b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

Analysis

max time kernel
291s
max time network
291s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-11-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V6.7.bat
Size

202KB
MD5

4acd7d1e7294d4ab4e9db8977d5135e4
SHA1

07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256

b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512

d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
SSDEEP

1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

Score

10^/10

adware defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5960	bcdedit.exe
3332	Process not Found
1268	Process not Found
1084	Process not Found

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
2136	powershell.exe
1752	powershell.exe
5712	Process not Found
5408	Process not Found
2484	powershell.exe
4440	powershell.exe
5432	powershell.exe
5524	powershell.exe
5564	powershell.exe
4904	powershell.exe
3816	powershell.exe
2704	powershell.exe
4808	powershell.exe
684	powershell.exe
5828	powershell.exe
4880	powershell.exe
4840	powershell.exe
4576	powershell.exe
2932	powershell.exe
580	powershell.exe
6080	Process not Found
4072	Process not Found
5584	powershell.exe
5220	powershell.exe
6040	Process not Found
4636	powershell.exe
6092	powershell.exe
4996	powershell.exe
2296	Process not Found
4564	powershell.exe
5404	powershell.exe
4204	powershell.exe
3548	powershell.exe
4832	powershell.exe
3788	powershell.exe
3572	powershell.exe
3844	Process not Found
4060	Process not Found
4140	Process not Found
5220	Process not Found
2704	Process not Found
3304	powershell.exe
3652	Process not Found
5644	Process not Found
4668	powershell.exe
5144	Process not Found
1228	powershell.exe
1920	powershell.exe
720	Process not Found
5964	powershell.exe
4056	powershell.exe
784	Process not Found
4160	Process not Found
4424	powershell.exe
1096	powershell.exe
1176	powershell.exe
3316	powershell.exe
2724	powershell.exe
4708	powershell.exe
3116	powershell.exe
1112	powershell.exe
5832	powershell.exe
5160	powershell.exe
5636	powershell.exe

Downloads MZ/PE file

Possible privilege escalation attempt 21 IoCs

exploit

pid	Process
5668	icacls.exe
5192	takeown.exe
5712	icacls.exe
4308	takeown.exe
2380	icacls.exe
4284	takeown.exe
3164	icacls.exe
5052	icacls.exe
3532	takeown.exe
5552	takeown.exe
5992	takeown.exe
4472	takeown.exe
4224	icacls.exe
5768	takeown.exe
3496	icacls.exe
3516	takeown.exe
5228	icacls.exe
1748	takeown.exe
3160	icacls.exe
5332	icacls.exe
4932	icacls.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
4308	OOSU10.exe
4548	NSudoLG.exe
4708	NSudoLG.exe
4116	OpenShellSetup_4_4_191.exe
4632	StartMenu.exe
5072	Process not Found

Loads dropped DLL 7 IoCs

pid	Process
4288	MsiExec.exe
5548	MsiExec.exe
3184	MsiExec.exe
4804	MsiExec.exe
4632	StartMenu.exe
2244	explorer.exe
1732	Process not Found

Modifies file permissions 1 TTPs 21 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4932	icacls.exe
5052	icacls.exe
5332	icacls.exe
5712	icacls.exe
5668	icacls.exe
2380	icacls.exe
4284	takeown.exe
5768	takeown.exe
3532	takeown.exe
3516	takeown.exe
5552	takeown.exe
5992	takeown.exe
5192	takeown.exe
4224	icacls.exe
3164	icacls.exe
1748	takeown.exe
3160	icacls.exe
3496	icacls.exe
4308	takeown.exe
5228	icacls.exe
4472	takeown.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\8m56aq	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu	reg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
11	raw.githubusercontent.com
16	drive.google.com
19	drive.google.com
39	raw.githubusercontent.com
41	raw.githubusercontent.com
45	drive.google.com

Power Settings 1 TTPs 24 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1980	Process not Found
2884	Process not Found
1184	Process not Found
5404	Process not Found
5636	Process not Found
1068	powercfg.exe
4764	Process not Found
4212	Process not Found
5508	Process not Found
3264	Process not Found
1176	Process not Found
5412	Process not Found
3064	Process not Found
1252	Process not Found
5268	Process not Found
4656	Process not Found
2280	Process not Found
2092	Process not Found
5308	Process not Found
2568	Process not Found
3624	Process not Found
6104	Process not Found
3576	Process not Found
5328	Process not Found

