084 -
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences2⤵PID:3160
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
PID:4756 -
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f2⤵PID:3012
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1644 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"2⤵PID:4452
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2900 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4816 -
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1444 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"2⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:3332 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2952 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:3696
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:1832
-
C:\Windows\system32\curl.execurl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"2⤵PID:4448
-
C:\Windows\system32\curl.execurl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"2⤵PID:2100
-
C:\Oneclick Tools\OOShutup10\OOSU10.exe"C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet2⤵
- Modifies security service
- Executes dropped EXE
- Modifies Control Panel
- Modifies registry class
- System policy modification
PID:3396 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1324 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:400
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1228 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:4832
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:5012 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:1564
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:5000
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1652
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3748
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2008
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:2220
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:3724
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:1656
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f2⤵PID:2036
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f2⤵PID:636
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f2⤵PID:1212
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f2⤵PID:2316
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f2⤵PID:2564
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f2⤵PID:4996
-
C:\Windows\system32\sc.exesc config wlidsvc start= disabled2⤵PID:3408
-
C:\Windows\system32\sc.exesc config DisplayEnhancementService start= disabled2⤵PID:2632
-
C:\Windows\system32\sc.exesc config DiagTrack start= disabled2⤵
- Launches sc.exe
PID:4180 -
C:\Windows\system32\sc.exesc config DusmSvc start= disabled2⤵PID:1848
-
C:\Windows\system32\sc.exesc config TabletInputService start= disabled2⤵PID:744
-
C:\Windows\system32\sc.exesc config RetailDemo start= disabled2⤵
- Launches sc.exe
PID:1084 -
C:\Windows\system32\sc.exesc config Fax start= disabled2⤵PID:4152
-
C:\Windows\system32\sc.exesc config SharedAccess start= disabled2⤵PID:3980
-
C:\Windows\system32\sc.exesc config lfsvc start= disabled2⤵PID:3384
-
C:\Windows\system32\sc.exesc config WpcMonSvc start= disabled2⤵
- Launches sc.exe
PID:1984 -
C:\Windows\system32\sc.exesc config SessionEnv start= disabled2⤵PID:4480
-
C:\Windows\system32\sc.exesc config MicrosoftEdgeElevationService start= disabled2⤵PID:4412
-
C:\Windows\system32\sc.exesc config edgeupdate start= disabled2⤵PID:2816
-
C:\Windows\system32\sc.exesc config edgeupdatem start= disabled2⤵PID:856
-
C:\Windows\system32\sc.exesc config autotimesvc start= disabled2⤵PID:1080
-
C:\Windows\system32\sc.exesc config CscService start= disabled2⤵
- Launches sc.exe
PID:2644 -
C:\Windows\system32\sc.exesc config TermService start= disabled2⤵PID:3184
-
C:\Windows\system32\sc.exesc config SensorDataService start= disabled2⤵PID:4344
-
C:\Windows\system32\sc.exesc config SensorService start= disabled2⤵PID:3832
-
C:\Windows\system32\sc.exesc config SensrSvc start= disabled2⤵PID:4296
-
C:\Windows\system32\sc.exesc config shpamsvc start= disabled2⤵
- Launches sc.exe
PID:3652 -
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start= disabled2⤵PID:2844
-
C:\Windows\system32\sc.exesc config PhoneSvc start= disabled2⤵PID:4892
-
C:\Windows\system32\sc.exesc config TapiSrv start= disabled2⤵PID:4352
-
C:\Windows\system32\sc.exesc config UevAgentService start= disabled2⤵
- Launches sc.exe
PID:1828 -
C:\Windows\system32\sc.exesc config WalletService start= disabled2⤵PID:4896
-
C:\Windows\system32\sc.exesc config TokenBroker start= disabled2⤵PID:936
-
C:\Windows\system32\sc.exesc config WebClient start= disabled2⤵
- Launches sc.exe
PID:1556 -
C:\Windows\system32\sc.exesc config MixedRealityOpenXRSvc start= disabled2⤵PID:1456
-
C:\Windows\system32\sc.exesc config stisvc start= disabled2⤵PID:3768
-
C:\Windows\system32\sc.exesc config WbioSrvc start= disabled2⤵PID:1736
-
C:\Windows\system32\sc.exesc config icssvc start= disabled2⤵PID:4864
-
C:\Windows\system32\sc.exesc config Wecsvc start= disabled2⤵PID:4364
-
C:\Windows\system32\sc.exesc config XboxGipSvc start= disabled2⤵PID:892
-
C:\Windows\system32\sc.exesc config XblAuthManager start= disabled2⤵PID:3136
-
C:\Windows\system32\sc.exesc config XboxNetApiSvc start= disabled2⤵PID:4648
-
C:\Windows\system32\sc.exesc config XblGameSave start= disabled2⤵
- Launches sc.exe
PID:3204 -
C:\Windows\system32\sc.exesc config SEMgrSvc start= disabled2⤵PID:4660
-
C:\Windows\system32\sc.exesc config iphlpsvc start= disabled2⤵PID:3152
-
C:\Windows\system32\sc.exesc config Backupper Service start= disabled2⤵PID:3324
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start= disabled2⤵PID:2864
-
C:\Windows\system32\sc.exesc config BDESVC start= disabled2⤵PID:1136
-
C:\Windows\system32\sc.exesc config cbdhsvc start= disabled2⤵PID:3940
-
C:\Windows\system32\sc.exesc config CDPSvc start= disabled2⤵PID:4816
-
C:\Windows\system32\sc.exesc config CDPUserSvc start= disabled2⤵PID:3316
-
C:\Windows\system32\sc.exesc config DevQueryBroker start= disabled2⤵PID:2244
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc start= disabled2⤵PID:384
-
C:\Windows\system32\sc.exesc config dmwappushservice start= disabled2⤵PID:1444
-
C:\Windows\system32\sc.exesc config DispBrokerDesktopSvc start= disabled2⤵PID:4416
-
C:\Windows\system32\sc.exesc config TrkWks start= disabled2⤵PID:4228
-
C:\Windows\system32\sc.exesc config dLauncherLoopback start= disabled2⤵PID:3044
-
C:\Windows\system32\sc.exesc config EFS start= disabled2⤵PID:3388
-
C:\Windows\system32\sc.exesc config fdPHost start= disabled2⤵PID:1040
-
C:\Windows\system32\sc.exesc config FDResPub start= disabled2⤵PID:3120
-
C:\Windows\system32\sc.exesc config IKEEXT start= disabled2⤵PID:2228
-
C:\Windows\system32\sc.exesc config NPSMSvc start= disabled2⤵PID:900
-
C:\Windows\system32\sc.exesc config WPDBusEnum start= disabled2⤵PID:3332
-
C:\Windows\system32\sc.exesc config PcaSvc start= disabled2⤵PID:2448
-
C:\Windows\system32\sc.exesc config RasMan start= disabled2⤵PID:2652
-
C:\Windows\system32\sc.exesc config RetailDemo start=disabled2⤵PID:2928
-
C:\Windows\system32\sc.exesc config SstpSvc start=disabled2⤵PID:2200
-
C:\Windows\system32\sc.exesc config ShellHWDetection start= disabled2⤵PID:1604
-
C:\Windows\system32\sc.exesc config SSDPSRV start= disabled2⤵
- Launches sc.exe
PID:1204 -
C:\Windows\system32\sc.exesc config SysMain start= disabled2⤵PID:1692
-
C:\Windows\system32\sc.exesc config OneSyncSvc start= disabled2⤵PID:1144
-
C:\Windows\system32\sc.exesc config lmhosts start= disabled2⤵PID:1180
-
C:\Windows\system32\sc.exesc config UserDataSvc start= disabled2⤵PID:2416
-
C:\Windows\system32\sc.exesc config UnistoreSvc start= disabled2⤵PID:1996
-
C:\Windows\system32\sc.exesc config Wcmsvc start= disabled2⤵PID:3360
-
C:\Windows\system32\sc.exesc config FontCache start= disabled2⤵PID:2988
-
C:\Windows\system32\sc.exesc config W32Time start= disabled2⤵PID:4788
-
C:\Windows\system32\sc.exesc config tzautoupdate start= disabled2⤵PID:4724
-
C:\Windows\system32\sc.exesc config DsSvc start= disabled2⤵PID:2412
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_5f1ad start= disabled2⤵PID:924
-
C:\Windows\system32\sc.exesc config diagsvc start= disabled2⤵PID:4176
-
C:\Windows\system32\sc.exesc config DialogBlockingService start= disabled2⤵
- Launches sc.exe
PID:4832 -
C:\Windows\system32\sc.exesc config PimIndexMaintenanceSvc_5f1ad start= disabled2⤵PID:4460
-
C:\Windows\system32\sc.exesc config MessagingService_5f1ad start= disabled2⤵
- Launches sc.exe
PID:1112 -
C:\Windows\system32\sc.exesc config AppVClient start= disabled2⤵PID:5012
-
C:\Windows\system32\sc.exesc config MsKeyboardFilter start= disabled2⤵PID:1564
-
C:\Windows\system32\sc.exesc config NetTcpPortSharing start= disabled2⤵PID:4056
-
C:\Windows\system32\sc.exesc config ssh-agent start= disabled2⤵
- Launches sc.exe
PID:4952 -
C:\Windows\system32\sc.exesc config SstpSvc start= disabled2⤵PID:4620
-
C:\Windows\system32\sc.exesc config OneSyncSvc_5f1ad start= disabled2⤵PID:4792
-
C:\Windows\system32\sc.exesc config wercplsupport start= disabled2⤵PID:4384
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start= disabled2⤵PID:2220
-
C:\Windows\system32\sc.exesc config WerSvc start= disabled2⤵PID:1864
-
C:\Windows\system32\sc.exesc config WpnUserService_5f1ad start= disabled2⤵PID:1120
-
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start= disabled2⤵PID:4160
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDInstallLauncher" /f2⤵PID:5112
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDLinkUpdate" /f2⤵PID:1536
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f2⤵PID:3156
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "Driver Easy Scheduled Scan" /f2⤵PID:4360
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "ModifyLinkUpdate" /f2⤵PID:1560
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "SoftMakerUpdater" /f2⤵PID:3692
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "StartCN" /f2⤵PID:2632
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "StartDVR" /f2⤵PID:2664
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable2⤵PID:4144
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable2⤵PID:2068
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable2⤵PID:2072
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable2⤵PID:3980
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable2⤵PID:1432
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable2⤵PID:4280
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable2⤵PID:1884
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable2⤵PID:1580
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable2⤵PID:4756
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable2⤵PID:2152
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable2⤵PID:4676
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable2⤵PID:3184
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable2⤵PID:3312
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable2⤵PID:2588
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable2⤵PID:1632
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable2⤵PID:3192
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable2⤵PID:4892
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable2⤵PID:2608
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable2⤵PID:4192
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable2⤵PID:3576
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable2⤵PID:4988
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable2⤵PID:1496
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable2⤵PID:792
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable2⤵PID:4088
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable2⤵PID:4864
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable2⤵PID:3368
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable2⤵PID:4644
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable2⤵PID:3860
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable2⤵PID:3204
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable2⤵PID:4660
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable2⤵PID:3964
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable2⤵PID:2044
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable2⤵PID:4936
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵PID:4304
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵PID:4332
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable2⤵PID:1780
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable2⤵PID:388
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable2⤵PID:3132
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable2⤵PID:4112
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable2⤵PID:4416
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable2⤵PID:2312
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable2⤵PID:2340
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable2⤵PID:3008
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable2⤵PID:2228
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable2⤵PID:1788
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable2⤵PID:1492
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable2⤵PID:3088
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable2⤵PID:4436
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable2⤵PID:2128
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable2⤵PID:3208
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable2⤵PID:1692
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable2⤵PID:4976
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable2⤵PID:1440
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable2⤵PID:1996
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable2⤵PID:972
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable2⤵PID:3428
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable2⤵PID:1324
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable2⤵PID:400
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable2⤵PID:1228
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable2⤵PID:4176
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable2⤵PID:4832
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable2⤵PID:4460
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable2⤵PID:2132
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable2⤵PID:2224
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable2⤵PID:3528
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable2⤵PID:4952
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable2⤵PID:4620
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable2⤵PID:4792
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable2⤵PID:1292
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable2⤵PID:1452
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable2⤵PID:3724
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable2⤵PID:2036
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable2⤵PID:4240
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable2⤵PID:1536
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable2⤵PID:3156
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable2⤵PID:4360
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable2⤵PID:1560
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable2⤵PID:3692
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2632 -
C:\Windows\system32\sc.exesc stop uhssvc2⤵PID:744
-
C:\Windows\system32\sc.exesc stop upfc2⤵PID:4144
-
C:\Windows\system32\sc.exesc stop PushToInstall2⤵PID:1084
-
C:\Windows\system32\sc.exesc stop BITS2⤵PID:4152
-
C:\Windows\system32\sc.exesc stop InstallService2⤵PID:2304
-
C:\Windows\system32\sc.exesc stop uhssvc2⤵PID:4000
-
C:\Windows\system32\sc.exesc stop UsoSvc2⤵PID:1432
-
C:\Windows\system32\sc.exesc stop wuauserv2⤵PID:4736
-
C:\Windows\system32\sc.exesc stop LanmanServer2⤵PID:4412
-
C:\Windows\system32\sc.exesc config BITS start= disabled2⤵PID:2384
- C:\Windows\system32\sc.exe: sc config InstallService start= disabled (PID 856, level 2)
- C:\Windows\system32\sc.exe: sc config uhssvc start= disabled (PID 3996, level 2)
- C:\Windows\system32\sc.exe: sc config UsoSvc start= disabled (PID 2644, level 2)
- C:\Windows\system32\sc.exe: sc config wuauserv start= disabled (PID 4440, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config LanmanServer start= disabled (PID 2292, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f (PID 2800, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f (PID 2576, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f (PID 2844, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f (PID 4604, level 2)
  - Modifies security service
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f (PID 768, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f (PID 4960, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f (PID 936, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f (PID 3896, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f (PID 2704, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f (PID 3768, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f (PID 1736, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f (PID 3000, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f (PID 1336, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable (PID 4072, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable (PID 4652, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable (PID 4628, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable (PID 4376, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable (PID 4844, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable (PID 4984, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable (PID 3776, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable (PID 4656, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable (PID 4816, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable (PID 3316, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable (PID 2244, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable (PID 384, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3308, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config RemoteRegistry start= disabled (PID 1920, level 2)
- C:\Windows\system32\sc.exe: sc config RemoteAccess start= disabled (PID 3356, level 2)
- C:\Windows\system32\sc.exe: sc config WinRM start= disabled (PID 4428, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config RmSvc start= disabled (PID 2340, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3008, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config PrintNotify start= disabled (PID 2228, level 2)
- C:\Windows\system32\sc.exe: sc config Spooler start= disabled (PID 2448, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable (PID 2996, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable (PID 828, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3968, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config PrintNotify start= disabled (PID 2200, level 2)
- C:\Windows\system32\sc.exe: sc config Spooler start= disabled (PID 2548, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 1992, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config NlaSvc start= disabled (PID 1144, level 2)
- C:\Windows\system32\sc.exe: sc config LanmanWorkstation start= disabled (PID 1344, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config BFE start= demand (PID 4976, level 2)
- C:\Windows\system32\sc.exe: sc config Dnscache start= demand (PID 1440, level 2)
- C:\Windows\system32\sc.exe: sc config WinHttpAutoProxySvc start= demand (PID 2792, level 2)
- C:\Windows\system32\sc.exe: sc config Dhcp start= auto (PID 2516, level 2)
- C:\Windows\system32\sc.exe: sc config DPS start= auto (PID 4788, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config lmhosts start= disabled (PID 2360, level 2)
- C:\Windows\system32\sc.exe: sc config nsi start= auto (PID 1324, level 2)
- C:\Windows\system32\sc.exe: sc config Wcmsvc start= disabled (PID 984, level 2)
- C:\Windows\system32\sc.exe: sc config Winmgmt start= auto (PID 924, level 2)
- C:\Windows\system32\sc.exe: sc config WlanSvc start= demand (PID 4200, level 2)
- C:\Windows\system32\reg.exe: reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f (PID 4176, level 2)
- C:\Windows\system32\reg.exe: reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f (PID 4832, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable (PID 4460, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable (PID 2132, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable (PID 2224, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable (PID 4484, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 4868, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\chcp.com: chcp 65001 (PID 2420, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 1648, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\chcp.com: chcp 65001 (PID 2220, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3352, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\chcp.com: chcp 437 (PID 1120, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3364, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config ALG start=disabled (PID 1148, level 2)
- C:\Windows\system32\sc.exe: sc config AJRouter start=disabled (PID 1536, level 2)
- C:\Windows\system32\sc.exe: sc config XblAuthManager start=disabled (PID 3156, level 2)
- C:\Windows\system32\sc.exe: sc config XblGameSave start=disabled (PID 4996, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config XboxNetApiSvc start=disabled (PID 4772, level 2)
- C:\Windows\system32\sc.exe: sc config WSearch start=disabled (PID 4464, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config lfsvc start=disabled (PID 3692, level 2)
- C:\Windows\system32\sc.exe: sc config RemoteRegistry start=disabled (PID 2632, level 2)
- C:\Windows\system32\sc.exe: sc config WpcMonSvc start=disabled (PID 4980, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config SEMgrSvc start=disabled (PID 4144, level 2)
- C:\Windows\system32\sc.exe: sc config SCardSvr start=disabled (PID 1084, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config Netlogon start=disabled (PID 4152, level 2)
- C:\Windows\system32\sc.exe: sc config CscService start=disabled (PID 2304, level 2)
- C:\Windows\system32\sc.exe: sc config icssvc start=disabled (PID 4000, level 2)
- C:\Windows\system32\sc.exe: sc config wisvc start=disabled (PID 1432, level 2)
- C:\Windows\system32\sc.exe: sc config RetailDemo start=disabled (PID 4736, level 2)
- C:\Windows\system32\sc.exe: sc config WalletService start=disabled (PID 4412, level 2)
- C:\Windows\system32\sc.exe: sc config Fax start=disabled (PID 2976, level 2)
- C:\Windows\system32\sc.exe: sc config WbioSrvc start=disabled (PID 1580, level 2)
- C:\Windows\system32\sc.exe: sc config iphlpsvc start=disabled (PID 2932, level 2)
- C:\Windows\system32\sc.exe: sc config wcncsvc start=disabled (PID 4760, level 2)
- C:\Windows\system32\sc.exe: sc config fhsvc start=disabled (PID 412, level 2)
- C:\Windows\system32\sc.exe: sc config PhoneSvc start=disabled (PID 856, level 2)
- C:\Windows\system32\sc.exe: sc config seclogon start=disabled (PID 3996, level 2)
- C:\Windows\system32\sc.exe: sc config FrameServer start=disabled (PID 2644, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config WbioSrvc start=disabled (PID 3184, level 2)
- C:\Windows\system32\sc.exe: sc config StiSvc start=disabled (PID 4296, level 2)
- C:\Windows\system32\sc.exe: sc config PcaSvc start=disabled (PID 2488, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config DPS start=disabled (PID 1412, level 2)
- C:\Windows\system32\sc.exe: sc config MapsBroker start=disabled (PID 4352, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config bthserv start=disabled (PID 1828, level 2)
- C:\Windows\system32\sc.exe: sc config BDESVC start=disabled (PID 2608, level 2)
- C:\Windows\system32\sc.exe: sc config BthAvctpSvc start=disabled (PID 4604, level 2)
- C:\Windows\system32\sc.exe: sc config WpcMonSvc start=disabled (PID 4192, level 2)
- C:\Windows\system32\sc.exe: sc config DiagTrack start=disabled (PID 3576, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config CertPropSvc start=disabled (PID 4988, level 2)
- C:\Windows\system32\sc.exe: sc config WdiServiceHost start=disabled (PID 1456, level 2)
- C:\Windows\system32\sc.exe: sc config lmhosts start=disabled (PID 5016, level 2)
- C:\Windows\system32\sc.exe: sc config WdiSystemHost start=disabled (PID 4364, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config TrkWks start=disabled (PID 824, level 2)
- C:\Windows\system32\sc.exe: sc config WerSvc start=disabled (PID 3000, level 2)
- C:\Windows\system32\sc.exe: sc config TabletInputService start=disabled (PID 3368, level 2)
- C:\Windows\system32\sc.exe: sc config EntAppSvc start=disabled (PID 4452, level 2)
- C:\Windows\system32\sc.exe: sc config Spooler start=disabled (PID 4388, level 2)
- C:\Windows\system32\sc.exe: sc config BcastDVRUserService start=disabled (PID 4652, level 2)
- C:\Windows\system32\sc.exe: sc config WMPNetworkSvc start=disabled (PID 2092, level 2)
- C:\Windows\system32\sc.exe: sc config diagnosticshub.standardcollector.service start=disabled (PID 4660, level 2)
- C:\Windows\system32\sc.exe: sc config DmEnrollmentSvc start=disabled (PID 1668, level 2)
- C:\Windows\system32\sc.exe: sc config PNRPAutoReg start=disabled (PID 2028, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config wlidsvc start=disabled (PID 4936, level 2)
- C:\Windows\system32\sc.exe: sc config AXInstSV start=disabled (PID 4304, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config lfsvc start=disabled (PID 4332, level 2)
- C:\Windows\system32\sc.exe: sc config NcbService start=disabled (PID 1780, level 2)
- C:\Windows\system32\sc.exe: sc config DeviceAssociationService start=disabled (PID 4172, level 2)
- C:\Windows\system32\sc.exe: sc config StorSvc start=disabled (PID 2244, level 2)
- C:\Windows\system32\sc.exe: sc config TieringEngineService start=disabled (PID 384, level 2)
- C:\Windows\system32\sc.exe: sc config DPS start=disabled (PID 3308, level 2)
- C:\Windows\system32\sc.exe: sc config Themes start=disabled (PID 3280, level 2)
- C:\Windows\system32\sc.exe: sc config AppReadiness start=disabled (PID 3388, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3164, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config HvHost start=disabled (PID 2672, level 2)
- C:\Windows\system32\sc.exe: sc config vmickvpexchange start=disabled (PID 900, level 2)
- C:\Windows\system32\sc.exe: sc config vmicguestinterface start=disabled (PID 3008, level 2)
- C:\Windows\system32\sc.exe: sc config vmicshutdown start=disabled (PID 2228, level 2)
- C:\Windows\system32\sc.exe: sc config vmicheartbeat start=disabled (PID 2448, level 2)
- C:\Windows\system32\sc.exe: sc config vmicvmsession start=disabled (PID 4448, level 2)
- C:\Windows\system32\sc.exe: sc config vmicrdv start=disabled (PID 3568, level 2)
- C:\Windows\system32\sc.exe: sc config vmictimesync start=disabled (PID 3088, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config vmicvss start=disabled (PID 5028, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 2128, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config edgeupdate start=disabled (PID 1732, level 2)
  - Launches sc.exe
- C:\Windows\system32\sc.exe: sc config edgeupdatem start=disabled (PID 2500, level 2)
- C:\Windows\system32\sc.exe: sc config GoogleChromeElevationService start=disabled (PID 1692, level 2)
- C:\Windows\system32\sc.exe: sc config gupdate start=disabled (PID 2764, level 2)
- C:\Windows\system32\sc.exe: sc config gupdatem start=disabled (PID 2416, level 2)
- C:\Windows\system32\sc.exe: sc config BraveElevationService start=disabled (PID 3360, level 2)
- C:\Windows\system32\sc.exe: sc config brave start=disabled (PID 1996, level 2)
- C:\Windows\system32\sc.exe: sc config bravem start=disabled (PID 3284, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 2596, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe: sc config NcbService start=disabled (PID 4476, level 2)
- C:\Windows\system32\sc.exe: sc config jhi_service start=disabled (PID 1324, level 2)
- C:\Windows\system32\sc.exe: sc config WMIRegistrationService start=disabled (PID 1228, level 2)
- C:\Windows\system32\sc.exe: sc config "Intel(R) TPM Provisioning Service" start=disabled (PID 2888, level 2)
- C:\Windows\system32\sc.exe: sc config ipfsvc start=disabled (PID 2376, level 2)
- C:\Windows\system32\sc.exe: sc config igccservice start=disabled (PID 1112, level 2)
- C:\Windows\system32\sc.exe: sc config cplspcon start=disabled (PID 4176, level 2)
- C:\Windows\system32\sc.exe: sc config esifsvc start=disabled (PID 4776, level 2)
- C:\Windows\system32\sc.exe: sc config LMS start=disabled (PID 1564, level 2)
- C:\Oneclick Tools\NSudo\NSudoLG.exe: "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat" (PID 1652, level 2)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\timeout.exe: timeout 1 (PID 1556, level 2)
  - Delays execution with timeout.exe
- C:\Oneclick Tools\NSudo\NSudoLG.exe: "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat" (PID 2704, level 2)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable (PID 892, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable (PID 3136, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable (PID 3368, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable (PID 4648, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable (PID 2696, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "CCleaner Update" /Disable (PID 4564, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "CCleanerCrashReporting" /Disable (PID 4376, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable (PID 4844, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable (PID 2044, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable (PID 2556, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable (PID 2192, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable (PID 4828, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable (PID 3316, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable (PID 2692, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable (PID 1672, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable (PID 3128, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable (PID 3884, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable (PID 3280, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable (PID 3388, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable (PID 3164, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable (PID 2672, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable (PID 3756, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F (PID 1596, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F (PID 1492, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F (PID 4448, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F (PID 3568, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F (PID 2200, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "CCleaner Update" /F (PID 2016, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "CCleanerCrashReporting" /F (PID 2128, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F (PID 4432, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F (PID 1180, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 2764, level 2)
  - Delays execution with timeout.exe
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers" (PID 1868, level 2)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\timeout.exe: timeout 1 (PID 2356, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\takeown.exe: takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe" (PID 2948, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe: icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F (PID 1276, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3036, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\taskkill.exe: taskkill /f /im msedge.exe (PID 2828, level 2)
  - Kills process with taskkill
- C:\Windows\system32\taskkill.exe: taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe" (PID 3572, level 2)
  - Kills process with taskkill
- C:\Windows\system32\taskkill.exe: taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe" (PID 460, level 2)
  - Kills process with taskkill
- C:\Windows\system32\timeout.exe: timeout 1 (PID 1648, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\taskkill.exe: taskkill.exe /F /IM "OneDrive.exe" (PID 4792, level 2)
  - Kills process with taskkill
- C:\Windows\system32\taskkill.exe: taskkill.exe /F /IM "explorer.exe" (PID 4204, level 2)
  - Kills process with taskkill
- C:\Windows\system32\reg.exe: reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f (PID 396, level 2)
  - Modifies registry class
- C:\Windows\system32\reg.exe: reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f (PID 1660, level 2)
  - Modifies registry class
- C:\Windows\system32\reg.exe: reg load "hku\Default" "C:\Users\Default\NTUSER.DAT" (PID 376, level 2)
- C:\Windows\system32\reg.exe: reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f (PID 3540, level 2)
- C:\Windows\system32\reg.exe: reg unload "hku\Default" (PID 4524, level 2)
- C:\Windows\system32\schtasks.exe: schtasks /delete /tn "OneDrive*" /f (PID 232, level 2)
- C:\Windows\explorer.exe: explorer.exe (PID 4636, level 2)
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3488, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\takeown.exe: takeown /F "C:\Windows\System32\UsoClient.exe" (PID 2284, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe: icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F (PID 4900, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\takeown.exe: takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" (PID 3544, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe: icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F (PID 3424, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\timeout.exe: timeout 1 (PID 1116, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\taskkill.exe: taskkill /F /IM WidgetService.exe (PID 244, level 2)
  - Kills process with taskkill
- C:\Windows\system32\taskkill.exe: taskkill /F /IM Widgets.exe (PID 348, level 2)
  - Kills process with taskkill
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f (PID 3572, level 2)
- C:\Windows\system32\reg.exe: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f (PID 1648, level 2)
- C:\Windows\system32\timeout.exe: timeout 1 (PID 4148, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\takeown.exe: takeown /F "C:\Windows\System32\smartscreen.exe" (PID 3408, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe: icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F (PID 4408, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\takeown.exe: takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" (PID 1176, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe: icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F (PID 4964, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\timeout.exe: timeout 1 (PID 936, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\takeown.exe: takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" (PID 3504, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe: icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F (PID 3612, level 2)
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\timeout.exe: timeout 1 (PID 3656, level 2)
  - Delays execution with timeout.exe
- C:\Windows\system32\chcp.com: chcp 437 (PID 2892, level 2)
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red" (PID 3580, level 2)
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding (PID 4060, level 1)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker (PID 3092, level 1)
  - Modifies registry class
- C:\Windows\System32\svchost.exe: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS (PID 4136, level 1)
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\svchost.exe: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost (PID 4556, level 1)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca (PID 2068, level 1)
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca (PID 1576, level 1)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
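The level-2 chain above is one long run of sc.exe, reg.exe, schtasks.exe, takeown.exe and icacls.exe invocations, and the first job for a responder is to turn it into an inventory of what was disabled, rewritten or re-owned. The helper below is an added example for this report; it is not part of the sandbox output or of Oneclick-V6.7.bat. It parses command lines exactly as they appear in the tree (both "start= disabled" and "start=disabled", quoted and unquoted reg values) and then answers the three questions that matter first: is the update pipeline impaired, is remote management switched off, and which protected binaries changed owner. The service groupings, task-path prefixes and protected-binary list are this example's own assumptions assembled from names on this page; the sample input is a constructed subset of the report's command lines.

```python
"""Inventory of tampering commands from a Windows sandbox process tree.

Added example for this report, not part of the sandbox output or of
Oneclick-V6.7.bat. The groupings below are this example's own assumptions,
built from service, task and file names that appear in the report.
"""
import re

UPDATE_SERVICES = {"wuauserv", "waasmedicsvc", "usosvc", "bits", "dosvc",
                   "installservice", "uhssvc"}
REMOTE_MGMT_SERVICES = {"winrm", "remoteregistry", "remoteaccess"}
PROTECTED_BINARIES = {"smartscreen.exe", "chxsmartscreen.exe",
                      "usoclient.exe", "mousocoreworker.exe"}
UPDATE_TASK_PREFIXES = ("microsoft\\windows\\updateorchestrator\\",
                        "microsoft\\windows\\waasmedic\\",
                        "microsoft\\windows\\windowsupdate\\",
                        "microsoft\\windows\\installservice\\")

# sc accepts "start= x" and "start=x"; reg quotes names/data inconsistently.
SC_RE = re.compile(r'^sc\s+config\s+("[^"]+"|\S+)\s+start=\s*([\w-]+)', re.I)
REG_ADD_RE = re.compile(r'^reg\s+add\s+"([^"]+)"\s+/v\s+"?([^"\s]+)"?\s+/t\s+\w+'
                        r'\s+/d\s+"?([^"\s]+)"?', re.I)
REG_DEL_RE = re.compile(r'^reg\s+delete\s+"([^"]+)"\s+/v\s+"?([^"\s]+)"?', re.I)
TASK_RE = re.compile(r'^schtasks\s+/(change|delete)\s+/tn\s+"([^"]+)"', re.I)
TAKEOWN_RE = re.compile(r'^takeown\s+/f\s+"([^"]+)"', re.I)
ICACLS_RE = re.compile(r'^icacls\s+"([^"]+)"\s+/grant\s+(\S+)', re.I)
SERVICE_KEY_RE = re.compile(r'\\services\\([^\\]+)$', re.I)


def inventory(cmdlines):
    """Classify each command line; unrecognised ones (timeout, chcp) are ignored."""
    inv = {"services": {}, "start_dword": {}, "policy": {}, "deleted_values": set(),
           "tasks_disabled": set(), "tasks_deleted": set(), "reowned": set(),
           "regranted": {}}
    for line in (c.strip() for c in cmdlines):
        if m := SC_RE.match(line):
            inv["services"][m.group(1).strip('"').lower()] = m.group(2).lower()
        elif m := REG_ADD_RE.match(line):
            key, name, data = m.groups()
            svc = SERVICE_KEY_RE.search(key)
            if svc and name.lower() == "start":      # Services\<name>\Start = N
                inv["start_dword"][svc.group(1).lower()] = int(data)
            else:                                    # policy / CLSID values
                inv["policy"][f"{key}\\{name}"] = data
        elif m := REG_DEL_RE.match(line):
            inv["deleted_values"].add(f"{m.group(1)}\\{m.group(2)}")
        elif m := TASK_RE.match(line):
            if m.group(1).lower() == "delete":
                inv["tasks_deleted"].add(m.group(2))
            elif "/disable" in line.lower():
                inv["tasks_disabled"].add(m.group(2))
        elif m := TAKEOWN_RE.match(line):
            inv["reowned"].add(m.group(1))
        elif m := ICACLS_RE.match(line):
            inv["regranted"][m.group(1)] = m.group(2)
    return inv


def disabled_services(inv):
    """Services disabled via sc config or via Start=4 written straight to the registry."""
    via_sc = {s for s, t in inv["services"].items() if t == "disabled"}
    via_reg = {s for s, v in inv["start_dword"].items() if v == 4}
    return via_sc | via_reg


def assess(inv):
    """Impact summary: update pipeline, remote management, re-owned protected binaries."""
    down = disabled_services(inv)
    update_tasks = {t for t in inv["tasks_disabled"]
                    if t.lower().startswith(UPDATE_TASK_PREFIXES)}
    policy_block = any(k.lower().endswith("\\disablewindowsupdateaccess") and v == "1"
                       for k, v in inv["policy"].items())
    reowned = sorted(p for p in inv["reowned"]
                     if p.rsplit("\\", 1)[-1].lower() in PROTECTED_BINARIES)
    return {
        "update_pipeline_impaired": bool(down & UPDATE_SERVICES) or bool(update_tasks) or policy_block,
        "remote_management_disabled": bool(down & REMOTE_MGMT_SERVICES),
        "protected_binaries_reowned": reowned,
        "disabled_service_count": len(down),
    }


# Constructed sample: a subset of the command lines in the tree above.
SAMPLE = [
    "sc config wuauserv start= disabled",
    "sc config WinRM start= disabled",
    "sc config BFE start= demand",
    'sc config "Intel(R) TPM Provisioning Service" start=disabled',
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f',
    r'schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable',
    'schtasks /Delete /TN "CCleaner Update" /F',
    r'reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f',
    r'takeown /F "C:\Windows\System32\smartscreen.exe"',
    r'icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F',
    "timeout 1",
]

if __name__ == "__main__":
    for k, v in assess(inventory(SAMPLE)).items():
        print(f"{k}: {v}")
```

Run it as a script to see the verdict for the sample, or pass `inventory()` the complete list of level-2 command lines from the tree for the full picture. The inventory keeps the `sc config` path and the registry `Start=4` path separate on purpose: the process tree records attempts, not outcomes, and the same service appears on both paths in this run, so a responder restoring the machine has to check the live Start value rather than trust either command alone.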
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- System Services (2): Service Execution (2)
Persistence
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Create or Modify System Process (3): Windows Service (3)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
- Power Settings (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Create or Modify System Process (3): Windows Service (3)
- Event Triggered Execution (1): Component Object Model Hijacking (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- File and Directory Permissions Modification (2): Windows File and Directory Permissions Modification (1)
- Hide Artifacts (2): Hidden Files and Directories (1), Ignore Process Interrupts (1)
- Impair Defenses (3): Disable or Modify Tools (2)
- Indicator Removal (1): File Deletion (1)
- Modify Registry (8)
Downloads
- Filesize: 564KB
  MD5: d2be90c23063c07c5bf6e02c9400ac35
  SHA1: c2ca99de035c17ba9b7912c26725efffe290b1db
  SHA256: 9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
  SHA512: 13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e
- Filesize: 174KB
  MD5: 423129ddb24fb923f35b2dd5787b13dd
  SHA1: 575e57080f33fa87a8d37953e973d20f5ad80cfd
  SHA256: 5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
  SHA512: d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce
- Filesize: 1.9MB
  MD5: 4803e06db91fdb8b6d1b65c0010d2f87
  SHA1: f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c
  SHA256: beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b
  SHA512: f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6
- Filesize: 2KB
  MD5: 109f47ced5da3f92362c49069fc4624e
  SHA1: 79b611073aa0006f1bb4058a6ecb6f3cc97391d6
  SHA256: 2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b
  SHA512: 55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774
- Filesize: 2KB
  MD5: 5f4c933102a824f41e258078e34165a7
  SHA1: d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
  SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
  SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
- Filesize: 64B
  MD5: 235a8eb126d835efb2e253459ab8b089
  SHA1: 293fbf68e6726a5a230c3a42624c01899e35a89f
  SHA256: 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
  SHA512: a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
- Filesize: 64B
  MD5: 446dd1cf97eaba21cf14d03aebc79f27
  SHA1: 36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
- Filesize: 1KB
  MD5: 238f0a5701700be966cc85a76ecbfc19
  SHA1: c69446816c9c6c0657e8705ca08459440b6e1d53
  SHA256: cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b
  SHA512: 791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1
- Filesize: 1KB
  MD5: 775d23139d3bd8a6a218e575f614fb1a
  SHA1: 89311d2fb9a37e69ded8990e3e3b17af97a61316
  SHA256: c6fbdd15c15bdc1ebd0b53fc9568374f22c4bce5eb42339c766b15ea256f2afe
  SHA512: dfe8c37c39c5a8cefc3b28dfa461b51580dbfe168208556018bedab33554edf41b7bd3d3b8ecfc843b160d6b314d0ac252c067edd2197fdf2322323ea0c1fd67
- Filesize: 948B
  MD5: d70b0a49b2727a97cc322ea54d2a66c7
  SHA1: 57d984bd970307ad80665d97f5369ad644de8776
  SHA256: bc38ea6605142cb9ec440231b665a5c5a53c499c7e25a77a94eb6491efdd2a65
  SHA512: 90790e506f7453a63d4915fb50c7694184c3bc5b836979d19c15a240c6145d9bbc33d393007f4b39a782e789f6259974a1824e79e960a64c5f8703e4797fdd0d
- Filesize: 1KB
  MD5: 12ff85d31d9e76455b77e6658cb06bf0
  SHA1: 45788e71d4a7fe9fd70b2c0e9494174b01f385eb
  SHA256: 1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
  SHA512: fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f
- Filesize: 1KB
  MD5: c55100e7e1e2110933b1a746a5b67caf
  SHA1: c59aec1ef33720a37d4b53a543c18500622abd01
  SHA256: 9514c92fe04ff67520b606fef8fd7ede93536bfdde1dd8fd2adebd7af76cb7a7
  SHA512: 73d8d0b111a02ab5ed48fffc3be36030e4e43781710ab5f252c7be91499f91f8ee4a191c79b4b874ddf3fdcd4abbee6823005e10b7e8a091fc58adc242235565
- Filesize: 64B
  MD5: 66c4ecc8569e72360d2dd87b1a3e43d0
  SHA1: 0204696e8d18cbdf3d8ecfef0ffd3005eb170372
  SHA256: 0211b10a9681e2efa4ed1da5b7dc0749953240aa431edfc21456a1c98357458f
  SHA512: 67715718b6bf724cba7cd57e70c8c1d220da046bbcd0619200e4be99984115589ca49701096690bc4c10e5732e98fc0f3656696b18f3a55da3a12eb53635f7e1
- Filesize: 1KB
  MD5: e3a924916719c590c164e2306f5b3ad4
  SHA1: 6b99d5b4cadd988deb3f825c38d3b2ca62beed11
  SHA256: a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1
  SHA512: 29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be
- Filesize: 1KB
  MD5: c3c70d512dd3f5823d1843b174b15cd6
  SHA1: 014accda56aa5efd4cdd3ce3dbe3badf6952d4bf
  SHA256: d8037878878bf3a871c26a233ff70f2666309b3622c368b7ab40431b21c2937b
  SHA512: d9f555f3550c5ca9fa8357a9281e9d5e05ca668cfac20c851142441de6ceae9ad40172d697627ff25121083d532be84ec32bb98d239d5be284feeb425f74367a
- Filesize: 1KB
  MD5: 6471e12f3df368f7fc86678727756cf4
  SHA1: b72f92174009ed1a606af18bcf229594a0c8d56b
  SHA256: 7f5255005055807a9354d8416d3d0a92051cd2747c84ec59670ba8f38876604a
  SHA512: a390cb73eba7dc085ec50c92e01b366dc7149142f4dcc3853707a492338d6a931b414ee631a384728a1719838580d6e820c6065c4e372cbddcd728c16213e6c9
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82