Analysis
-
max time kernel
633s -
max time network
618s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
09-11-2024 16:11
Static task
static1
Behavioral task
behavioral1
Sample
Full-Package-OneClick-V6.7.zip
Resource
win11-20241007-en
General
-
Target
Full-Package-OneClick-V6.7.zip
-
Size
1.3MB
-
MD5
d8dc00ed1b4565dc180ceacd4b44ced3
-
SHA1
623cd693f170780c1859bc6d9f8c693e8d1b5cfa
-
SHA256
3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21
-
SHA512
b77d52184a9b40fab368e4e67179c5fc71825a3895dc665ded380dc1c5a44d7da12be97c5637ef2c35e8ae73cd1354a7a40e54947c5aa5dbdba1c76820c51a83
-
SSDEEP
24576:7Vop8eTs5bNuKI01xVIjf7fySbYRgikjmqjrU74en00tO9Jkq7Yylia9QlpNJS:7VO4NDIiqfOSMRgt3G4en0SXqga9gS
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" OOSU10.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" reg.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" reg.exe -
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs
Runs PowerShell with its display window hidden.
Processes:
Downloads MZ/PE file
-
Possible privilege escalation attempt 13 IoCs
Processes:
pid process
2676 icacls.exe
2272 takeown.exe
4828 takeown.exe
2124 icacls.exe
4028 takeown.exe
3960 icacls.exe
3808 icacls.exe
772 takeown.exe
3396 icacls.exe
1088 takeown.exe
2888 icacls.exe
688 takeown.exe
5000 icacls.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 5 IoCs
Processes:
pid process
404 OOSU10.exe
772 NSudoLG.exe
2448 NSudoLG.exe
4148
3016 -
Modifies file permissions 1 TTPs 13 IoCs
Processes:
pid process
4028 takeown.exe
688 takeown.exe
2676 icacls.exe
2272 takeown.exe
3396 icacls.exe
1088 takeown.exe
2888 icacls.exe
3960 icacls.exe
3808 icacls.exe
772 takeown.exe
5000 icacls.exe
4828 takeown.exe
2124 icacls.exe -
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console"
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\8m56aq reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\ reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ reg.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description ioc process
File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
File opened (read-only) \??\F:
File opened (read-only) \??\F: -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes:
flow ioc
2 raw.githubusercontent.com
8 raw.githubusercontent.com
19 drive.google.com
24 drive.google.com
39 raw.githubusercontent.com
42 drive.google.com -
Power Settings 1 TTPs 28 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
pid process
3364 1848 5096 3560 4748 2148 3712 3808 1132 3964 1100 4984 2924 4928 2204 2244 3384 4644 4108 3880 4420 3004 powercfg.exe 924 4788 4592 1980 1832 3176 -
Drops file in System32 directory 9 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\system32\SRU\SRU.chk svchost.exe
File opened for modification C:\Windows\system32\SRU\SRU.log svchost.exe
File created C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3a811826-2439-4b4b-8e5b-3758fdc20efe}\snapshot.etl svchost.exe
File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3a811826-2439-4b4b-8e5b-3758fdc20efe}\snapshot.etl svchost.exe
File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3587106988-279496464-3440778474-1000_UserData.bin svchost.exe
File opened for modification C:\Windows\system32\SRU\SRUDB.dat svchost.exe
File opened for modification C:\Windows\system32\SRU\SRUDB.jfm svchost.exe
File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin svchost.exe
File created C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3587106988-279496464-3440778474-1000_StartupInfo3.xml svchost.exe -
Drops file in Windows directory 64 IoCs
Processes:
Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
Processes:
pid process
4524 powershell.exe
2716 powershell.exe
1392 powershell.exe -
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Delays execution with timeout.exe 64 IoCs
Processes:
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes:
pid process 692 4196 4568 1996 -
Kills process with taskkill 13 IoCs
Processes:
pid process
4428 taskkill.exe
5016
4176
3684 taskkill.exe
3428 taskkill.exe
864 taskkill.exe
4140 taskkill.exe
3212
4028
4532 taskkill.exe
1464 taskkill.exe
2404 taskkill.exe
2244 -
Modifies Control Panel 1 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" OOSU10.exe -
Processes:
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" -
Modifies data under HKEY_USERS 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard reg.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" reg.exe -
Modifies registry class 64 IoCs
Processes:
\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory OOSU10.exe Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 
140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a00410062006700200066007600740061007200710020007600610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000fdad8608b018db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d0036003700510052003000
4f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "38" SearchHost.exe Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f706806ee260aa0d7449371beb064c986830000 Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead OOSU10.exe Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "858" SearchHost.exe Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Set value (int) 
\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchHost.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "23" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main OOSU10.exe
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoftwindows.client.cbs SearchHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "12399" SearchHost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "858" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge OOSU10.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369"
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory\ = "0" OOSU10.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "23" SearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache SearchHost.exe
-
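Most rows in the table above are shellbag, BagMRU, SearchHost DOMStorage and MUI-cache churn that Explorer and the search host write on any desktop session; the rows worth a second look are the per-user CLSID InprocServer32 key that powershell.exe creates under HKCU\Software\Classes (the location a COM hijack uses, because the user hive is consulted before HKLM) and the System.IsPinnedToNameSpaceTree change that reg.exe makes on {018D5C66-4533-4307-9B53-224DE2ED1FE6}, the OneDrive navigation-pane entry. The TrayNotify\IconStreams blob written by explorer.exe also deserves decoding: TrayNotify stores the paths and tooltips of programs that have shown a tray icon as ROT13-encoded UTF-16LE text, which is why the value starts with 50003a005c00 rather than 43003a005c00 for "C:\". The script below is an added example, not part of this report or of the analysed package. It parses the report's row format, drops the noise, flags the COM and navigation-pane rows, and decodes the IconStreams strings. The sample rows are copied from the table; the IconStreams value is an excerpt of the recorded blob with its runs of zero padding trimmed, and the decoder assumes the value is 2-byte aligned (it does not parse the record layout, only printable UTF-16LE runs). The {86ca1aa0-34aa-4e8b-a509-50c905bae2a2} key with an empty InprocServer32 default is the widely used tweak that restores the Windows 10 style context menu on Windows 11, which fits a tweaking package; the rule flags it anyway, since the writer and the value are what distinguish a tweak from a hijack.

```python
"""Triage for the registry rows of the report above.  Added example, not part
of the report or the analysed package.  Sample rows are copied from the table;
the IconStreams value is an excerpt of the recorded blob, zero padding trimmed."""
import codecs
import re

# One report row: "Key created <path> [proc]" or
# "Set value (<type>) <path> [= "str" | hex] [proc]".  Paths contain spaces,
# so the path group is non-greedy and the whole pattern is anchored at the end.
ROW = re.compile(
    r'^(?P<action>Key created|Set value \((?P<vtype>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s*=\s*(?P<value>"[^"]*"|[0-9a-fA-F]+))?'
    r'(?:\s+(?P<proc>[\w.-]+\.exe))?\s*$')

# Explorer, SearchHost and MUI-cache churn that every desktop session writes.
NOISE_RE = re.compile(
    r'\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\'     # shellbags, BagMRU
    r'|\\AppContainer\\Storage\\microsoftwindows\.client\.cbs_'   # SearchHost DOMStorage
    r'|\\Local Settings\\(Immutable)?MuiCache')

# HKCU\Software\Classes\CLSID is consulted before HKLM, so a per-user
# InprocServer32/LocalServer32/TreatAs is the classic COM-hijack location.
COM_RE = re.compile(
    r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+_Classes\\CLSID\\\{[0-9a-fA-F-]{36}\}'
    r'\\(InprocServer32|LocalServer32|TreatAs)\\?$')
ICONSTREAMS_RE = re.compile(r'\\TrayNotify\\IconStreams$')


def rot13_utf16_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Printable UTF-16LE runs in blob, ROT13-decoded: TrayNotify stores the
    paths and tooltips of tray-icon programs that way.  Scans even offsets
    only (assumes a 2-byte-aligned value, which the recorded one is)."""
    found, run = [], []
    for i in range(0, len(blob) - 1, 2):
        unit = blob[i] | (blob[i + 1] << 8)
        if 0x20 <= unit <= 0x7E or unit in (0x09, 0x0A):
            run.append(chr(unit))
            continue
        if len(run) >= min_len:
            found.append(codecs.decode(''.join(run), 'rot_13').strip())
        run = []
    if len(run) >= min_len:
        found.append(codecs.decode(''.join(run), 'rot_13').strip())
    return found


def triage(rows: list[str]) -> list[dict]:
    """Label each row noise, com_registration, navpane_pin, iconstreams
    (with the decoded strings attached), review or unparsed."""
    out = []
    for line in rows:
        m = ROW.match(line.strip())
        if not m:
            out.append({'raw': line, 'label': 'unparsed'})
            continue
        rec = m.groupdict()
        path, value = rec['path'], rec['value']
        if COM_RE.match(path):
            rec['label'] = 'com_registration'
        elif path.endswith(r'\System.IsPinnedToNameSpaceTree'):
            rec['label'] = 'navpane_pin'   # pins/unpins a namespace extension in the Explorer pane
        elif ICONSTREAMS_RE.search(path) and value and not value.startswith('"'):
            rec['label'] = 'iconstreams'
            rec['decoded'] = rot13_utf16_strings(bytes.fromhex(value))
        elif NOISE_RE.search(path):
            rec['label'] = 'noise'
        else:
            rec['label'] = 'review'
        out.append(rec)
    return out


def labels(rows: list[str]) -> list[str]:
    return [rec['label'] for rec in triage(rows)]


ICONSTREAMS_EXCERPT_HEX = (
    '1400000007000000010001000500000014000000'                      # 20-byte header
    '50003a005c00480066007200650066005c004e0071007a00760061005c00'  # "P:\Hfrerf\Nqzva\" ...
    '4e006300630051006e0067006e005c005900620070006e0079005c00'
    '5a00760070006500620066006200730067005c00420061007200510065007600690072005c00'
    '420061007200510065007600690072002e0072006b00720000000000'
    'f50100000000000000000000e8070a00'
    '420061007200510065007600690072000a00410062006700200066007600740061007200710020007600610000000000'
    '01000000'
    '7b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d003900330030003500'
    '2d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000')
U = r'\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes'
SAMPLE_ROWS = [
    'Set value (int) ' + U + r'\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "56" SearchHost.exe',
    'Key created ' + U + r'\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 powershell.exe',
    'Set value (data) ' + U + r'\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff',
    'Set value (str) ' + U + r'\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no" OOSU10.exe',
    'Set value (int) ' + U + r'\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" reg.exe',
    'Set value (str) ' + U + r'\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ powershell.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe',
    'Set value (data) ' + U + r'\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = '
    + ICONSTREAMS_EXCERPT_HEX + ' explorer.exe',
]

if __name__ == '__main__':
    for rec in triage(SAMPLE_ROWS):
        if rec['label'] != 'noise':
            print(f"[{rec['label']}] {rec.get('proc') or '?'}: {rec['path']}")
            for s in rec.get('decoded', []):
                print('    decoded:', repr(s))
```

On the excerpt, the decoder returns C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe, the tooltip "OneDrive" / "Not signed in", and {F38BF404-1D43-42F2-9305-67DE0B28FC23}\explorer.exe, where the GUID is the known-folder ID of the Windows directory: the OneDrive and Explorer tray icons of the sandbox image, written by explorer.exe as ordinary desktop state rather than something the package planted. The same decoder applied to the full recorded value, or to IconStreams and PastIconsStream pulled from a live NTUSER.DAT, lists every program that has shown a tray icon on that profile, which is the reason the artifact matters in an intrusion timeline.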
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
pid process
3884 (no process name recorded)
3884 (no process name recorded)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 7zFM.exe, powershell.exe (many instances), Taskmgr.exe, svchost.exe, NSudoLG.exe, explorer.exe
pid process (rows recorded)
2292 7zFM.exe (2)
2464 powershell.exe (2)
3992 powershell.exe (2)
1608 powershell.exe (2)
4524 powershell.exe (2)
4180 powershell.exe (2)
4944 powershell.exe (2)
3504 powershell.exe (2)
1300 powershell.exe (2)
1984 Taskmgr.exe (5)
4500 svchost.exe (4)
2716 powershell.exe (2)
4728 powershell.exe (2)
1496 powershell.exe (2)
1392 powershell.exe (2)
772 NSudoLG.exe (2)
2448 NSudoLG.exe (2)
1948 powershell.exe (2)
2544 explorer.exe (2)
4508 powershell.exe (3)
4276 powershell.exe (2)
3584 powershell.exe (2)
3620 powershell.exe (2)
4332 powershell.exe (2)
2876 powershell.exe (2)
4036 powershell.exe (2)
4164 powershell.exe (2)
4440 powershell.exe (2)
3424 powershell.exe (2)
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: 7zFM.exe, explorer.exe
pid process
2292 7zFM.exe
2544 explorer.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 7zFM.exe, TiWorker.exe, powershell.exe (six instances)
description pid process
SeRestorePrivilege 2292 7zFM.exe
35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege; the report shows the raw LUID) 2292 7zFM.exe
SeSecurityPrivilege 2292 7zFM.exe (2 rows)
SeBackupPrivilege, SeRestorePrivilege and SeSecurityPrivilege, enabled in rotation (54 rows, 18 of each) 3956 TiWorker.exe (Windows Modules Installer worker)
SeDebugPrivilege 2464 powershell.exe
SeDebugPrivilege 3992 powershell.exe
SeDebugPrivilege 1608 powershell.exe
SeDebugPrivilege 4524 powershell.exe
SeDebugPrivilege 4180 powershell.exe
SeDebugPrivilege 4944 powershell.exe
-
Suspicious use of FindShellTrayWindow 62 IoCs
Processes:
7zFM.exeTaskmgr.exeexplorer.exepid process 2292 7zFM.exe 2292 7zFM.exe 2292 7zFM.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 3884 3884 -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
Taskmgr.exeexplorer.exepid process 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 1984 Taskmgr.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe 2544 explorer.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
MiniSearchHost.exeexplorer.exeSearchHost.exeStartMenuExperienceHost.exepid process 4940 MiniSearchHost.exe 2544 explorer.exe 1868 SearchHost.exe 2724 StartMenuExperienceHost.exe 2544 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
7zFM.exe, cmd.exe, net.exe, cmd.exe
description pid process target process
- PID 2292 wrote to memory of 1160 2292 7zFM.exe NOTEPAD.EXE
- PID 2292 wrote to memory of 1160 2292 7zFM.exe NOTEPAD.EXE
- PID 1652 wrote to memory of 2148 1652 cmd.exe fltMC.exe
- PID 1652 wrote to memory of 2148 1652 cmd.exe fltMC.exe
- PID 1652 wrote to memory of 1068 1652 cmd.exe sc.exe
- PID 1652 wrote to memory of 1068 1652 cmd.exe sc.exe
- PID 1652 wrote to memory of 4980 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 4980 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 2860 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 2860 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 1648 1652 cmd.exe sc.exe
- PID 1652 wrote to memory of 1648 1652 cmd.exe sc.exe
- PID 1652 wrote to memory of 4756 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 4756 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 2356 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 2356 1652 cmd.exe find.exe
- PID 1652 wrote to memory of 5092 1652 cmd.exe sc.exe
- PID 1652 wrote to memory of 5092 1652 cmd.exe sc.exe
- PID 1652 wrote to memory of 988 1652 cmd.exe net.exe
- PID 1652 wrote to memory of 988 1652 cmd.exe net.exe
- PID 988 wrote to memory of 420 988 net.exe net1.exe
- PID 988 wrote to memory of 420 988 net.exe net1.exe
- PID 3624 wrote to memory of 1552 3624 cmd.exe fltMC.exe
- PID 3624 wrote to memory of 1552 3624 cmd.exe fltMC.exe
- PID 3624 wrote to memory of 3284 3624 cmd.exe sc.exe
- PID 3624 wrote to memory of 3284 3624 cmd.exe sc.exe
- PID 3624 wrote to memory of 4976 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 4976 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 2420 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 2420 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 4004 3624 cmd.exe sc.exe
- PID 3624 wrote to memory of 4004 3624 cmd.exe sc.exe
- PID 3624 wrote to memory of 1128 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 1128 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 2536 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 2536 3624 cmd.exe find.exe
- PID 3624 wrote to memory of 1636 3624 cmd.exe curl.exe
- PID 3624 wrote to memory of 1636 3624 cmd.exe curl.exe
- PID 3624 wrote to memory of 2672 3624 cmd.exe timeout.exe
- PID 3624 wrote to memory of 2672 3624 cmd.exe timeout.exe
- PID 3624 wrote to memory of 1556 3624 cmd.exe tar.exe
- PID 3624 wrote to memory of 1556 3624 cmd.exe tar.exe
- PID 3624 wrote to memory of 3400 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 3400 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 796 3624 cmd.exe timeout.exe
- PID 3624 wrote to memory of 796 3624 cmd.exe timeout.exe
- PID 3624 wrote to memory of 568 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 568 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 3208 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 3208 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 2464 3624 cmd.exe powershell.exe
- PID 3624 wrote to memory of 2464 3624 cmd.exe powershell.exe
- PID 3624 wrote to memory of 3992 3624 cmd.exe powershell.exe
- PID 3624 wrote to memory of 3992 3624 cmd.exe powershell.exe
- PID 3624 wrote to memory of 3908 3624 cmd.exe timeout.exe
- PID 3624 wrote to memory of 3908 3624 cmd.exe timeout.exe
- PID 3624 wrote to memory of 1420 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 1420 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 1176 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 1176 3624 cmd.exe chcp.com
- PID 3624 wrote to memory of 1608 3624 cmd.exe powershell.exe
- PID 3624 wrote to memory of 1608 3624 cmd.exe powershell.exe
- PID 3624 wrote to memory of 2152 3624 cmd.exe timeout.exe
- PID 3624 wrote to memory of 2152 3624 cmd.exe timeout.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
OOSU10.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" OOSU10.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" OOSU10.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Full-Package-OneClick-V6.7.zip"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4F86FEB7\0- Read Me Important.txt2⤵PID:1160
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\system32\fltMC.exefltmc2⤵PID:2148
-
C:\Windows\system32\sc.exesc query "WinDefend"2⤵
- Launches sc.exe
PID:1068 -
C:\Windows\system32\find.exefind "STATE"2⤵PID:4980
-
C:\Windows\system32\find.exefind "RUNNING"2⤵PID:2860
-
C:\Windows\system32\sc.exesc qc "TrustedInstaller"2⤵PID:1648
-
C:\Windows\system32\find.exefind "START_TYPE"2⤵PID:4756
-
C:\Windows\system32\find.exefind "DISABLED"2⤵PID:2356
-
C:\Windows\system32\sc.exesc config TrustedInstaller start=auto2⤵PID:5092
-
C:\Windows\system32\net.exenet start TrustedInstaller2⤵
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TrustedInstaller3⤵PID:420
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3956
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat1⤵PID:4424
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\system32\fltMC.exefltmc2⤵PID:1552
-
C:\Windows\system32\sc.exesc query "WinDefend"2⤵PID:3284
-
C:\Windows\system32\find.exefind "STATE"2⤵PID:4976
-
C:\Windows\system32\find.exefind "RUNNING"2⤵PID:2420
-
C:\Windows\system32\sc.exesc qc "TrustedInstaller"2⤵PID:4004
-
C:\Windows\system32\find.exefind "START_TYPE"2⤵PID:1128
-
C:\Windows\system32\find.exefind "DISABLED"2⤵PID:2536
-
C:\Windows\system32\curl.execurl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"2⤵PID:1636
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:2672
-
C:\Windows\system32\tar.exetar -xf "C:\\Oneclick Tools.zip" --strip-components=12⤵PID:1556
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:3400
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:796 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:568
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:3208
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Invalid choice, Please choose Y or N.' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3992 -
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:3908 -
C:\Windows\system32\chcp.comchcp 650012⤵PID:1420
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:1176
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608 -
C:\Windows\system32\timeout.exetimeout 22⤵PID:2152
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:2936
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3856 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:3672
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f2⤵PID:2888
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f2⤵PID:2928
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f2⤵PID:4888
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2960 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:3212
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f2⤵PID:1344
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f2⤵PID:4644
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f2⤵PID:424
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:1380
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f2⤵PID:1540
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f2⤵PID:1812
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4552 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"2⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2356 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f2⤵PID:5092
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2868 -
C:\Windows\system32\reg.exereg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f2⤵
- Modifies data under HKEY_USERS
PID:2492 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:2480
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:344 -
C:\Windows\system32\reg.exereg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f2⤵
- Modifies visibility of file extensions in Explorer
PID:540 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4908 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f2⤵PID:1992
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2008 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:1956
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1080 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f2⤵PID:1584
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f2⤵PID:4696
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f2⤵PID:3284
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f2⤵PID:3552
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f2⤵PID:2784
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f2⤵PID:4004
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f2⤵PID:2156
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f2⤵PID:2656
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f2⤵PID:2120
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f2⤵PID:3764
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f2⤵PID:3100
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f2⤵PID:1636
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f2⤵PID:1568
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3368 -
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f2⤵PID:2568
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f2⤵PID:4476
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f2⤵PID:3332
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f2⤵PID:3972
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f2⤵PID:5088
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f2⤵PID:1680
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵PID:3032
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2544 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f2⤵PID:3652
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f2⤵PID:2400
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3696 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f2⤵PID:1076
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:4628
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
PID:4016 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3964 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f2⤵PID:4620
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f2⤵PID:428
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f2⤵PID:3788
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3832 -
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f2⤵PID:1376
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f2⤵PID:2380
-
C:\Windows\system32\powercfg.exepowercfg.exe /hibernate off2⤵
- Power Settings
PID:3004 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:2852 -
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵PID:1444
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵PID:4536
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1160 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:3676
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f2⤵PID:2200
-
C:\Windows\system32\timeout.exetimeout 12⤵PID:1364
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f2⤵PID:1876
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4408 -
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f2⤵PID:1048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3504 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4528 -
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 02⤵
- UAC bypass
PID:3880 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1320 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:1932
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:1868 -
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵PID:1836
-
C:\Windows\system32\sc.exesc config ALG start=demand2⤵PID:1452
-
C:\Windows\system32\sc.exesc config AppIDSvc start=demand2⤵
- Launches sc.exe
PID:3116 -
C:\Windows\system32\sc.exesc config AppMgmt start=demand2⤵PID:3612
-
C:\Windows\system32\sc.exesc config AppReadiness start=demand2⤵PID:2724
-
C:\Windows\system32\sc.exesc config AppVClient start=disabled2⤵PID:3156
-
C:\Windows\system32\sc.exesc config AppXSvc start=demand2⤵
- Launches sc.exe
PID:1228 -
C:\Windows\system32\sc.exesc config Appinfo start=demand2⤵
- Launches sc.exe
PID:344 -
C:\Windows\system32\sc.exesc config AssignedAccessManagerSvc start=disabled2⤵PID:1484
-
C:\Windows\system32\sc.exesc config AudioEndpointBuilder start=auto2⤵PID:4728
-
C:\Windows\system32\sc.exesc config AudioSrv start=auto2⤵PID:2284
-
C:\Windows\system32\sc.exesc config Audiosrv start=auto2⤵PID:3924
-
C:\Windows\system32\sc.exesc config AxInstSV start=demand2⤵PID:4876
-
C:\Windows\system32\sc.exesc config BDESVC start=demand2⤵PID:3944
-
C:\Windows\system32\sc.exesc config BFE start=auto2⤵
- Launches sc.exe
PID:2964 -
C:\Windows\system32\sc.exesc config BITS start=delayed-auto2⤵PID:4976
-
C:\Windows\system32\sc.exesc config BTAGService start=demand2⤵PID:3204
-
C:\Windows\system32\sc.exesc config BcastDVRUserService_dc2a4 start=demand2⤵PID:3284
-
C:\Windows\system32\sc.exesc config BluetoothUserService_dc2a4 start=demand2⤵PID:5008
-
C:\Windows\system32\sc.exesc config BrokerInfrastructure start=auto2⤵PID:1128
-
C:\Windows\system32\sc.exesc config Browser start=demand2⤵PID:2536
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start=auto2⤵PID:2136
-
C:\Windows\system32\sc.exesc config BthHFSrv start=auto2⤵PID:2124
-
C:\Windows\system32\sc.exesc config CDPSvc start=demand2⤵PID:4984
-
C:\Windows\system32\sc.exesc config CDPUserSvc_dc2a4 start=auto2⤵PID:1548
-
C:\Windows\system32\sc.exesc config COMSysApp start=demand2⤵PID:3764
-
C:\Windows\system32\sc.exesc config CaptureService_dc2a4 start=demand2⤵PID:3100
-
C:\Windows\system32\sc.exesc config CertPropSvc start=demand2⤵PID:4568
-
C:\Windows\system32\sc.exesc config ClipSVC start=demand2⤵PID:1568
-
C:\Windows\system32\sc.exesc config ConsentUxUserSvc_dc2a4 start=demand2⤵PID:580
-
C:\Windows\system32\sc.exesc config CoreMessagingRegistrar start=auto2⤵
- Launches sc.exe
PID:652 -
C:\Windows\system32\sc.exesc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand2⤵PID:492
-
C:\Windows\system32\sc.exesc config CryptSvc start=auto2⤵PID:1852
-
C:\Windows\system32\sc.exesc config CscService start=demand2⤵PID:2288
-
C:\Windows\system32\sc.exesc config DPS start=auto2⤵PID:1464
-
C:\Windows\system32\sc.exesc config DcomLaunch start=auto2⤵PID:864
-
C:\Windows\system32\sc.exesc config DcpSvc start=demand2⤵PID:568
-
C:\Windows\system32\sc.exesc config DevQueryBroker start=demand2⤵PID:3392
-
C:\Windows\system32\sc.exesc config DeviceAssociationBrokerSvc_dc2a4 start=demand2⤵PID:4512
-
C:\Windows\system32\sc.exesc config DeviceAssociationService start=demand2⤵
- Launches sc.exe
PID:3508 -
C:\Windows\system32\sc.exesc config DeviceInstall start=demand2⤵PID:2568
-
C:\Windows\system32\sc.exesc config DevicePickerUserSvc_dc2a4 start=demand2⤵PID:4476
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_dc2a4 start=demand2⤵
- Launches sc.exe
PID:4504 -
C:\Windows\system32\sc.exesc config Dhcp start=auto2⤵PID:3440
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵PID:3876
-
C:\Windows\system32\sc.exesc config DialogBlockingService start=disabled2⤵
- Launches sc.exe
PID:5088 -
C:\Windows\system32\sc.exesc config DispBrokerDesktopSvc start=auto2⤵PID:1680
-
C:\Windows\system32\sc.exesc config DisplayEnhancementService start=demand2⤵PID:884
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=demand2⤵PID:2068
-
C:\Windows\system32\sc.exesc config Dnscache start=auto2⤵PID:928
-
C:\Windows\system32\sc.exesc config DoSvc start=delayed-auto2⤵PID:4156
-
C:\Windows\system32\sc.exesc config DsSvc start=demand2⤵PID:1092
-
C:\Windows\system32\sc.exesc config DsmSvc start=demand2⤵PID:404
-
C:\Windows\system32\sc.exesc config DusmSvc start=auto2⤵PID:1300
-
C:\Windows\system32\sc.exesc config EFS start=demand2⤵PID:4772
-
C:\Windows\system32\sc.exesc config EapHost start=demand2⤵PID:1076
-
C:\Windows\system32\sc.exesc config EntAppSvc start=demand2⤵
- Launches sc.exe
PID:2448 -
C:\Windows\system32\sc.exesc config EventLog start=auto2⤵PID:4628
-
C:\Windows\system32\sc.exesc config EventSystem start=auto2⤵PID:328
-
C:\Windows\system32\sc.exesc config FDResPub start=demand2⤵PID:1908
-
C:\Windows\system32\sc.exesc config Fax start=demand2⤵PID:2024
-
C:\Windows\system32\sc.exesc config FontCache start=auto2⤵PID:4380
-
C:\Windows\system32\sc.exesc config FrameServer start=demand2⤵PID:2728
-
C:\Windows\system32\sc.exesc config FrameServerMonitor start=demand2⤵PID:3788
-
C:\Windows\system32\sc.exesc config GraphicsPerfSvc start=demand2⤵PID:3908
-
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵
- Launches sc.exe
PID:1808 -
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵PID:1176
-
C:\Windows\system32\sc.exesc config HvHost start=demand2⤵
- Launches sc.exe
PID:2380 -
C:\Windows\system32\sc.exesc config IEEtwCollectorService start=demand2⤵PID:1260
-
C:\Windows\system32\sc.exesc config IKEEXT start=demand2⤵PID:2604
-
C:\Windows\system32\sc.exesc config InstallService start=demand2⤵PID:4168
-
C:\Windows\system32\sc.exesc config InventorySvc start=demand2⤵PID:1444
-
C:\Windows\system32\sc.exesc config IpxlatCfgSvc start=demand2⤵PID:4536
-
C:\Windows\system32\sc.exesc config KeyIso start=auto2⤵
- Launches sc.exe
PID:3132 -
C:\Windows\system32\sc.exesc config KtmRm start=demand2⤵PID:2424
-
C:\Windows\system32\sc.exesc config LSM start=auto2⤵PID:4064
-
C:\Windows\system32\sc.exesc config LanmanServer start=auto2⤵PID:2200
-
C:\Windows\system32\sc.exesc config LanmanWorkstation start=auto2⤵PID:1608
-
C:\Windows\system32\sc.exesc config LicenseManager start=demand2⤵
- Launches sc.exe
PID:1364 -
C:\Windows\system32\sc.exesc config LxpSvc start=demand2⤵PID:2152
-
C:\Windows\system32\sc.exesc config MSDTC start=demand2⤵PID:1788
-
C:\Windows\system32\sc.exesc config MSiSCSI start=demand2⤵PID:1204
-
C:\Windows\system32\sc.exesc config MapsBroker start=delayed-auto2⤵
- Launches sc.exe
PID:5080 -
C:\Windows\system32\sc.exesc config McpManagementService start=demand2⤵PID:1140
-
C:\Windows\system32\sc.exesc config MessagingService_dc2a4 start=demand2⤵PID:4344
-
C:\Windows\system32\sc.exesc config MicrosoftEdgeElevationService start=demand2⤵
- Launches sc.exe
PID:4480 -
C:\Windows\system32\sc.exesc config MixedRealityOpenXRSvc start=demand2⤵PID:1244
-
C:\Windows\system32\sc.exesc config MpsSvc start=auto2⤵PID:4860
-
C:\Windows\system32\sc.exesc config MsKeyboardFilter start=demand2⤵PID:4688
-
C:\Windows\system32\sc.exesc config NPSMSvc_dc2a4 start=demand2⤵PID:3684
-
C:\Windows\system32\sc.exesc config NaturalAuthentication start=demand2⤵
- Launches sc.exe
PID:3180 -
C:\Windows\system32\sc.exesc config NcaSvc start=demand2⤵PID:4888
-
C:\Windows\system32\sc.exesc config NcbService start=demand2⤵PID:1460
-
C:\Windows\system32\sc.exesc config NcdAutoSetup start=demand2⤵
- Launches sc.exe
PID:3212 -
C:\Windows\system32\sc.exesc config NetSetupSvc start=demand2⤵
- Launches sc.exe
PID:3504 -
C:\Windows\system32\sc.exesc config NetTcpPortSharing start=disabled2⤵PID:3980
-
C:\Windows\system32\sc.exesc config Netlogon start=demand2⤵PID:2240
-
C:\Windows\system32\sc.exesc config Netman start=demand2⤵PID:3444
-
C:\Windows\system32\sc.exesc config NgcCtnrSvc start=demand2⤵PID:1320
-
C:\Windows\system32\sc.exesc config NgcSvc start=demand2⤵PID:1232
-
[level 2, PID 1824] C:\Windows\system32\sc.exe :: sc config NlaSvc start=demand
[level 2, PID 1836] C:\Windows\system32\sc.exe :: sc config OneSyncSvc_dc2a4 start=auto
[level 2, PID 1452] C:\Windows\system32\sc.exe :: sc config P9RdrService_dc2a4 start=demand
[level 2, PID 4892] C:\Windows\system32\sc.exe :: sc config PNRPAutoReg start=demand
    - Launches sc.exe
[level 2, PID 3744] C:\Windows\system32\sc.exe :: sc config PNRPsvc start=demand
[level 2, PID 1144] C:\Windows\system32\sc.exe :: sc config PcaSvc start=demand
    - Launches sc.exe
[level 2, PID 1012] C:\Windows\system32\sc.exe :: sc config PeerDistSvc start=demand
[level 2, PID 4784] C:\Windows\system32\sc.exe :: sc config PenService_dc2a4 start=demand
[level 2, PID 1624] C:\Windows\system32\sc.exe :: sc config PerfHost start=demand
[level 2, PID 540] C:\Windows\system32\sc.exe :: sc config PhoneSvc start=demand
[level 2, PID 744] C:\Windows\system32\sc.exe :: sc config PimIndexMaintenanceSvc_dc2a4 start=demand
[level 2, PID 4424] C:\Windows\system32\sc.exe :: sc config PlugPlay start=demand
[level 2, PID 2008] C:\Windows\system32\sc.exe :: sc config PolicyAgent start=demand
[level 2, PID 1552] C:\Windows\system32\sc.exe :: sc config Power start=auto
[level 2, PID 4416] C:\Windows\system32\sc.exe :: sc config PrintNotify start=demand
[level 2, PID 3944] C:\Windows\system32\sc.exe :: sc config PrintWorkflowUserSvc_dc2a4 start=demand
[level 2, PID 2964] C:\Windows\system32\sc.exe :: sc config ProfSvc start=auto
    - Launches sc.exe
[level 2, PID 3008] C:\Windows\system32\sc.exe :: sc config PushToInstall start=demand
[level 2, PID 2420] C:\Windows\system32\sc.exe :: sc config QWAVE start=demand
[level 2, PID 3284] C:\Windows\system32\sc.exe :: sc config RasAuto start=demand
[level 2, PID 2296] C:\Windows\system32\sc.exe :: sc config RasMan start=demand
[level 2, PID 1724] C:\Windows\system32\sc.exe :: sc config RemoteAccess start=disabled
[level 2, PID 3660] C:\Windows\system32\sc.exe :: sc config RemoteRegistry start=disabled
[level 2, PID 2536] C:\Windows\system32\sc.exe :: sc config RetailDemo start=demand
[level 2, PID 2600] C:\Windows\system32\sc.exe :: sc config RmSvc start=demand
[level 2, PID 2124] C:\Windows\system32\sc.exe :: sc config RpcEptMapper start=auto
[level 2, PID 1532] C:\Windows\system32\sc.exe :: sc config RpcLocator start=demand
[level 2, PID 3520] C:\Windows\system32\sc.exe :: sc config RpcSs start=auto
[level 2, PID 3764] C:\Windows\system32\sc.exe :: sc config SCPolicySvc start=demand
[level 2, PID 3100] C:\Windows\system32\sc.exe :: sc config SCardSvr start=demand
[level 2, PID 3336] C:\Windows\system32\sc.exe :: sc config SDRSVC start=demand
[level 2, PID 576] C:\Windows\system32\sc.exe :: sc config SEMgrSvc start=demand
[level 2, PID 580] C:\Windows\system32\sc.exe :: sc config SENS start=auto
    - Launches sc.exe
[level 2, PID 652] C:\Windows\system32\sc.exe :: sc config SNMPTRAP start=demand
[level 2, PID 492] C:\Windows\system32\sc.exe :: sc config SNMPTrap start=demand
[level 2, PID 1852] C:\Windows\system32\sc.exe :: sc config SSDPSRV start=demand
[level 2, PID 2288] C:\Windows\system32\sc.exe :: sc config SamSs start=auto
[level 2, PID 488] C:\Windows\system32\sc.exe :: sc config ScDeviceEnum start=demand
[level 2, PID 3200] C:\Windows\system32\sc.exe :: sc config Schedule start=auto
    - Launches sc.exe
[level 2, PID 2672] C:\Windows\system32\sc.exe :: sc config SecurityHealthService start=demand
[level 2, PID 3884] C:\Windows\system32\sc.exe :: sc config Sense start=demand
[level 2, PID 2820] C:\Windows\system32\sc.exe :: sc config SensorDataService start=demand
    - Launches sc.exe
[level 2, PID 236] C:\Windows\system32\sc.exe :: sc config SensorService start=demand
[level 2, PID 3608] C:\Windows\system32\sc.exe :: sc config SensrSvc start=demand
[level 2, PID 3332] C:\Windows\system32\sc.exe :: sc config SessionEnv start=demand
[level 2, PID 3208] C:\Windows\system32\sc.exe :: sc config SgrmBroker start=auto
[level 2, PID 3440] C:\Windows\system32\sc.exe :: sc config SharedAccess start=demand
[level 2, PID 3876] C:\Windows\system32\sc.exe :: sc config SharedRealitySvc start=demand
[level 2, PID 5088] C:\Windows\system32\sc.exe :: sc config ShellHWDetection start=auto
    - Launches sc.exe
[level 2, PID 4720] C:\Windows\system32\sc.exe :: sc config SmsRouter start=demand
[level 2, PID 884] C:\Windows\system32\sc.exe :: sc config Spooler start=auto
[level 2, PID 2068] C:\Windows\system32\sc.exe :: sc config SstpSvc start=demand
[level 2, PID 928] C:\Windows\system32\sc.exe :: sc config StateRepository start=demand
[level 2, PID 3732] C:\Windows\system32\sc.exe :: sc config StiSvc start=demand
[level 2, PID 1720] C:\Windows\system32\sc.exe :: sc config StorSvc start=demand
[level 2, PID 404] C:\Windows\system32\sc.exe :: sc config SysMain start=auto
[level 2, PID 1300] C:\Windows\system32\sc.exe :: sc config SystemEventsBroker start=auto
[level 2, PID 4348] C:\Windows\system32\sc.exe :: sc config TabletInputService start=demand
[level 2, PID 4832] C:\Windows\system32\sc.exe :: sc config TapiSrv start=demand
[level 2, PID 2448] C:\Windows\system32\sc.exe :: sc config TermService start=auto
[level 2, PID 4628] C:\Windows\system32\sc.exe :: sc config TextInputManagementService start=demand
[level 2, PID 328] C:\Windows\system32\sc.exe :: sc config Themes start=auto
    - Launches sc.exe
[level 2, PID 1908] C:\Windows\system32\sc.exe :: sc config TieringEngineService start=demand
[level 2, PID 428] C:\Windows\system32\sc.exe :: sc config TimeBroker start=demand
[level 2, PID 1984] C:\Windows\system32\sc.exe :: sc config TimeBrokerSvc start=demand
[level 2, PID 3232] C:\Windows\system32\sc.exe :: sc config TokenBroker start=demand
[level 2, PID 3832] C:\Windows\system32\sc.exe :: sc config TrkWks start=auto
[level 2, PID 1376] C:\Windows\system32\sc.exe :: sc config TroubleshootingSvc start=demand
[level 2, PID 1176] C:\Windows\system32\sc.exe :: sc config TrustedInstaller start=demand
[level 2, PID 1820] C:\Windows\system32\sc.exe :: sc config UI0Detect start=demand
[level 2, PID 5064] C:\Windows\system32\sc.exe :: sc config UdkUserSvc_dc2a4 start=demand
[level 2, PID 4176] C:\Windows\system32\sc.exe :: sc config UevAgentService start=disabled
[level 2, PID 868] C:\Windows\system32\sc.exe :: sc config UmRdpService start=demand
    - Launches sc.exe
[level 2, PID 1444] C:\Windows\system32\sc.exe :: sc config UnistoreSvc_dc2a4 start=demand
[level 2, PID 4536] C:\Windows\system32\sc.exe :: sc config UserDataSvc_dc2a4 start=demand
[level 2, PID 4488] C:\Windows\system32\sc.exe :: sc config UserManager start=auto
    - Launches sc.exe
[level 2, PID 4356] C:\Windows\system32\sc.exe :: sc config UsoSvc start=demand
[level 2, PID 2884] C:\Windows\system32\sc.exe :: sc config VGAuthService start=auto
[level 2, PID 220] C:\Windows\system32\sc.exe :: sc config VMTools start=auto
[level 2, PID 2200] C:\Windows\system32\sc.exe :: sc config VSS start=demand
[level 2, PID 1608] C:\Windows\system32\sc.exe :: sc config VacSvc start=demand
[level 2, PID 1952] C:\Windows\system32\sc.exe :: sc config VaultSvc start=auto
[level 2, PID 4408] C:\Windows\system32\sc.exe :: sc config W32Time start=demand
[level 2, PID 3856] C:\Windows\system32\sc.exe :: sc config WEPHOSTSVC start=demand
[level 2, PID 5024] C:\Windows\system32\sc.exe :: sc config WFDSConMgrSvc start=demand
[level 2, PID 2928] C:\Windows\system32\sc.exe :: sc config WMPNetworkSvc start=demand
[level 2, PID 3364] C:\Windows\system32\sc.exe :: sc config WManSvc start=demand
    - Launches sc.exe
[level 2, PID 4480] C:\Windows\system32\sc.exe :: sc config WPDBusEnum start=demand
[level 2, PID 1244] C:\Windows\system32\sc.exe :: sc config WSService start=demand
    - Launches sc.exe
[level 2, PID 960] C:\Windows\system32\sc.exe :: sc config WSearch start=delayed-auto
[level 2, PID 2056] C:\Windows\system32\sc.exe :: sc config WaaSMedicSvc start=demand
[level 2, PID 1472] C:\Windows\system32\sc.exe :: sc config WalletService start=demand
[level 2, PID 3180] C:\Windows\system32\sc.exe :: sc config WarpJITSvc start=demand
[level 2, PID 4888] C:\Windows\system32\sc.exe :: sc config WbioSrvc start=demand
[level 2, PID 1780] C:\Windows\system32\sc.exe :: sc config Wcmsvc start=auto
[level 2, PID 3212] C:\Windows\system32\sc.exe :: sc config WcsPlugInService start=demand
[level 2, PID 3504] C:\Windows\system32\sc.exe :: sc config WdNisSvc start=demand
[level 2, PID 3980] C:\Windows\system32\sc.exe :: sc config WdiServiceHost start=demand
    - Launches sc.exe
[level 2, PID 2492] C:\Windows\system32\sc.exe :: sc config WdiSystemHost start=demand
[level 2, PID 3444] C:\Windows\system32\sc.exe :: sc config WebClient start=demand
[level 2, PID 3956] C:\Windows\system32\sc.exe :: sc config Wecsvc start=demand
[level 2, PID 1232] C:\Windows\system32\sc.exe :: sc config WerSvc start=demand
[level 2, PID 2316] C:\Windows\system32\sc.exe :: sc config WiaRpc start=demand
[level 2, PID 3896] C:\Windows\system32\sc.exe :: sc config WinDefend start=auto
[level 2, PID 1804] C:\Windows\system32\sc.exe :: sc config WinHttpAutoProxySvc start=demand
[level 2, PID 1044] C:\Windows\system32\sc.exe :: sc config WinRM start=demand
    - Launches sc.exe
[level 2, PID 3612] C:\Windows\system32\sc.exe :: sc config Winmgmt start=auto
[level 2, PID 2724] C:\Windows\system32\sc.exe :: sc config WlanSvc start=auto
[level 2, PID 4180] C:\Windows\system32\sc.exe :: sc config WpcMonSvc start=demand
[level 2, PID 1228] C:\Windows\system32\sc.exe :: sc config WpnService start=demand
[level 2, PID 2360] C:\Windows\system32\sc.exe :: sc config WpnUserService_dc2a4 start=auto
[level 2, PID 1484] C:\Windows\system32\sc.exe :: sc config WwanSvc start=demand
[level 2, PID 4728] C:\Windows\system32\sc.exe :: sc config XblAuthManager start=demand
    - Launches sc.exe
[level 2, PID 1544] C:\Windows\system32\sc.exe :: sc config XblGameSave start=demand
[level 2, PID 2892] C:\Windows\system32\sc.exe :: sc config XboxGipSvc start=demand
[level 2, PID 3820] C:\Windows\system32\sc.exe :: sc config XboxNetApiSvc start=demand
[level 2, PID 1948] C:\Windows\system32\sc.exe :: sc config autotimesvc start=demand
[level 2, PID 1000] C:\Windows\system32\sc.exe :: sc config bthserv start=demand
[level 2, PID 4696] C:\Windows\system32\sc.exe :: sc config camsvc start=demand
[level 2, PID 4976] C:\Windows\system32\sc.exe :: sc config cbdhsvc_dc2a4 start=demand
[level 2, PID 4556] C:\Windows\system32\sc.exe :: sc config cloudidsvc start=demand
[level 2, PID 2420] C:\Windows\system32\sc.exe :: sc config dcsvc start=demand
[level 2, PID 5008] C:\Windows\system32\sc.exe :: sc config defragsvc start=demand
[level 2, PID 2784] C:\Windows\system32\sc.exe :: sc config diagnosticshub.standardcollector.service start=demand
[level 2, PID 1496] C:\Windows\system32\sc.exe :: sc config diagsvc start=demand
[level 2, PID 5012] C:\Windows\system32\sc.exe :: sc config dmwappushservice start=demand
[level 2, PID 2600] C:\Windows\system32\sc.exe :: sc config dot3svc start=demand
[level 2, PID 2124] C:\Windows\system32\sc.exe :: sc config edgeupdate start=demand
[level 2, PID 2720] C:\Windows\system32\sc.exe :: sc config edgeupdatem start=demand
[level 2, PID 2500] C:\Windows\system32\sc.exe :: sc config embeddedmode start=demand
[level 2, PID 4900] C:\Windows\system32\sc.exe :: sc config fdPHost start=demand
[level 2, PID 1752] C:\Windows\system32\sc.exe :: sc config fhsvc start=demand
[level 2, PID 1568] C:\Windows\system32\sc.exe :: sc config gpsvc start=auto
[level 2, PID 796] C:\Windows\system32\sc.exe :: sc config hidserv start=demand
    - Launches sc.exe
[level 2, PID 4872] C:\Windows\system32\sc.exe :: sc config icssvc start=demand
[level 2, PID 492] C:\Windows\system32\sc.exe :: sc config iphlpsvc start=auto
[level 2, PID 1852] C:\Windows\system32\sc.exe :: sc config lfsvc start=demand
[level 2, PID 3408] C:\Windows\system32\sc.exe :: sc config lltdsvc start=demand
[level 2, PID 488] C:\Windows\system32\sc.exe :: sc config lmhosts start=demand
[level 2, PID 3200] C:\Windows\system32\sc.exe :: sc config mpssvc start=auto
[level 2, PID 3392] C:\Windows\system32\sc.exe :: sc config msiserver start=demand
[level 2, PID 336] C:\Windows\system32\sc.exe :: sc config netprofm start=demand
[level 2, PID 4008] C:\Windows\system32\sc.exe :: sc config nsi start=auto
[level 2, PID 2568] C:\Windows\system32\sc.exe :: sc config p2pimsvc start=demand
[level 2, PID 3176] C:\Windows\system32\sc.exe :: sc config p2psvc start=demand
[level 2, PID 3332] C:\Windows\system32\sc.exe :: sc config perceptionsimulation start=demand
[level 2, PID 3208] C:\Windows\system32\sc.exe :: sc config pla start=demand
[level 2, PID 396] C:\Windows\system32\sc.exe :: sc config seclogon start=demand
[level 2, PID 2012] C:\Windows\system32\sc.exe :: sc config shpamsvc start=disabled
[level 2, PID 4968] C:\Windows\system32\sc.exe :: sc config smphost start=demand
[level 2, PID 660] C:\Windows\system32\sc.exe :: sc config spectrum start=demand
[level 2, PID 1180] C:\Windows\system32\sc.exe :: sc config sppsvc start=delayed-auto
[level 2, PID 2400] C:\Windows\system32\sc.exe :: sc config ssh-agent start=disabled
[level 2, PID 1676] C:\Windows\system32\sc.exe :: sc config svsvc start=demand
[level 2, PID 4748] C:\Windows\system32\sc.exe :: sc config swprv start=demand
[level 2, PID 404] C:\Windows\system32\sc.exe :: sc config tiledatamodelsvc start=auto
[level 2, PID 4624] C:\Windows\system32\sc.exe :: sc config tzautoupdate start=disabled
[level 2, PID 3748] C:\Windows\system32\sc.exe :: sc config uhssvc start=disabled
    - Launches sc.exe
[level 2, PID 4564] C:\Windows\system32\sc.exe :: sc config upnphost start=demand
[level 2, PID 3196] C:\Windows\system32\sc.exe :: sc config vds start=demand
[level 2, PID 4996] C:\Windows\system32\sc.exe :: sc config vm3dservice start=demand
[level 2, PID 3964] C:\Windows\system32\sc.exe :: sc config vmicguestinterface start=demand
[level 2, PID 4620] C:\Windows\system32\sc.exe :: sc config vmicheartbeat start=demand
[level 2, PID 1908] C:\Windows\system32\sc.exe :: sc config vmickvpexchange start=demand
[level 2, PID 4820] C:\Windows\system32\sc.exe :: sc config vmicrdv start=demand
[level 2, PID 1984] C:\Windows\system32\sc.exe :: sc config vmicshutdown start=demand
[level 2, PID 3908] C:\Windows\system32\sc.exe :: sc config vmictimesync start=demand
[level 2, PID 3832] C:\Windows\system32\sc.exe :: sc config vmicvmsession start=demand
[level 2, PID 1372] C:\Windows\system32\sc.exe :: sc config vmicvss start=demand
[level 2, PID 1700] C:\Windows\system32\sc.exe :: sc config vmvss start=demand
[level 2, PID 1260] C:\Windows\system32\sc.exe :: sc config wbengine start=demand
    - Launches sc.exe
[level 2, PID 2604] C:\Windows\system32\sc.exe :: sc config wcncsvc start=demand
[level 2, PID 4168] C:\Windows\system32\sc.exe :: sc config webthreatdefsvc start=demand
[level 2, PID 3136] C:\Windows\system32\sc.exe :: sc config webthreatdefusersvc_dc2a4 start=auto
    - Launches sc.exe
[level 2, PID 1444] C:\Windows\system32\sc.exe :: sc config wercplsupport start=demand
[level 2, PID 4536] C:\Windows\system32\sc.exe :: sc config wisvc start=demand
[level 2, PID 444] C:\Windows\system32\sc.exe :: sc config wlidsvc start=demand
[level 2, PID 3416] C:\Windows\system32\sc.exe :: sc config wlpasvc start=demand
[level 2, PID 3524] C:\Windows\system32\sc.exe :: sc config wmiApSrv start=demand
[level 2, PID 2772] C:\Windows\system32\sc.exe :: sc config workfolderssvc start=demand
[level 2, PID 3192] C:\Windows\system32\sc.exe :: sc config wscsvc start=delayed-auto
[level 2, PID 2936] C:\Windows\system32\sc.exe :: sc config wuauserv start=demand
[level 2, PID 4408] C:\Windows\system32\sc.exe :: sc config wudfsvc start=demand
[level 2, PID 3856] C:\Windows\system32\timeout.exe :: timeout 1
    - Delays execution with timeout.exe
[level 2, PID 1088] C:\Windows\system32\timeout.exe :: timeout 1
    - Delays execution with timeout.exe
[level 2, PID 3616] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
[level 2, PID 3364] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
[level 2, PID 1524] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
[level 2, PID 2888] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
[level 2, PID 2612] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
[level 2, PID 3684] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
[level 2, PID 4560] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
[level 2, PID 4888] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
[level 2, PID 1780] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
[level 2, PID 3212] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
[level 2, PID 3504] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
[level 2, PID 2696] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
[level 2, PID 1320] C:\Windows\system32\schtasks.exe :: schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
[level 2, PID 1932] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
[level 2, PID 1868] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
[level 2, PID 2316] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
[level 2, PID 3896] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
[level 2, PID 420] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
[level 2, PID 3744] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
[level 2, PID 2724] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
[level 2, PID 4180] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
[level 2, PID 1624] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
[level 2, PID 540] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
[level 2, PID 1992] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
[level 2, PID 1544] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
[level 2, PID 2892] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
[level 2, PID 1080] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
[level 2, PID 3944] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
[level 2, PID 4696] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
[level 2, PID 3724] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
[level 2, PID 2420] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
[level 2, PID 2156] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
[level 2, PID 2120] C:\Windows\system32\reg.exe :: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
[level 2, PID 1548] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
[level 2, PID 3520] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
[level 2, PID 1596] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
[level 2, PID 1636] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
[level 2, PID 1752] C:\Windows\system32\reg.exe :: reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
[level 2, PID 3396] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
[level 2, PID 1392] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
[level 2, PID 1972] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
[level 2, PID 1464] C:\Windows\system32\reg.exe :: reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
[level 2, PID 1556] C:\Windows\system32\reg.exe :: reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
[level 2, PID 568] C:\Windows\system32\reg.exe :: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
[level 2, PID 4944] C:\Windows\system32\reg.exe :: reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
[level 2, PID 3392] C:\Windows\system32\reg.exe :: reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
[level 2, PID 336] C:\Windows\system32\reg.exe :: reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
[level 2, PID 236] C:\Windows\system32\reg.exe :: reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
[level 2, PID 3608] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
[level 2, PID 3972] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
[level 2, PID 4196] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
[level 2, PID 4000] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
[level 2, PID 4456] C:\Windows\system32\reg.exe :: reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
[level 2, PID 4968] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
[level 2, PID 660] C:\Windows\system32\timeout.exe :: timeout 1
    - Delays execution with timeout.exe
[level 2, PID 1180] C:\Windows\system32\bcdedit.exe :: bcdedit /set {current} bootmenupolicy Legacy
    - Modifies boot configuration data using bcdedit
[level 2, PID 1092] C:\Windows\system32\cmd.exe :: C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
[level 3, PID 3696] C:\Windows\system32\reg.exe :: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
[level 3, PID 1720] C:\Windows\system32\findstr.exe :: findstr /r /c:"CurrentBuild"
[level 2, PID 1300] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 3, PID 1984] C:\Windows\system32\Taskmgr.exe :: "C:\Windows\system32\Taskmgr.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[level 2, PID 1376] C:\Windows\system32\timeout.exe :: timeout /t 2
[level 2, PID 2612] C:\Windows\system32\reg.exe :: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
[level 2, PID 3684] C:\Windows\system32\taskkill.exe :: taskkill /f /im taskmgr.exe
    - Kills process with taskkill
[level 2, PID 2244] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
[level 2, PID 2716] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
[level 2, PID 2308] C:\Windows\system32\cmd.exe :: C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
[level 3, PID 4728] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2, PID 1496] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
[level 2, PID 3396] C:\Windows\system32\icacls.exe :: icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
    - Possible privilege escalation attempt
    - Modifies file permissions
[level 2, PID 1392] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe :: powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
    - Command and Scripting Interpreter: PowerShell
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
[level 2, PID 2568] C:\Windows\system32\timeout.exe :: timeout 1
    - Delays execution with timeout.exe
[level 2, PID 3176] C:\Windows\system32\chcp.com :: chcp 65001
[level 2, PID 3972] C:\Windows\system32\chcp.com :: chcp 437
[level 2, PID 1680] C:\Windows\system32\curl.exe :: curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
[level 2, PID 2128] C:\Windows\system32\curl.exe :: curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"
[level 2, PID 404] C:\Oneclick Tools\OOShutup10\OOSU10.exe :: "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet
    - Modifies security service
    - Executes dropped EXE
    - Modifies Control Panel
    - Modifies registry class
    - System policy modification
[level 2, PID 2728] C:\Windows\system32\timeout.exe :: timeout 1
    - Delays execution with timeout.exe
[level 2, PID 3788] C:\Windows\system32\chcp.com :: chcp 65001
[level 2, PID 3780] C:\Windows\system32\timeout.exe :: timeout 1
    - Delays execution with timeout.exe
[level 2, PID 5024] C:\Windows\system32\chcp.com :: chcp 65001
[level 2, PID 3856] C:\Windows\system32\timeout.exe :: timeout 1
    - Delays execution with timeout.exe
[level 2, PID 2532] C:\Windows\system32\chcp.com :: chcp 437
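Several entries in this stretch are the ones a detection engineer would key on, and the sandbox's own tags only partly describe them: `icacls ... /deny SYSTEM:(OI)(CI)F` on the diagnostics AutoLogger directory is tagged as a possible privilege-escalation attempt, but what it does is lock the SYSTEM account out of the telemetry log folder; the `curl -k` fetch turns certificate validation off before the downloaded OOSU10.exe is executed with a configuration pulled from a Google Drive link; `Set-MpPreference` is run from PowerShell; `bcdedit /set` edits the boot configuration; and the `reg add ... \Services\<name> /v Start /t REG_DWORD /d 4` writes that follow change service start types without going through the Service Control Manager, so no 7040 "start type changed" event is produced. The Python below is an added example, not the sample's or the sandbox's code: it runs a small rule set over process-creation events constructed from this tree, and the rule names and ATT&CK technique IDs are my own mapping.

```python
"""Detection pass over process-creation events for the defence-impairing steps
seen in this tree: an ACL that denies SYSTEM, a download with certificate
checks off, a Defender preference change, a service start type written straight
to the registry, a boot-configuration edit and scheduled-task removal. Added
example, not the sample's or the sandbox's code; rule names, the ATT&CK
mapping and SAMPLE_EVENTS (command lines copied from the tree) are mine."""
import re
import shlex


def split_cmd(cmdline):
    """Tokenise like cmd.exe: split on whitespace, keep backslashes, drop quotes."""
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""                    # '#' is not a comment marker (curl -#)
    return [t.strip('"') for t in lex]


def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


# Each rule gets the event and its lower-cased tokens; True means a hit.
def icacls_denies_system(event, toks):
    # /deny SYSTEM:(OI)(CI)F on a machine path locks the OS out of its own data
    return (image_name(event) == "icacls.exe" and "/deny" in toks
            and any(t.startswith(("system:", "nt authority\\system:")) for t in toks))


def insecure_download(event, toks):
    # curl -k / --insecure: any on-path party can substitute the payload
    return image_name(event) == "curl.exe" and any(
        t == "--insecure" or (t.startswith("-") and not t.startswith("--") and "k" in t[1:])
        for t in toks)


def defender_preference_change(event, toks):
    return (image_name(event) in ("powershell.exe", "pwsh.exe")
            and re.search(r"\b(set|add)-mppreference\b", event["cmdline"], re.I) is not None)


def service_start_via_registry(event, toks):
    # Writing <svc>\Start directly bypasses the SCM: no System log event 7040,
    # and the change is only picked up at the next boot
    if image_name(event) != "reg.exe" or toks[:2] != ["reg", "add"] or "/v" not in toks:
        return False
    i = toks.index("/v")
    return (i + 1 < len(toks) and toks[i + 1] == "start"
            and re.search(r"\\services\\[^\\]+$", toks[2]) is not None)


def bcdedit_set(event, toks):
    return image_name(event) == "bcdedit.exe" and "/set" in toks


def task_disabled_or_deleted(event, toks):
    return image_name(event) == "schtasks.exe" and bool({"/disable", "/delete"} & set(toks))


RULES = [
    ("icacls denies SYSTEM", "T1222.001", icacls_denies_system),
    ("download with TLS verification disabled", "T1105", insecure_download),
    ("Defender preferences changed from PowerShell", "T1562.001", defender_preference_change),
    ("service start type written directly to the registry", "T1112", service_start_via_registry),
    ("boot configuration changed with bcdedit", None, bcdedit_set),
    ("scheduled task disabled or deleted", None, task_disabled_or_deleted),
]


def evaluate(events):
    """Return [(rule, technique, image, cmdline)] for every rule that fires."""
    hits = []
    for event in events:
        toks = [t.lower() for t in split_cmd(event["cmdline"])]
        if not toks:
            continue
        for name, technique, rule in RULES:
            if rule(event, toks):
                hits.append((name, technique, image_name(event), event["cmdline"]))
    return hits


# Constructed events copied from this tree; the last two are benign controls.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\icacls.exe",
     "cmdline": r'icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F'},
    {"image": r"C:\Windows\system32\curl.exe",
     "cmdline": r'curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"'},
    {"image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f'},
    {"image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {current} bootmenupolicy Legacy"},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable'},
    {"image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f'},
    {"image": r"C:\Windows\system32\curl.exe",
     "cmdline": r'curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"'},
]

if __name__ == "__main__":
    for name, technique, image, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"[{technique or 'n/a':<9}] {name:<52} {image}: {cmdline}")
```

The rules work on the tokenised command line rather than substrings, so `-k` is found whether it appears alone or folded into `-skL`, and the registry rule only fires when the value written is `Start` under a `\Services\<name>` key; the two control events (an ordinary HKCU write and the second curl call, which keeps certificate validation on) produce no hit.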
[level 2, PID 2816] C:\Windows\system32\reg.exe :: reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
[level 2, PID 2248] C:\Windows\system32\reg.exe :: reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
[level 2, PID 4200] C:\Windows\system32\reg.exe :: reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
[level 2, PID 1376] C:\Windows\system32\reg.exe :: reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
[level 2, PID 2612] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
[level 2, PID 1808] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
[level 2, PID 3644] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
[level 2, PID 1820] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
[level 2, PID 2636] C:\Windows\system32\reg.exe :: reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
[level 2, PID 1176] C:\Windows\system32\reg.exe :: reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
[level 2, PID 3672] C:\Windows\system32\reg.exe :: reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
[level 2, PID 3376] C:\Windows\system32\reg.exe :: reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
[level 2, PID 1932] C:\Windows\system32\reg.exe :: reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
[level 2, PID 3612] C:\Windows\system32\sc.exe :: sc config wlidsvc start= disabled
[level 2, PID 3156] C:\Windows\system32\sc.exe :: sc config DisplayEnhancementService start= disabled
[level 2, PID 3144] C:\Windows\system32\sc.exe :: sc config DiagTrack start= disabled
[level 2, PID 2824] C:\Windows\system32\sc.exe :: sc config DusmSvc start= disabled
[level 2, PID 1836] C:\Windows\system32\sc.exe :: sc config TabletInputService start= disabled
    - Launches sc.exe
[level 2, PID 3616] C:\Windows\system32\sc.exe :: sc config RetailDemo start= disabled
[level 2, PID 1044] C:\Windows\system32\sc.exe :: sc config Fax start= disabled
[level 2, PID 1228] C:\Windows\system32\sc.exe :: sc config SharedAccess start= disabled
[level 2, PID 2360] C:\Windows\system32\sc.exe :: sc config lfsvc start= disabled
[level 2, PID 1584] C:\Windows\system32\sc.exe :: sc config WpcMonSvc start= disabled
[level 2, PID 3088] C:\Windows\system32\sc.exe :: sc config SessionEnv start= disabled
[level 2, PID 3008] C:\Windows\system32\sc.exe :: sc config MicrosoftEdgeElevationService start= disabled
[level 2, PID 1724] C:\Windows\system32\sc.exe :: sc config edgeupdate start= disabled
[level 2, PID 3660] C:\Windows\system32\sc.exe :: sc config edgeupdatem start= disabled
[level 2, PID 1992] C:\Windows\system32\sc.exe :: sc config autotimesvc start= disabled
[level 2, PID 1544] C:\Windows\system32\sc.exe :: sc config CscService start= disabled
[level 2, PID 2892] C:\Windows\system32\sc.exe :: sc config TermService start= disabled
[level 2, PID 3820] C:\Windows\system32\sc.exe :: sc config SensorDataService start= disabled
[level 2, PID 2420] C:\Windows\system32\sc.exe :: sc config SensorService start= disabled
[level 2, PID 744] C:\Windows\system32\sc.exe :: sc config SensrSvc start= disabled
[level 2, PID 3100] C:\Windows\system32\sc.exe :: sc config shpamsvc start= disabled
    - Launches sc.exe
[level 2, PID 1596] C:\Windows\system32\sc.exe :: sc config diagnosticshub.standardcollector.service start= disabled
[level 2, PID 3336] C:\Windows\system32\sc.exe :: sc config PhoneSvc start= disabled
[level 2, PID 4828] C:\Windows\system32\sc.exe :: sc config TapiSrv start= disabled
[level 2, PID 1884] C:\Windows\system32\sc.exe :: sc config UevAgentService start= disabled
[level 2, PID 4984] C:\Windows\system32\sc.exe :: sc config WalletService start= disabled
    - Launches sc.exe
[level 2, PID 2720] C:\Windows\system32\sc.exe :: sc config TokenBroker start= disabled
[level 2, PID 4004] C:\Windows\system32\sc.exe :: sc config WebClient start= disabled
    - Launches sc.exe
[level 2, PID 796] C:\Windows\system32\sc.exe :: sc config MixedRealityOpenXRSvc start= disabled
[level 2, PID 652] C:\Windows\system32\sc.exe :: sc config stisvc start= disabled
[level 2, PID 3396] C:\Windows\system32\sc.exe :: sc config WbioSrvc start= disabled
[level 2, PID 3368] C:\Windows\system32\sc.exe :: sc config icssvc start= disabled
[level 2, PID 3884] C:\Windows\system32\sc.exe :: sc config Wecsvc start= disabled
[level 2, PID 4504] C:\Windows\system32\sc.exe :: sc config XboxGipSvc start= disabled
[level 2, PID 1972] C:\Windows\system32\sc.exe :: sc config XblAuthManager start= disabled
[level 2, PID 872] C:\Windows\system32\sc.exe :: sc config XboxNetApiSvc start= disabled
[level 2, PID 3408] C:\Windows\system32\sc.exe :: sc config XblGameSave start= disabled
    - Launches sc.exe
[level 2, PID 2288] C:\Windows\system32\sc.exe :: sc config SEMgrSvc start= disabled
[level 2, PID 2820] C:\Windows\system32\sc.exe :: sc config iphlpsvc start= disabled
[level 2, PID 2788] C:\Windows\system32\sc.exe :: sc config Backupper Service start= disabled
[level 2, PID 2568] C:\Windows\system32\sc.exe :: sc config BthAvctpSvc start= disabled
[level 2, PID 3332] C:\Windows\system32\sc.exe :: sc config BDESVC start= disabled
[level 2, PID 3608] C:\Windows\system32\sc.exe :: sc config cbdhsvc start= disabled
[level 2, PID 1392] C:\Windows\system32\sc.exe :: sc config CDPSvc start= disabled
    - Launches sc.exe
[level 2, PID 396] C:\Windows\system32\sc.exe :: sc config CDPUserSvc start= disabled
[level 2, PID 4968] C:\Windows\system32\sc.exe :: sc config DevQueryBroker start= disabled
[level 2, PID 660] C:\Windows\system32\sc.exe :: sc config DevicesFlowUserSvc start= disabled
[level 2, PID 928] C:\Windows\system32\sc.exe :: sc config dmwappushservice start= disabled
[level 2, PID 2544] C:\Windows\system32\sc.exe :: sc config DispBrokerDesktopSvc start= disabled
[level 2, PID 4456] C:\Windows\system32\sc.exe :: sc config TrkWks start= disabled
[level 2, PID 3732] C:\Windows\system32\sc.exe :: sc config dLauncherLoopback start= disabled
[level 2, PID 5076] C:\Windows\system32\sc.exe :: sc config EFS start= disabled
[level 2, PID 3196] C:\Windows\system32\sc.exe :: sc config fdPHost start= disabled
[level 2, PID 328] C:\Windows\system32\sc.exe :: sc config FDResPub start= disabled
[level 2, PID 1528] C:\Windows\system32\sc.exe :: sc config IKEEXT start= disabled
[level 2, PID 4628] C:\Windows\system32\sc.exe :: sc config NPSMSvc start= disabled
[level 2, PID 3232] C:\Windows\system32\sc.exe :: sc config WPDBusEnum start= disabled
[level 2, PID 244] C:\Windows\system32\sc.exe :: sc config PcaSvc start= disabled
[level 2, PID 4348] C:\Windows\system32\sc.exe :: sc config RasMan start= disabled
[level 2, PID 2936] C:\Windows\system32\sc.exe :: sc config RetailDemo start=disabled
    - Launches sc.exe
[level 2, PID 2928] C:\Windows\system32\sc.exe :: sc config SstpSvc start=disabled
[level 2, PID 5024] C:\Windows\system32\sc.exe :: sc config ShellHWDetection start= disabled
[level 2, PID 4736] C:\Windows\system32\sc.exe :: sc config SSDPSRV start= disabled
[level 2, PID 1760] C:\Windows\system32\sc.exe :: sc config SysMain start= disabled
[level 2, PID 4860] C:\Windows\system32\sc.exe :: sc config OneSyncSvc start= disabled
[level 2, PID 1244] C:\Windows\system32\sc.exe :: sc config lmhosts start= disabled
[level 2, PID 2816] C:\Windows\system32\sc.exe :: sc config UserDataSvc start= disabled
[level 2, PID 2380] C:\Windows\system32\sc.exe :: sc config UnistoreSvc start= disabled
[level 2, PID 1472] C:\Windows\system32\sc.exe :: sc config Wcmsvc start= disabled
    - Launches sc.exe
[level 2, PID 3668] C:\Windows\system32\sc.exe :: sc config FontCache start= disabled
[level 2, PID 3832] C:\Windows\system32\sc.exe :: sc config W32Time start= disabled
[level 2, PID 2852] C:\Windows\system32\sc.exe :: sc config tzautoupdate start= disabled
[level 2, PID 1808] C:\Windows\system32\sc.exe :: sc config DsSvc start= disabled
[level 2, PID 3416] C:\Windows\system32\sc.exe :: sc config DevicesFlowUserSvc_5f1ad start= disabled
    - Launches sc.exe
[level 2, PID 3524] C:\Windows\system32\sc.exe :: sc config diagsvc start= disabled
[level 2, PID 1460] C:\Windows\system32\sc.exe :: sc config DialogBlockingService start= disabled
[level 2, PID 1848] C:\Windows\system32\sc.exe :: sc config PimIndexMaintenanceSvc_5f1ad start= disabled
    - Launches sc.exe
[level 2, PID 2244] C:\Windows\system32\sc.exe :: sc config MessagingService_5f1ad start= disabled
[level 2, PID 1932] C:\Windows\system32\sc.exe :: sc config AppVClient start= disabled
[level 2, PID 3612] C:\Windows\system32\sc.exe :: sc config MsKeyboardFilter start= disabled
[level 2, PID 1144] C:\Windows\system32\sc.exe :: sc config NetTcpPortSharing start= disabled
[level 2, PID 3144] C:\Windows\system32\sc.exe :: sc config ssh-agent start= disabled
[level 2, PID 1624] C:\Windows\system32\sc.exe :: sc config SstpSvc start= disabled
[level 2, PID 2316] C:\Windows\system32\sc.exe :: sc config OneSyncSvc_5f1ad start= disabled
[level 2, PID 1384] C:\Windows\system32\sc.exe :: sc config wercplsupport start= disabled
    - Launches sc.exe
[level 2, PID 1804] C:\Windows\system32\sc.exe :: sc config WMPNetworkSvc start= disabled
[level 2, PID 4904] C:\Windows\system32\sc.exe :: sc config WerSvc start= disabled
[level 2, PID 2360] C:\Windows\system32\sc.exe :: sc config WpnUserService_5f1ad start= disabled
[level 2, PID 4976] C:\Windows\system32\sc.exe :: sc config WinHttpAutoProxySvc start= disabled
- C:\Windows\system32\schtasks.exe (depth 2, PID 4556): schtasks /DELETE /TN "AMDInstallLauncher" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 3724): schtasks /DELETE /TN "AMDLinkUpdate" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 3660): schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 1992): schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 4696): schtasks /DELETE /TN "ModifyLinkUpdate" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 4228): schtasks /DELETE /TN "SoftMakerUpdater" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 2284): schtasks /DELETE /TN "StartCN" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 744): schtasks /DELETE /TN "StartDVR" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 3400): schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 648): schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1548): schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4608): schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2136): schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2720): schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4004): schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4872): schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3200): schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1060): schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4512): schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4504): schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 864): schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 488): schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2288): schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3016): schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3440): schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3176): schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3972): schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1392): schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2068): schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2280): schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 928): schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2128): schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1092): schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3992): schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2448): schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3964): schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4632): schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 404): schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3232): schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1204): schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 636): schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3600): schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 5024): schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4856): schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 904): schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3364): schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2816): schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1376): schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 992): schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3012): schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 5064): schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2604): schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 220): schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4560): schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3180): schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3376): schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2244): schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3656): schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3156): schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 344): schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1652): schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1452): schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1384): schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1804): schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4904): schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2360): schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4976): schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3924): schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2008): schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1544): schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3284): schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1552): schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2308): schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3100): schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1596): schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3336): schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4556): schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1548): schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4608): schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2136): schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2720): schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4004): schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4872): schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3200): schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1060): schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4512): schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
- C:\Windows\system32\timeout.exe (depth 2, PID 4504): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe (depth 2, PID 864): sc stop uhssvc
- C:\Windows\system32\sc.exe (depth 2, PID 488): sc stop upfc
- C:\Windows\system32\sc.exe (depth 2, PID 2288): sc stop PushToInstall
- C:\Windows\system32\sc.exe (depth 2, PID 2920): sc stop BITS
- C:\Windows\system32\sc.exe (depth 2, PID 3208): sc stop InstallService
- C:\Windows\system32\sc.exe (depth 2, PID 3332): sc stop uhssvc
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 4000): sc stop UsoSvc
- C:\Windows\system32\sc.exe (depth 2, PID 396): sc stop wuauserv
- C:\Windows\system32\sc.exe (depth 2, PID 1392): sc stop LanmanServer
- C:\Windows\system32\sc.exe (depth 2, PID 2068): sc config BITS start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2544): sc config InstallService start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4620): sc config uhssvc start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2024): sc config UsoSvc start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1092): sc config wuauserv start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 5076): sc config LanmanServer start= disabled
- C:\Windows\system32\reg.exe (depth 2, PID 1420): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 328): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 1528): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 4628): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  - Modifies security service
- C:\Windows\system32\reg.exe (depth 2, PID 1300): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 1360): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 3780): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 1140): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 1524): reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
- C:\Windows\system32\reg.exe (depth 2, PID 2532): reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
- C:\Windows\system32\reg.exe (depth 2, PID 2248): reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
- C:\Windows\system32\reg.exe (depth 2, PID 1244): reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
- C:\Windows\system32\reg.exe (depth 2, PID 2960): reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 1472): schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3668): schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3644): schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2852): schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2636): schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3416): schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3524): schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1460): schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3896): schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3744): schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3612): schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1144): schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
- C:\Windows\system32\timeout.exe (depth 2, PID 2824): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe (depth 2, PID 1824): sc config RemoteRegistry start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4784): sc config RemoteAccess start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1452): sc config WinRM start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4892): sc config RmSvc start= disabled
  - Launches sc.exe
- C:\Windows\system32\timeout.exe (depth 2, PID 1232): timeout 1
- C:\Windows\system32\sc.exe (depth 2, PID 3088): sc config PrintNotify start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2360): sc config Spooler start= disabled
- C:\Windows\system32\schtasks.exe (depth 2, PID 3008): schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1956): schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
- C:\Windows\system32\timeout.exe (depth 2, PID 4424): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe (depth 2, PID 4416): sc config PrintNotify start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2892): sc config Spooler start= disabled
  - Launches sc.exe
- C:\Windows\system32\timeout.exe (depth 2, PID 4228): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe (depth 2, PID 2284): sc config NlaSvc start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2308): sc config LanmanWorkstation start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2500): sc config BFE start= demand
- C:\Windows\system32\sc.exe (depth 2, PID 3520): sc config Dnscache start= demand
- C:\Windows\system32\sc.exe (depth 2, PID 1636): sc config WinHttpAutoProxySvc start= demand
- C:\Windows\system32\sc.exe (depth 2, PID 984): sc config Dhcp start= auto
- C:\Windows\system32\sc.exe (depth 2, PID 2156): sc config DPS start= auto
- C:\Windows\system32\sc.exe (depth 2, PID 1884): sc config lmhosts start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4984): sc config nsi start= auto
- C:\Windows\system32\sc.exe (depth 2, PID 4608): sc config Wcmsvc start= disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2136): sc config Winmgmt start= auto
- C:\Windows\system32\sc.exe (depth 2, PID 2720): sc config WlanSvc start= demand
- C:\Windows\system32\reg.exe (depth 2, PID 4004): reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
- C:\Windows\system32\reg.exe (depth 2, PID 4872): reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
- C:\Windows\system32\schtasks.exe (depth 2, PID 3200): schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1060): schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4512): schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4504): schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
- C:\Windows\system32\timeout.exe (depth 2, PID 864): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\chcp.com (depth 2, PID 488): chcp 65001
- C:\Windows\system32\timeout.exe (depth 2, PID 388): timeout 1
- C:\Windows\system32\chcp.com (depth 2, PID 3440): chcp 65001
- C:\Windows\system32\timeout.exe (depth 2, PID 3176): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\chcp.com (depth 2, PID 1680): chcp 437
- C:\Windows\system32\timeout.exe (depth 2, PID 4968): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe (depth 2, PID 2992): sc config ALG start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2940): sc config AJRouter start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 660): sc config XblAuthManager start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2664): sc config XblGameSave start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 772): sc config XboxNetApiSvc start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 884): sc config WSearch start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1676): sc config lfsvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4564): sc config RemoteRegistry start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1092): sc config WpcMonSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 5076): sc config SEMgrSvc start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 3196): sc config SCardSvr start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 3964): sc config Netlogon start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4820): sc config CscService start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 1528): sc config icssvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4348): sc config wisvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3788): sc config RetailDemo start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1360): sc config WalletService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1088): sc config Fax start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 4736): sc config WbioSrvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 5024): sc config iphlpsvc start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 2888): sc config wcncsvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2532): sc config fhsvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 904): sc config PhoneSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2248): sc config seclogon start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4200): sc config FrameServer start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1376): sc config WbioSrvc start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 1700): sc config StiSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3668): sc config PcaSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3644): sc config DPS start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1820): sc config MapsBroker start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2604): sc config bthserv start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3040): sc config BDESVC start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3416): sc config BthAvctpSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3524): sc config WpcMonSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3672): sc config DiagTrack start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3376): sc config CertPropSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 420): sc config WdiServiceHost start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3656): sc config lmhosts start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2724): sc config WdiSystemHost start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3144): sc config TrkWks start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1652): sc config WerSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4784): sc config TabletInputService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1452): sc config EntAppSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4892): sc config Spooler start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 1232): sc config BcastDVRUserService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3088): sc config WMPNetworkSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1724): sc config diagnosticshub.standardcollector.service start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3924): sc config DmEnrollmentSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1956): sc config PNRPAutoReg start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2008): sc config wlidsvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4696): sc config AXInstSV start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3204): sc config lfsvc start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 4352): sc config NcbService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4228): sc config DeviceAssociationService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 744): sc config StorSvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4900): sc config TieringEngineService start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 2500): sc config DPS start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 3520): sc config Themes start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2120): sc config AppReadiness start=disabled
- C:\Windows\system32\timeout.exe (depth 2, PID 4556): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe (depth 2, PID 2124): sc config HvHost start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2192): sc config vmickvpexchange start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 576): sc config vmicguestinterface start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4608): sc config vmicshutdown start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1496): sc config vmicheartbeat start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4532): sc config vmicvmsession start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3508): sc config vmicrdv start=disabled
  - Launches sc.exe
- C:\Windows\system32\sc.exe (depth 2, PID 3392): sc config vmictimesync start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3428): sc config vmicvss start=disabled
- C:\Windows\system32\timeout.exe (depth 2, PID 3200): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\sc.exe (depth 2, PID 1060): sc config edgeupdate start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4512): sc config edgeupdatem start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4504): sc config GoogleChromeElevationService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4476): sc config gupdate start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2788): sc config gupdatem start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4624): sc config BraveElevationService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2568): sc config brave start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3208): sc config bravem start=disabled
- C:\Windows\system32\timeout.exe (depth 2, PID 3608): timeout 1
- C:\Windows\system32\sc.exe (depth 2, PID 2016): sc config NcbService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 3972): sc config jhi_service start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4156): sc config WMIRegistrationService start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 4760): sc config "Intel(R) TPM Provisioning Service" start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 1392): sc config ipfsvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2984): sc config igccservice start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2940): sc config cplspcon start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2908): sc config esifsvc start=disabled
- C:\Windows\system32\sc.exe (depth 2, PID 2280): sc config LMS start=disabled
- C:\Oneclick Tools\NSudo\NSudoLG.exe (depth 2, PID 772): "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\timeout.exe (depth 2, PID 3992): timeout 1
  - Delays execution with timeout.exe
- C:\Oneclick Tools\NSudo\NSudoLG.exe (depth 2, PID 2448): "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\schtasks.exe (depth 2, PID 3964): schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 404): schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1300): schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2936): schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4628): schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3780): schtasks /Change /TN "CCleaner Update" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4736): schtasks /Change /TN "CCleanerCrashReporting" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 5024): schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1684): schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3364): schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3688): schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2816): schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1376): schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3012): schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 5064): schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2852): schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2604): schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 4560): schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 2240): schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1460): schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3896): schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 3744): schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
- C:\Windows\system32\schtasks.exe (depth 2, PID 1868): schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 1144): schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 1624): schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 2316): schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 4784): schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 1228): schtasks /Delete /TN "CCleaner Update" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 2964): schtasks /Delete /TN "CCleanerCrashReporting" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 1128): schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
- C:\Windows\system32\schtasks.exe (depth 2, PID 3724): schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
- C:\Windows\system32\timeout.exe (depth 2, PID 3660): timeout 1
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1948): powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\timeout.exe (depth 2, PID 984): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\takeown.exe (depth 2, PID 4828): takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 2, PID 2124): icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\timeout.exe (depth 2, PID 1752): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\taskkill.exe (depth 2, PID 4532): taskkill /f /im msedge.exe
  - Kills process with taskkill
- C:\Windows\system32\taskkill.exe (depth 2, PID 3428): taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  - Kills process with taskkill
- C:\Windows\system32\taskkill.exe (depth 2, PID 1464): taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  - Kills process with taskkill
- C:\Windows\system32\timeout.exe (depth 2, PID 2820): timeout 1
- C:\Windows\system32\taskkill.exe (depth 2, PID 864): taskkill.exe /F /IM "OneDrive.exe"
  - Kills process with taskkill
- C:\Windows\system32\taskkill.exe (depth 2, PID 2404): taskkill.exe /F /IM "explorer.exe"
  - Kills process with taskkill
- C:\Windows\system32\reg.exe (depth 2, PID 4764): reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  - Modifies registry class
- C:\Windows\system32\reg.exe (depth 2, PID 3000): reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
- C:\Windows\system32\reg.exe (depth 2, PID 2980): reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
- C:\Windows\system32\reg.exe (depth 2, PID 2876): reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
- C:\Windows\system32\reg.exe (depth 2, PID 2068): reg unload "hku\Default"
- C:\Windows\system32\schtasks.exe (depth 2, PID 2908): schtasks /delete /tn "OneDrive*" /f
- C:\Windows\explorer.exe (depth 2, PID 2544): explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\timeout.exe (depth 2, PID 3732): timeout 1
- C:\Windows\system32\takeown.exe (depth 2, PID 1088): takeown /F "C:\Windows\System32\UsoClient.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 2, PID 2888): icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\takeown.exe (depth 2, PID 4028): takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\icacls.exe (depth 2, PID 3960): icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F
  - Possible privilege escalation attempt
  - Modifies file permissions
- C:\Windows\system32\timeout.exe (depth 2, PID 4044): timeout 1
  - Delays execution with timeout.exe
- C:\Windows\system32\taskkill.exe (depth 2): taskkill /F /IM WidgetService.exe
- Kills process with taskkill
PID:4140 -
C:\Windows\system32\taskkill.exetaskkill /F /IM Widgets.exe2⤵
- Kills process with taskkill
PID:4428 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f2⤵PID:2904
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f2⤵PID:4692
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:4788 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\smartscreen.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:688 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3808 -
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:772 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2676 -
C:\Windows\system32\timeout.exetimeout 12⤵PID:3956
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2272 -
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5000 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3016 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:2204
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4508 -
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
PID:4364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic startup get caption /format:list2⤵PID:2788
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption /format:list3⤵PID:3836
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f2⤵
- Adds Run key to start application
PID:1456 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f2⤵
- Adds Run key to start application
PID:968 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "8m56aq " /t REG_SZ /d "" /f2⤵
- Adds Run key to start application
PID:3628 -
C:\Windows\system32\timeout.exetimeout 22⤵PID:4988
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:4284 -
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:1012 -
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f2⤵PID:1396
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:3032 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:3188 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:728 -
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f2⤵PID:488
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f2⤵
- Adds Run key to start application
PID:4872 -
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
PID:3604 -
C:\Windows\system32\chcp.comchcp 4372⤵PID:3784
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [level 2], one process per pattern below, each with the command line
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage <pattern> | Remove-AppxPackage"
  Signature abbreviations: PS = Command and Scripting Interpreter: PowerShell; Enum = Suspicious behavior: EnumeratesProcesses

  pattern                                               PID   signatures
  *3DBuilder*                                           3584  Enum
  *Cortana*                                             3620  Enum
  *Getstarted*                                          4332  Enum
  *WindowsAlarms*                                       2876  PS, Enum
  *WindowsCamera*                                       4036  PS, Enum
  *bing*                                                4164  Enum
  *MicrosoftOfficeHub*                                  4440  Enum
  *OneNote*                                             3424  PS, Enum
  *WindowsPhone*                                        4872  PS
  *photos*                                              4944
  *SkypeApp*                                            2308  PS
  *solit*                                               4696
  *WindowsSoundRecorder*                                4476
  *windowscommunicationsapps*                           3516
  *zune*                                                4028  PS
  *WindowsCalculator*                                   4144
  *WindowsMaps*                                         2360  PS
  *Sway*                                                4284
  *CommsPhone*                                          3740
  *ConnectivityStore*                                   4340
  *Microsoft.Messaging*                                 1524  PS
  *Microsoft.WindowsStore*                              1864
  *Microsoft.BingWeather*                               4888
  *Microsoft.BingSports*                                2888  PS
  *Microsoft.BingNews*                                  4068
  *Microsoft.BingFinance*                               3180  PS
  *Microsoft.HEIFImageExtension*                        2272
  *Microsoft.VP9VideoExtensions*                        4828  PS
  *Microsoft.WebMediaExtensions*                        712
  *Microsoft.WebpImageExtension*                        3364  PS
  *Microsoft.Office.OneNote*                            2080
  *Microsoft.Office.Sway*                               2636  PS
  *Microsoft.WindowsStore*                              3812
  *Microsoft.StorePurchaseApp*                          4388
  *Microsoft.XboxApp*                                   1400
  *Microsoft.Xbox.TCUI*                                 1700
  *Microsoft.XboxGamingOverlay*                         2568
  *Microsoft.XboxGameOverlay*                           1648  PS
  *Microsoft.XboxIdentityProvider*                      3200  PS
  *Microsoft.XboxSpeechToTextOverlay*                   3868  PS
  *Microsoft.WindowsPhone*                              2344  PS
  *Microsoft.WindowsPhone*                              1464  PS
  *Microsoft.WindowsPhone*                              4848
  *Microsoft.Windows.Phone*                             4032
  *Microsoft.CommsPhone*                                724   PS
  *Microsoft.YourPhone*                                 1916  PS
  *Microsoft.Appconnector*                              4396  PS
  *Microsoft.GetHelp*                                   4828  PS
  *Microsoft.Getstarted*                                2500
  *Microsoft.MixedReality.Portal*                       2300  PS
  *Microsoft.WindowsFeedbackHub*                        3836  PS
  *Microsoft.MinecraftUWP*                              2060
  *Microsoft.Wallet*                                    3864  PS
  *Microsoft.OneConnect*                                5080  PS
  *Microsoft.MicrosoftSolitaireCollection*              4072  PS
  *Microsoft.MicrosoftStickyNotes*                      2240  PS
  *microsoft.windowscommunicationsapps*                 2924
  *Microsoft.ZuneMusic*                                 3760  PS
  *Microsoft.ZuneVideo*                                 3592
  *Microsoft.WindowsCalculator*                         2500  PS
  *Microsoft.SkypeApp*                                  2300
  *Microsoft.GroupMe10*                                 924
  *Microsoft.WindowsSoundRecorder*                      3336
  *king.com.CandyCrushSaga*                             3828
  *king.com.CandyCrushSodaSaga*                         1080
  *ShazamEntertainmentLtd.Shazam*                       3820
  *Flipboard.Flipboard*                                 4132  PS
  *9E2F88E3.Twitter*                                    4872  PS
  *ClearChannelRadioDigital.iHeartRadio*                2324
  *D5EA27B7.Duolingo-LearnLanguagesforFree*             648   PS
  *AdobeSystemsIncorporated.AdobePhotoshopExpress*      3520  PS
  *PandoraMediaInc.29680B314EFC2*                       3484  PS
  *46928bounde.EclipseManager*                          4228  PS
  *ActiproSoftwareLLC.562882FEEB491*                    2488
  *SpotifyAB.SpotifyMusic*                              5008
  *Microsoft.Advertising.Xaml*                          4148  PS
  *Microsoft.RemoteDesktop*                             1380
  *Microsoft.NetworkSpeedTest*                          3120
  *Microsoft.Todos*                                     3776  PS
  *Microsoft.Windows.Search*                            1648  PS
  *Microsoft.Print3D*                                   232
  *Microsoft.Microsoft3DViewer*                         3416
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe  [level 1, PID 4940]
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe  [level 1, PID 4220]
  C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\System32\svchost.exe  [level 1, PID 4500]
  C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
  - Drops file in System32 directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\svchost.exe  [level 1, PID 4488]
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe  [level 1, PID 1868]
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  [level 1, PID 2724]
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  - Suspicious use of SetWindowsHookEx
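The takeown/icacls pairs, the Run-key writes and deletions, the Default-profile hive load and the scheduled-task deletions in the tree above are the entries a triage analyst pulls out first. The following is an added example and not part of this sandbox report: a small Python classifier that walks (PID, command line) records in execution order, tags the same patterns the sandbox's own signatures flag, correlates each takeown with the icacls /grant that follows it on the same file, and separates deletion of a Run key from writes to it (the report's "Adds Run key to start application" signature fires on both). The record list is constructed from command lines and PIDs shown in the tree; the tag strings, the protected-directory list and the function names are the example's own choices, not the sandbox's.

```python
"""Tag the security-relevant commands in a sandbox process tree.

Added example; not part of the sandbox report. SAMPLE is constructed
from command lines and PIDs shown in the process tree above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories whose binaries Windows normally keeps owned by TrustedInstaller.
# A takeown followed by icacls /grant here is the "Modifies file permissions"
# pattern the report flags (the example's own list, not the sandbox's).
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\systemapps\\", "c:\\windows\\uus\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted runs intact."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def arg_after(toks: List[str], switch: str) -> Optional[str]:
    """Token following a switch such as /F or /TN, matched case-insensitively."""
    low = [t.lower() for t in toks]
    try:
        return toks[low.index(switch.lower()) + 1]
    except (ValueError, IndexError):
        return None


def is_protected(path: str) -> bool:
    return path.lower().startswith(PROTECTED_DIRS)


@dataclass
class Finding:
    pid: int
    tag: str
    detail: str
    path: Optional[str] = None


def classify(records: List[Tuple[int, str]]) -> List[Finding]:
    """One pass over (pid, cmdline) records in execution order."""
    out: List[Finding] = []
    owned = {}  # lower-cased path -> PID of the takeown that targeted it
    for pid, cmd in records:
        t = tokens(cmd)
        if not t:
            continue
        verb, low = t[0].lower(), [x.lower() for x in t]
        if verb == "takeown":
            path = arg_after(t, "/F")
            if path and is_protected(path):
                owned[path.lower()] = pid
                out.append(Finding(pid, "Modifies file permissions", f"takeown on {path}", path))
        elif verb == "icacls" and len(t) > 1 and "/grant" in low:
            path = t[1]
            if is_protected(path):
                prev = owned.get(path.lower())
                tail = f" after takeown in PID {prev}" if prev else ""
                out.append(Finding(pid, "Modifies file permissions", f"icacls /grant on {path}{tail}", path))
        elif verb == "reg" and len(t) > 2:
            sub, key = low[1], t[2]
            run_key = key.lower().endswith("\\currentversion\\run")
            if sub == "load":
                src = t[3] if len(t) > 3 else "?"
                out.append(Finding(pid, "Modifies registry", f"loads hive {key} from {src}"))
            elif sub == "delete" and run_key:
                value = arg_after(t, "/v")
                what = f"value {value!r} from {key}" if value else f"entire key {key}"
                out.append(Finding(pid, "Modifies registry", f"deletes {what}"))
            elif sub == "add" and run_key and "/v" in low:
                out.append(Finding(pid, "Adds Run key to start application",
                                   f"writes value {arg_after(t, '/v')!r} under {key}"))
        elif verb == "schtasks" and "/delete" in low:
            out.append(Finding(pid, "Deletes scheduled task", f"task {arg_after(t, '/TN')!r}"))
        elif verb == "powershell" and "-executionpolicy" in low and "remove-appxpackage" in cmd.lower():
            out.append(Finding(pid, "PowerShell with relaxed execution policy",
                               f"-ExecutionPolicy {arg_after(t, '-ExecutionPolicy')}, removes an Appx package"))
    return out


def tampered_binaries(findings: List[Finding]) -> List[str]:
    """Files that received both a takeown and an icacls /grant."""
    took = {f.path.lower(): f.path for f in findings if f.path and f.detail.startswith("takeown")}
    granted = {f.path.lower() for f in findings if f.path and f.detail.startswith("icacls")}
    return sorted(took[p] for p in took.keys() & granted)


# Constructed from the tree above: (PID, command line), in execution order.
SAMPLE: List[Tuple[int, str]] = [
    (2316, r'schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F'),
    (4828, r'takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"'),
    (2124, r'icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F'),
    (2980, r'reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"'),
    (2876, r'reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f'),
    (2068, r'reg unload "hku\Default"'),
    (688, r'takeown /F "C:\Windows\System32\smartscreen.exe"'),
    (3808, r'icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F'),
    (1456, r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f'),
    (4284, r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f'),
    (3584, r'PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"'),
]

if __name__ == "__main__":
    fs = classify(SAMPLE)
    for f in fs:
        print(f"PID {f.pid:>5}  {f.tag}: {f.detail}")
    print("takeown+icacls on:", tampered_binaries(fs))
```

The correlation in classify is order-sensitive on purpose: the report shows every takeown immediately followed by an icacls on the same path, so a takeown with no matching grant (or a grant on a file nobody took ownership of) stands out. Note that reg unload produces no finding, and that a reg delete with /v removes one value while a reg delete with only /f removes the whole Run key, which is what PIDs 4284, 1012 and 3032 in the tree do.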
Network
MITRE ATT&CK Enterprise v15 (signature counts in parentheses)

Execution
  Command and Scripting Interpreter (2)
    PowerShell (1)
  System Services (2)
    Service Execution (2)

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
  Power Settings (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  File and Directory Permissions Modification (2)
    Windows File and Directory Permissions Modification (1)
  Hide Artifacts (2)
    Hidden Files and Directories (1)
    Ignore Process Interrupts (1)
  Impair Defenses (3)
    Disable or Modify Tools (2)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (9)
Downloads

Filesize: 564KB
  MD5:    d2be90c23063c07c5bf6e02c9400ac35
  SHA1:   c2ca99de035c17ba9b7912c26725efffe290b1db
  SHA256: 9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
  SHA512: 13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

Filesize: 174KB
  MD5:    423129ddb24fb923f35b2dd5787b13dd
  SHA1:   575e57080f33fa87a8d37953e973d20f5ad80cfd
  SHA256: 5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
  SHA512: d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Filesize: 1.9MB
  MD5:    4803e06db91fdb8b6d1b65c0010d2f87
  SHA1:   f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c
  SHA256: beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b
  SHA512: f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Filesize: 2KB
  MD5:    109f47ced5da3f92362c49069fc4624e
  SHA1:   79b611073aa0006f1bb4058a6ecb6f3cc97391d6
  SHA256: 2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b
  SHA512: 55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Filesize: 2KB
  MD5:    04493ed4421328d5e40252891bfe515a
  SHA1:   ab8a4e3909ff849549ea989049ed30b490f274e7
  SHA256: 3b14b48326a1201fc8b9667201c15392e52f7f5819c2aadafe19cbb72b08be51
  SHA512: c8ca89143763a72f4ce8f10ffa2e161b59d41454bad0f71fcb4c7e9c8861a5d99bdc787907761bfb8439afad1f0557a1338bbb1054f5810de807633f515d5a76

Filesize: 1KB
  MD5:    35e5f4dac536c65c6061063c0bcc1680
  SHA1:   33de1ee54ad4af6ef7de46de372878664e40dbae
  SHA256: 43d8e45c4f9ba7df3e8db0338838023fea62e5d4f0abf87a6fe78c01804893cb
  SHA512: ba5cb333699e07024d3193061fe883b4a88351ed9bfb387342ae76811874d8707cde193fd986746ad95b172e0941f56c810121af478b95120806106239408c31

Filesize: 64B
  MD5:    73899b79c7c73a155bd762fff36ac1cb
  SHA1:   87cd5cfb64ea3e80d268adaf7946dbf20497943c
  SHA256: 1bc07acc4fcc1f6097520ed8bce5c1e04c0642a0575c3dc3672725bd87234a7b
  SHA512: 5f8e98dba3f99e70a72fc4a1421fe403155fddae33099d438e072729ab56ba904a8589252fab5ceb55b3f773cf4744760cbed25244bd94defad6226e3a8a9828

Filesize: 1KB
  MD5:    e3a924916719c590c164e2306f5b3ad4
  SHA1:   6b99d5b4cadd988deb3f825c38d3b2ca62beed11
  SHA256: a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1
  SHA512: 29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be

Filesize: 1KB
  MD5:    c3c70d512dd3f5823d1843b174b15cd6
  SHA1:   014accda56aa5efd4cdd3ce3dbe3badf6952d4bf
  SHA256: d8037878878bf3a871c26a233ff70f2666309b3622c368b7ab40431b21c2937b
  SHA512: d9f555f3550c5ca9fa8357a9281e9d5e05ca668cfac20c851142441de6ceae9ad40172d697627ff25121083d532be84ec32bb98d239d5be284feeb425f74367a

Filesize: 1KB
  MD5:    86b1713eaecef659d820ebc2388ef31c
  SHA1:   5a2c44be4c8c56f247083963fad0f6c81c8e08e8
  SHA256: 43a1afa2ea409a5a220b6dbf138a1679b1909e1fa38d9e1355ab884b74337bcf
  SHA512: 6043e649abe15314e4a6b767decf0caf098299d911a13b3eb45ee0e42def0aac9d36425992bc9fed1bf63a87a162bd7554e882dbfbf6a2855ee26272aae4553f

Filesize: 64B
  MD5:    7274a07d1b80de6f66290b47588cee3b
  SHA1:   d926b384806c755fe6b9d03f68852765aabb5703
  SHA256: 5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8
  SHA512: b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Filesize: 64B
  MD5:    446dd1cf97eaba21cf14d03aebc79f27
  SHA1:   36e4cc7367e0c7b40f4a8ace272941ea46373799
  SHA256: a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
  SHA512: a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Filesize: 1KB
  MD5:    238f0a5701700be966cc85a76ecbfc19
  SHA1:   c69446816c9c6c0657e8705ca08459440b6e1d53
  SHA256: cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b
  SHA512: 791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1

Filesize: 1KB
  MD5:    cb1d69b71a38dfe81ac0d2020830faf9
  SHA1:   1f8baf6d137b5138ee40c725f9138e1cdd2a71fd
  SHA256: 5ca132239020780c2a57681b9b6960880f23c03daa982d03cb3142cb923f5001
  SHA512: dba787451922e7bd2d863ba23774d80200acf58243617d0c54e5b3941fa4a47e2c7f8ba43ed91580fdc82884db7bb22bbaec0ee9ca286faab6c1d827b62896fe

Filesize: 948B
  MD5:    eb6bbad04121efc4b28aafcfb2098c9b
  SHA1:   874882a3749c41301505e95510f761491c465073
  SHA256: bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5
  SHA512: 7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

Filesize: 1KB
  MD5:    70c91e55fe182a7b11ff383b0dbdd172
  SHA1:   b3e7063b1d6dbcd05bab520d8c54c6ee88be78b6
  SHA256: 20a2bab78c6744ab81aedd1c713053fe52d50755d347c8a667dc85f93c686a6f
  SHA512: 0f373234d24bebf1ce1d2b4ed10fb2e341aaaaac9a98000a11b5b8c9a0df969ff9af6059c14e9f41ccb8441dfb6e9933150b82a72e8c24bf2a028bd30d22038e

Filesize: 1KB
  MD5:    1e061b3383a83e8b835f080b461a37f0
  SHA1:   cd95057b2b08facdeaea073035ca88d9c5aaf8c0
  SHA256: e1c5bc8053f119c13ca427ef0092042bee4244d44ff2f7ee84c49a14e5b861e6
  SHA512: 722ddd8a2a6d94240359c582b3f4ae8435fe1506ef27ccd725b68ebc9f1d52e1f3b05a7325b5d2e800b8b0f44050cfd3ad5c3b3892f815e3400afea83e6c01b0

Filesize: 1KB
  MD5:    4338fc72e39eaddb43a21a62e7764a57
  SHA1:   d4bdb16dcda6d517f0e7cfd420bc3807c1a802f8
  SHA256: 03ab0afe61f8f9f40713cc56f3489d7660f90863286033197fbfb7953eab31d5
  SHA512: 6da5d8a9ee12a91c766d506f791bd857b7e0aeb7bb9833f4732e1b0238793ad0e5e41ef3e48e65fd710ab0977fddeb0bb22ee5a5b80cbea8091223529e75c385

Filesize: 1KB
  MD5:    690566e4b1d42e237d33e96481f5d28e
  SHA1:   bb132f17d1bc80d6bacfe2a2bfb00cbeebb13f0e
  SHA256: 6df89b54a71e11eb08052e21549295e1931e0f25415da3276934867f67df79a8
  SHA512: 845492723ffe51cea54ea438bede4afe92b0aee1390a8642a8b85cf989fae4fa2e6cc19cf066db531d95cf43da456292d274ac165c4a27ab1e65838c90b311ec

Filesize: 1KB
  MD5:    290a4366e31f5dabb0875818baf3927e
  SHA1:   3492d28bc3614a72b3e7631e64dbbd7e3b710580
  SHA256: 08b275dcc671db58a9e38542c5784731c0bd841c13e92bb6135b1ede252616c1
  SHA512: 5f14c07d6f4b3e84f4b42d409a6388d879d39f8b671673001171ba6bccae5494c66e4f3a5069d7d73b35050ae200a3887331e093173d617bd5ad6c6f32ced3f6

Filesize: 1KB
  MD5:    cbb34cda293c9a5b7f0c2f56492293e8
  SHA1:   736e478f6a77df444944357800a6b79c77aa456f
  SHA256: d5cac63fd588fd14c550cc0b4b3466282210394282659bcff48513e953d5aa75
  SHA512: a002e7bf881bf72e792ec34119e42c4a793430bfbbaa7dc7f56b56e935f727108b8d2b4877d6d726d89d01ff23ebdef788790b2352159dd7ee22c371acba365b

Filesize: 1KB
  MD5:    a236fd7e82e49b9094cf51d36d28fae5
  SHA1:   b827df1433f5a1920d1b4032284f4b8c5d48b8fa
  SHA256: 4807190696818d9b0cb5dcec1a6baf1d0c8f9fd22cfbd25afc94aa60397456ca
  SHA512: 8070c1e2a34a31c8ebfaddab982f3c8e8598d557a3eb695b837f2947dadbf0ecb646c00e543a3181448202269a6cc9b833c4bf75417d5b0232eeff69a177a457

Filesize: 1KB
  MD5:    0399eeb989e6cbd60604167b97c1dcd4
  SHA1:   225c2d43f7d5d0889d999408fd9ff4a1352cf4a3
  SHA256: 9ec655af69ecfd9d8aece95399628ec41fdce39faa7e7e7517a2a5db46ad612a
  SHA512: f2d3e010c468016e8184eec48aed81f16e7a5c86bc5f1d9b18b69c4264f88a5f31979e475edcb8a6fe681fd59da7c4a0c2e2533800e5f19babd0f800055222f8

Filesize: 1KB
  MD5:    02db820e8fc517654c1ef3f0c7d6a788
  SHA1:   50aaa48e9d6be5dfb5c2dce89a8217153a03f4da
  SHA256: a12dba169f2897a287c79f1183022f0af95a25b77f1f7ac1a86c354d16bf8e41
  SHA512: be28cf77f23d23f58fa14a5888d0239091f1bcb12b025b6fc8ae16f3e7932f672bc45102c04eb72257d265c159d7a41ff0953e92db0dd60b0a6b3186d7215ede

Filesize: 1KB
  MD5:    57645cfeaf683e9c1b6a5476bd6e5964
  SHA1:   a9201ec8135335b21cc7a5607b952a51ee8c08a6
  SHA256: 4e1414d1af81a01d28b742ff3f18fd54436163166e007796311cdbeec6df128b
  SHA512: 08587fde0e37309dd8c0fd6ba1a479628a5d1d4f6974ef93e9b8f8255866e8d0522192a721b61d5f93e1169812c91ac5ddd0761f8725ae9f73a5fae5b955b969

Filesize: 1KB
  MD5:    a0952827d7b05e59bbcba9485a624cbb
  SHA1:   8479125258bd3f7b7e2dcdca7a14612ca03ab10c
  SHA256: 819dcccd9dc5848fa19acf6175dcdab9bd2a1ef5edc6753a0dcee6fc13d21240
  SHA512: 6ebbef69766656343e4df6f45f9dcc9ba370eb2f30a3bc83746f85a0ac9f942e58f80352a2ef4a4122ebf95d8010020cc3d2c6cb817ff000d3d5b8d41ecca789
-
Filesize
1KB
MD5f0635599de2c45f13bc9182b2c5bb463
SHA174e2714467887e419bdab75d545a64e34590e287
SHA256694c81bd357960865815fa26e4e9c55c2e37ac727e4fdca4aca416114a2b5a95
SHA512046671febcac9672f6aff3cc6f15b584fea535c371b882120d0854d20406c6d5669072a823845fca08007f80d5a2d3058eaadd6003199d6b5dd3c351ee9a7d7a
-
Filesize
1KB
MD5bb2919371112884fa7bcea5db0579382
SHA1a8e2e8a234af399778f48a1e9f9d5ee261549d25
SHA25627d3bc72ecfebff704f0334e11e4f795dee138536df55868ca0a6255a31774b9
SHA512041a1e88c5f2171cc52ec2c16e6290819287b76196b0bb6e8818ed118de2cf5d88d06a9fd65b0b1eff783f66911693cf2520a7072c5627fda0d077b2a4673f64
-
Filesize
1KB
MD56986f616ac97fb18cf0b185340d907c5
SHA101e20bc1ac230ac833b811164d194dd8a9918860
SHA2568f0c6d493545b710864ac9fbcf0c10f8f2c68aa05799f6945aae2f4b93dddd7d
SHA5128dc6d79d64729689a1ea4629a890d6e7b1c9cddeb072079b346a2c4846e92b8703a2b19aaa753cf87d74d0dbd39ebcdee1454bf00a58a2d21f7ede958fbcfc12
-
Filesize
1KB
MD51e2b5fde461eab77db6a1d06356164a2
SHA11a69edb86f7c162d800c06fb2541efded2045df4
SHA2564cec01afe1b359f4ea8a246634c00d138261bad57079f1fd887d09739d115766
SHA512c3fe6a0acbfbabc8278f0d336b1a3b820ce286177627ad05da358503916c1ae1e0165b74e75a735cbbda4752550369b9767b5382bb4f51f810c6dd584e132fe3
-
Filesize
1KB
MD56ca1b0e6fa3e854ebdb8b67e78ee0ab7
SHA1c6ec0b6d207d1fdbd0f8d954c7184c997546f610
SHA2564b714becbc8d873ee8cb136d3d892b8b1c2c7f7987ef1e41fef2713e312b250b
SHA512889fb8f2c206ac55e9d214977f76a1376eb564af3186534e761039e16344d772716965454977960a604f869ad41d39858a6b704484847b998104a35d1d9e6c83
-
Filesize
1KB
MD56c704b9773388c99030b20baa1940271
SHA1d7e1cd97d0f1710841bcb4cae16d0a6368b48d38
SHA256687fdb25ff381baa9f082d0056c104ae5153d6f7e482b597746e23d692e09cf8
SHA512c7eeeaaebd440999e0529b847b1a3df7958af805af44f0a68be72eddd0f111b11fb30d5e8f10970ed66f213c03dd16fd44278b775754b192fb591895f3d97203
-
Filesize
1KB
MD59b131b7ea927032776dcc0af2b59519d
SHA1ace78d56c0efb66f4ab2548642d7644827b5701a
SHA256019d2cdaa3f17bba88c37b6078293c524414a198d8540b5ea92adc288de9284d
SHA5124f0c3faf5993e4798f05de9262bc9f954bf022d7aa562bbde1050146e83257ee70eb49f74a032c6ef2d7d7a4f12373116e338bb30a8cf86b2d7f0e082d705897
-
Filesize
1KB
MD537107ab5a98362176f37cb3205664060
SHA1dbc8bc9b74f539aa7404ec405c7e2a908c1ac1ec
SHA25657ae257ebf026535dee1ce3738faa5e01deeb4e35583374d597d44a6f244ea34
SHA5128a9b8af499a2ad61f40ef53069f4e5ce6a24f9848c89b8215d24a9247fe2bf487bfa1847207624a27d8a3e40da6c9f74bff5e0c7bf8258d706ef4d206fe2aa84
-
Filesize
1KB
MD56de27b8a6f6d1c5724dce86b58fb1d7f
SHA1f5fcb98a4fe3879f180362f83c1971f55708b56c
SHA256e9e3f4b6c61fc0931f407ad370bf6a287b93fa50174646b2a2cc84b2ed342819
SHA512597a04bbbf4639c35a586488ab55d8183a6bd041da8a67a62daf7c3087b098ac90659033ae83d380789d6404a08b2389a9297e523a7f7e9e4602853bd9cb30fd
-
Filesize
1KB
MD5e6761ebd0d08c2817aab0cd8929083f6
SHA1185c0dc6d2018b91839444926665e5e7834d6ee2
SHA256c7b4e497632a03e9e91f9e8c1b3e3fadedfc1c86c22d009a7fd073a66f809f4f
SHA51260470c0e9ffdccd759a858c215bb950bab39aa50f52d62555bb06bf4c165d17ff5d9a2ca0970c9685fb83725379cbbc7bef3cb31ed8bcd57f7dba34fd1e9442e
-
Filesize
1KB
MD588f9ea1d100f5352ec61d1dc90d457e9
SHA1106a2f1a0efad68d3a6c4224e6e8ea97803444d0
SHA256b6f2fbe74673599fa5b2b66b726d21acd156b6470de6d2512da49c4dbf7f7a77
SHA512ee27cf000804e89583b60fc75f36ca06e96269b5ffca55e1843dabc4e30296ac7cdc67d8918873a91ba9af922a2669382626975800d8354f718c3e0d7ebdc333
-
Filesize
1KB
MD557e9d82eedb4a66e1d1331556a6973f3
SHA155e4f7e3c217e71dcb29192307be13fcf9133d9a
SHA2560ea63d1e12cd5212188085802a450afe91b7f915445dabb77eaf9085de21f5df
SHA512c8638d71b6f0555ce5ccdef4b252da84af2fd744025c57a687d71cc9c869b86677bcdd8760239b2d5d1edd121739dac2d7682ab372382b0720c30da86ffb997b
-
Filesize
1KB
MD54cc815d8de1f03786c53bbc5d8a987d3
SHA1c3ad86ff978b501e2038b78ab2c7defd1e3b9b0d
SHA2561065299433ed75de29dadead305eb8e0c677bdb8cb952550ea41c3cb964d2a96
SHA51247868cc4588fd4f07268114335b34dc94b11b2013bfa0ab1e3e5addff94d92f50d45c7cf4d9efd1a98e301747f109ee369f67e7b9302cfd183660648a5fccd22
-
Filesize
1KB
MD50193d08b80f38c2261328217a97d5c1e
SHA1b28ba65b981c2ea1f59a57cd408ae3066d11971c
SHA2563bdaab9f2abbaa26184a084a4d15cbfca295a168803f7913a01a83b51306e49c
SHA5125f119ec654b90ecb86ae793c7d0569df168890d8485d69c35b8662253d23b796fbecbfe3d0c1db405ca204c25b96380ed79d4797316becdfb457d1cf9e09fe74
-
Filesize
1KB
MD5dd9a77b53ba9ba68bb8dedcc001c1ddb
SHA12502db42ac0bf7f02892265df6fe8ccc83edcd83
SHA25643ffb8b8e22a6c9f1d1ab7b6b881eda6b27a0113e51d5658debc347735b5f376
SHA512bba1cf446a472213ff6bd0cd500366163e9e3bff714f8bdc0502ffaaeecf62e36f9935e14d763de136d731effc1ab72e756350ef6762108964a4ed389aac1507
-
Filesize
1KB
MD59df4389e6ecc8e02274bb8fdd5cf5df2
SHA130b337d4dbd1228dfe18783337467af398883252
SHA25651b2b774b06300fb196872e5f7b72ed981197eb64f1ea11bd4eaf3e6d7a3cb78
SHA512639bb0f91b25d90cf8dacc774914c184e4817e7c1fa01b4ba0a0468122b000abeb6dd19844a7d41d7a7757d6dd2af36af602ac3bc742db11176fe7590b90ac69
-
Filesize
1KB
MD539b74cb4f53320d69e53ec7133fd6079
SHA14130a7bee0a62db8d6418ec8f74d70fe8b5ea196
SHA2569f677578a6cf21d1280c7220d11184a56f6d32e714de9ce91631dc9261527070
SHA512573d732a49d6c1ef4ede95fdd3ed7631082b8bc085728211574c4a555e465e232029c51fe34af5dac4bec3069057b526554bfd4afbc31e2365e9de9ae55fae2f
-
Filesize
1KB
MD51244183154f408d2db7b49129a8e6db6
SHA13cfb4ebd836f4636665bf099c8c2e269a2bc80c3
SHA256921acd90c96c5d11ddffbaced67627a84c9beaaaa1de48bc0ee952b78440aad3
SHA512669b7555e3313ca704c181acc4f0e55f59970ad9dcc913b051b7ddbf241cf433b57c22c04468001bd07e68fd865cb5b3e12d2f29a9930ff00bf1125fa6a5f37b
-
Filesize
1KB
MD5439b4fb358f2572fcf1bcd7f1375fd87
SHA119487c5c6774f6d40ad746d0428ca7075bfdd01c
SHA2565bebe58b7bd91158a79cae6607327a39cd4c54106e69804817ba48072be5e566
SHA5126bdfbc990014c270b38592a97c0ba635890d988abe7f7c7866322b8dca6db26a2dddf3a3c6426f56b21e0ae0280b2f498722cf4af254760fbe53b96ea1ade8cf
-
Filesize
1KB
MD533772d29bdd550f69ad48411a88fe076
SHA1b8e3157b8b84b53ef8e15428d7eef1a6f3362f88
SHA2569189778f37b586262e03b6a111950ccea0665d4dd30ea0578a490a1a2a66d621
SHA51293f2577e93de7bce645fa9de5f6090b4d7e9f8ea844a4c2230f056be0c463dfdad3a9c3ebed6e38d5f0dea722597ad3a6853096859291cb3df9dbc13eac58de2
-
Filesize
1KB
MD5b04b0fca96913d10874a5a52390b575b
SHA15701469979579da2cb79a5317ef919ea596ef065
SHA256723e6b5e98d4ec34df030fbf460ffb8b728e6cfd9982867ae6d03700e0dcd8a5
SHA512c36acae46306813344b0665b76b20553eed19a591ad0a687697fff1890b9f3d50696b4b67065d680ed4a2f5f9620bd7756709edded70e10468c71909a6e273ae
-
Filesize
1KB
MD5bc795813febe531502ea380341939cde
SHA154da183397b8b5e7783357172c827a9a77f6b826
SHA256e7d77d3c60dd0f02cc5546cae216f964a277fff0a2f37c572276d1591292b4f9
SHA51206b1babeaa710abeb41aa342318e23e33c7998c7f6ae5045e1fa5fe9268aa26bb803f03395cb8a7e49016f090b222275c56fd51be2298325dda0b0eea8aa885f
-
Filesize
1KB
MD5cdb978c64fd6e4817c076e02bec9f321
SHA14da9900c0b44853322b36de4907f24f6a33c9780
SHA2566b1ebc649a3821a9493aaed3c02e66a0e3e0794b5d8838273dbc003fe57ab3e1
SHA5121365906be4ad53c85556c3ec675ebe7e064ccfb820371282742f8d84bf8d9b63cf641e913629ca46e26ac9aa18d6d9368844099c0d277260b2a24807d35b0cf1
-
Filesize
1KB
MD54a5ec0ff4e30cd14428898de3963645d
SHA17802024052ae981f9d2f1d6e2beb994ee9e21484
SHA2562b8a1f40ae9f44a9b455af282c0c46c32fffe010b9c18061a20972ce8f6c2c56
SHA5122e872d5212c30b55865b6d28d452fa5448aec266a7e93e130209e97482b552c856326adabb12c0f0ab3c1faee7f618c7ad908f650ea82f593e261135862e9b9f
-
Filesize
1KB
MD5018e2644e95c0cebe22cf3b01a2f04ef
SHA1f73e4974451213f79af0349aa82e8ed5bb51e730
SHA256917000a16bfb81b337ada47ace3fc17d2e3ec65ada9c593ed1416be767a7be9e
SHA5120f69ca949644f72a722fab3a42f847a7bfa0b8bede95d855258897461b184af5b6cbc6af5dfc27ee1dd3f502c99fdc142519b3416015658792f69715fde5cea1
-
Filesize
1KB
MD5bf4eec47cc01819a6977cbf0213ed025
SHA1fd9bdf4a8243060b364c25dfd8bd2ddf56bc3454
SHA2561c4b08daa3f7249c34eab9a9c9b179a83ed333d3299b3d1fe0b778eebb3035e6
SHA5124c0a752f586b5680d48980ebb43615b3b5bf52e76924eeeef5dbd19d3c413f0db85bd7b99a99085644964b6e82e860f15c632051aee23db774c128224fded7e2
-
Filesize
1KB
MD5af39a78ec0d56c9f996af7f58b412a6a
SHA18826ee35da28c256885f2a4a766778b0d4ca42bf
SHA2569ce363ebda0dd2316dce7e9ef5fcc192ee2dd20d7917e20365cb94bdf55c72c5
SHA5122d8065add3f328d90cd0cd6b32ccad8b63cc618780a92d88ea66e23adf42a9496908af67c73c574c8585f48e94e9a8827b2804b73d4a50263c74a50766c421dd
-
Filesize
1KB
MD5198048253ae45611eb45bea91d51dd00
SHA1d0893584b21fe73de16eb9b6c1c93928cc09123b
SHA25635c0c0e9e55d950be1e94fa013578dbf5c2e1bbdd6c5c30a68303d1dde86af70
SHA5129773a0c760476f3a1a8935955fcd260d6e71a83f44b5c85f0208832bc3831db0157194eda29e30d1c606dbbf6994f32bc0fcad344414f85b7e19b958169557e6
-
Filesize
1KB
MD54d06571a616d1849ac0d44af1a97b4b2
SHA14df5b8d5cd0f1ebf4182483468286c94a95300e7
SHA256b5a1a1befdcedf856a21719d1a969c4f6a1d1b96eed413e7a604b1a331766b25
SHA51228717032d20bb74cbcfdaa560c3bfd896c177cabd3ce5a5feaf7bdb764b34cf6be926e0afc41fbf0ff50f2bbaffd254962c9d228bef2e5e4ab0f942fa4e434b0
-
Filesize
1KB
MD5cb0f7161aab9a59840d429314eacfbfa
SHA1213886b9f9702603231e2af8cba7b68fbc741bb2
SHA256625d77502e605e164f4447c3b7b318ce6d6f11a0fddb7d641a53f95d043cdc65
SHA512d0a49e064832e4a301a519b9c13ceb647e339e134775259b2aaa361794244be9bef32178c6e10cb9333980281aefc7761cecc3508ea55a5568388b8e0aea8630
-
Filesize
1KB
MD5a0b13590459c6ffb8c52a0a10ae388db
SHA1c7fae31628fd7864ae3ac40d5265e40012f3050d
SHA25696837918d1718fc445e32fe0aec80e0d73d37eccbb3a502d72548cdef9edd314
SHA5122e13f803faf4848f71fbc6c055954b2371b23a9875c05a4f722b707df9663362052359071bcdb31657988f3bb5f706f2fe10759923661691f3e0f746cfc0de2a
-
Filesize
1KB
MD5a2922d1fe9108c92b4a380aac3cfb264
SHA1716e847ad1724edb14ded806eecf8101e3b97583
SHA256b586660ebac6fade8e62cc29f88b7a4b991d98b92bbb4bb27846f73e4e0b3db4
SHA51231a4f01d15ab5ebf16d4de8c4dd2c53e67810a6411753ae48ed2011ae3e25f8db6e73da4726eae181043c1bf48f5b500c18f83cc91ec102adcb285c6d8a2e815
-
Filesize
1KB
MD554ea21b23f8e591c905c42525db46a5a
SHA1a77fb28b1f608fc59ea041d1d2c365ca2e7630bb
SHA2566d112ef9a96272747210823847d65a4a01210f9e038e060339df5de7b901b565
SHA512d466ebb859d5eb631f944973c252a95ff08d206e1fc838478b92af2c5f290d9de3cd3a8b2aa9c3ad5d3f7aa165ba0d2ace8c7dcb41d8f342628322f44cce4c67
-
Filesize
1KB
MD56bfc02ee40e30ee8b3668a1a8cd74542
SHA1d05325b60c6e4c1bd331e89319efe02f2271b268
SHA2563798b25b810408a6e503f3bfc54da533f57bffd83250d3b24b2730e34f66348f
SHA5126c871a3e8017f37a65b002f88318b787d0d24d1cfb107bc66b22032857a960b6805975436b00bfcdf7874d74c8a774eb1376aaa895e38778af1f12a162cabc0a
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HJS5TRU2\microsoftwindows.client[1].xml
Filesize
1KB
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133756424482338871.txt
Filesize
66KB
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB
-
-
C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat
Filesize
202KB