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File created	C:\Windows\SysWOW64\StartMenuHelper32.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{7f53d945-015b-4fbe-b8ac-69e0c35e4f69}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3587106988-279496464-3440778474-1000_UserData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3587106988-279496464-3440778474-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\StartMenuHelper64.dll	msiexec.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{7f53d945-015b-4fbe-b8ac-69e0c35e4f69}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Open-Shell\StartMenuHelperL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorerSettings.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShellReadme.rtf	msiexec.exe
File created	C:\Program Files\Open-Shell\ExplorerL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Smoked Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Update.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShell.chm	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenu.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe59843a.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Full Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Basic.skin	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer32.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metallic.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Midnight.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuDLL.dll	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\PolicyDefinitions.zip	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\DesktopToasts.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer64.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe59842a.TMP	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe59841a.TMP	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DF72956AF12D2488A1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico	msiexec.exe
File created	C:\Windows\Installer\e598219.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File created	C:\Windows\Installer\e598217.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7}	msiexec.exe
File created	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82B3.tmp	msiexec.exe
File created	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEB515F348384DE50.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e598217.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7AA8499A01853A17.TMP	msiexec.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DF45835C530D1B1888.TMP	msiexec.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2484	powershell.exe
5304	powershell.exe
1752	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5292	sc.exe
5632	sc.exe
4764	sc.exe
3768	sc.exe
2840	sc.exe
3340	sc.exe
956	sc.exe
2928	sc.exe
988	sc.exe
4228	sc.exe
948	sc.exe
5688	sc.exe
5104	sc.exe
4212	sc.exe
4656	sc.exe
4484	sc.exe
2760	sc.exe
3048	sc.exe
1340	sc.exe
6036	sc.exe
1568	sc.exe
2680	sc.exe
2372	sc.exe
4204	sc.exe
2400	sc.exe
2320	sc.exe
2096	sc.exe
5812	sc.exe
3380	sc.exe
1552	sc.exe
388	sc.exe
360	sc.exe
4232	sc.exe
4872	sc.exe
5520	sc.exe
1748	sc.exe
4748	sc.exe
3752	sc.exe
3944	sc.exe
2920	sc.exe
5520	sc.exe
5868	sc.exe
2676	sc.exe
3860	sc.exe
4556	sc.exe
2376	sc.exe
5904	sc.exe
4916	sc.exe
5548	sc.exe
3920	sc.exe
4684	sc.exe
5592	sc.exe
3912	sc.exe
5324	sc.exe
3604	sc.exe
1584	sc.exe
5060	sc.exe
2824	sc.exe
5144	sc.exe
2264	sc.exe
5640	sc.exe
896	sc.exe
4012	sc.exe
2232	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenShellSetup_4_4_191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1552	timeout.exe
5772	timeout.exe
5972	timeout.exe
6084	timeout.exe
4088	timeout.exe
4496	timeout.exe
5068	timeout.exe
428	timeout.exe
1016	timeout.exe
1176	timeout.exe
5892	Process not Found
2300	timeout.exe
4524	timeout.exe
4596	timeout.exe
2924	Process not Found
5216	Process not Found
3704	timeout.exe
4436	timeout.exe
5456	timeout.exe
3380	timeout.exe
360	timeout.exe
2296	timeout.exe
5688	timeout.exe
3112	timeout.exe
5092	timeout.exe
2676	timeout.exe
1624	timeout.exe
3796	timeout.exe
4944	timeout.exe
948	timeout.exe
3900	timeout.exe
872	timeout.exe
1744	timeout.exe
6116	timeout.exe
540	Process not Found
3136	timeout.exe
3616	timeout.exe
5064	timeout.exe
5608	timeout.exe
1408	timeout.exe
5928	timeout.exe
4520	timeout.exe
5016	Process not Found
1772	timeout.exe
4912	timeout.exe
2808	timeout.exe
4440	timeout.exe
2264	timeout.exe
3264	timeout.exe
1144	timeout.exe
2816	timeout.exe
2936	Process not Found
4140	Process not Found
5872	Process not Found
5284	timeout.exe
3048	timeout.exe
4704	timeout.exe
3724	timeout.exe
6112	Process not Found
5976	Process not Found
5580	timeout.exe
5996	timeout.exe
4640	timeout.exe
4500	Process not Found

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 13 IoCs

evasion

pid	Process
360	Process not Found
3320	taskkill.exe
5404	taskkill.exe
3792	Process not Found
2868	Process not Found
3804	taskkill.exe
2020	taskkill.exe
920	Process not Found
3292	Process not Found
244	taskkill.exe
2892	taskkill.exe
2104	taskkill.exe
4688	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	OOSU10.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100001003500000001000000010700005e010000060000000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b7913855d5a02645be18d3ce461d6310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Process not Found

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ = "Classic Explorer Bar"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\ = "ClassicCopyExt Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder\Attributes = "2684354560"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID\ = "ClassicExplorer.ExplorerBand.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0"	OOSU10.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E407B70A-1FBD-4D5E-8822-231C69102472}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\ = "ClassicExplorer 1.0 Type Library"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer\ = "ClassicExplorer.ExplorerBHO.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ShellEx\MayChangeDefaultMenu\	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ = "Open-Shell Modern Settings"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\StartMenuHelper.DLL	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e0071800000000000000000000037595a02bea68646a84436fe4bec8b6d0000	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer\ = "ClassicExplorer.ExplorerBHO.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\ = "ExplorerBand Class"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no"	OOSU10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer32.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "56"	SearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\ = "ExplorerBHO Class"	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39020000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\ = "ShareOverlay Class"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\ClassicCopyExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ShellEx	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder\Attributes = "2684354560"	MsiExec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3480	reg.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1732	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	powershell.exe
3296	powershell.exe
2484	powershell.exe
2484	powershell.exe
4440	powershell.exe
4440	powershell.exe
5432	powershell.exe
5432	powershell.exe
1228	powershell.exe
1228	powershell.exe
5564	powershell.exe
5564	powershell.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
3352	svchost.exe
5304	powershell.exe
5304	powershell.exe
2136	powershell.exe
2136	powershell.exe
5524	powershell.exe
5524	powershell.exe
1752	powershell.exe
1752	powershell.exe
4548	NSudoLG.exe
4548	NSudoLG.exe
4708	NSudoLG.exe
4708	NSudoLG.exe
668	powershell.exe
668	powershell.exe
2244	explorer.exe
2244	explorer.exe
2932	powershell.exe
2932	powershell.exe
2932	powershell.exe
3976	powershell.exe
3976	powershell.exe
4564	powershell.exe
4564	powershell.exe
2752	msiexec.exe
2752	msiexec.exe
4576	powershell.exe
4576	powershell.exe
1832	powershell.exe
1832	powershell.exe
6112	powershell.exe
6112	powershell.exe
1920	powershell.exe
1920	powershell.exe
2020	powershell.exe
2020	powershell.exe
1176	powershell.exe
1176	powershell.exe
5996	powershell.exe
5996	powershell.exe
3116	powershell.exe
3116	powershell.exe
4868	powershell.exe
4868	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2244	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeBackupPrivilege	1952	TiWorker.exe
Token: SeRestorePrivilege	1952	TiWorker.exe
Token: SeSecurityPrivilege	1952	TiWorker.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	5432	powershell.exe
Token: SeShutdownPrivilege	1068	powercfg.exe
Token: SeCreatePagefilePrivilege	1068	powercfg.exe
Token: SeShutdownPrivilege	1068	powercfg.exe
Token: SeCreatePagefilePrivilege	1068	powercfg.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeIncreaseQuotaPrivilege	1228	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
5652	msiexec.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
5700	Taskmgr.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2244	explorer.exe
5128	SearchHost.exe
5032	StartMenuExperienceHost.exe
2244	explorer.exe
4632	StartMenu.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
2244	explorer.exe
1732	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4304	2796	cmd.exe	80
PID 2796 wrote to memory of 4304	2796	cmd.exe	80
PID 2796 wrote to memory of 3348	2796	cmd.exe	81
PID 2796 wrote to memory of 3348	2796	cmd.exe	81
PID 2796 wrote to memory of 5168	2796	cmd.exe	82
PID 2796 wrote to memory of 5168	2796	cmd.exe	82
PID 2796 wrote to memory of 5172	2796	cmd.exe	83
PID 2796 wrote to memory of 5172	2796	cmd.exe	83
PID 2796 wrote to memory of 1420	2796	cmd.exe	84
PID 2796 wrote to memory of 1420	2796	cmd.exe	84
PID 2796 wrote to memory of 988	2796	cmd.exe	85
PID 2796 wrote to memory of 988	2796	cmd.exe	85
PID 2796 wrote to memory of 5772	2796	cmd.exe	86
PID 2796 wrote to memory of 5772	2796	cmd.exe	86
PID 2796 wrote to memory of 3608	2796	cmd.exe	87
PID 2796 wrote to memory of 3608	2796	cmd.exe	87
PID 2796 wrote to memory of 1048	2796	cmd.exe	88
PID 2796 wrote to memory of 1048	2796	cmd.exe	88
PID 1048 wrote to memory of 1288	1048	net.exe	89
PID 1048 wrote to memory of 1288	1048	net.exe	89
PID 2796 wrote to memory of 668	2796	cmd.exe	92
PID 2796 wrote to memory of 668	2796	cmd.exe	92
PID 2796 wrote to memory of 948	2796	cmd.exe	93
PID 2796 wrote to memory of 948	2796	cmd.exe	93
PID 2796 wrote to memory of 2888	2796	cmd.exe	94
PID 2796 wrote to memory of 2888	2796	cmd.exe	94
PID 2796 wrote to memory of 5864	2796	cmd.exe	95
PID 2796 wrote to memory of 5864	2796	cmd.exe	95
PID 2796 wrote to memory of 1552	2796	cmd.exe	96
PID 2796 wrote to memory of 1552	2796	cmd.exe	96
PID 2796 wrote to memory of 3800	2796	cmd.exe	97
PID 2796 wrote to memory of 3800	2796	cmd.exe	97
PID 2796 wrote to memory of 4772	2796	cmd.exe	98
PID 2796 wrote to memory of 4772	2796	cmd.exe	98
PID 2796 wrote to memory of 3296	2796	cmd.exe	99
PID 2796 wrote to memory of 3296	2796	cmd.exe	99
PID 2796 wrote to memory of 3704	2796	cmd.exe	100
PID 2796 wrote to memory of 3704	2796	cmd.exe	100
PID 2796 wrote to memory of 4852	2796	cmd.exe	101
PID 2796 wrote to memory of 4852	2796	cmd.exe	101
PID 2796 wrote to memory of 4496	2796	cmd.exe	102
PID 2796 wrote to memory of 4496	2796	cmd.exe	102
PID 2796 wrote to memory of 5404	2796	cmd.exe	103
PID 2796 wrote to memory of 5404	2796	cmd.exe	103
PID 2796 wrote to memory of 3308	2796	cmd.exe	104
PID 2796 wrote to memory of 3308	2796	cmd.exe	104
PID 2796 wrote to memory of 1084	2796	cmd.exe	105
PID 2796 wrote to memory of 1084	2796	cmd.exe	105
PID 2796 wrote to memory of 360	2796	cmd.exe	106
PID 2796 wrote to memory of 360	2796	cmd.exe	106
PID 2796 wrote to memory of 5608	2796	cmd.exe	107
PID 2796 wrote to memory of 5608	2796	cmd.exe	107
PID 2796 wrote to memory of 5188	2796	cmd.exe	108
PID 2796 wrote to memory of 5188	2796	cmd.exe	108
PID 2796 wrote to memory of 2244	2796	cmd.exe	109
PID 2796 wrote to memory of 2244	2796	cmd.exe	109
PID 2796 wrote to memory of 228	2796	cmd.exe	110
PID 2796 wrote to memory of 228	2796	cmd.exe	110
PID 2796 wrote to memory of 5184	2796	cmd.exe	111
PID 2796 wrote to memory of 5184	2796	cmd.exe	111
PID 2796 wrote to memory of 5628	2796	cmd.exe	112
PID 2796 wrote to memory of 5628	2796	cmd.exe	112
PID 2796 wrote to memory of 444	2796	cmd.exe	113
PID 2796 wrote to memory of 444	2796	cmd.exe	113

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	OOSU10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:4304
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  PID:3348
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:5168
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:5172
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:1420
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:988
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:5772
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=auto
  2⤵
  PID:3608
- C:\Windows\system32\net.exe
  net start TrustedInstaller
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start TrustedInstaller
    3⤵
    PID:1288
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  2⤵
  PID:668
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:948
- C:\Windows\system32\tar.exe
  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  2⤵
  PID:2888
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5864
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1552
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3800
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3704
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4852
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4496
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5404
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:3308
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:1084
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:360
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5188
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:228
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:5184
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5628
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:444
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5284
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3900
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:5072
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5068
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:6052
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1408
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:5224
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:428
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:2384
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:872
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:5500
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1744
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:2192
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:944
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:5844
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:4920
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:5292
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:1876
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:5268
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:5328
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:5416
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5432
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2300
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5476
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:5136
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:5248
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3920
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5092
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2040
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2676
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:1908
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5428
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:3480
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5928
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:5912
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:5896
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:5884
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4436
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1612
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:1728
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3264
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:5004
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:3200
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5456
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:5384
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:2928
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5572
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:5808
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5564
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1016
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:988
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5772
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5824
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1624
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:6064
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3912
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:3904
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  PID:5820
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  PID:4552
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:2536
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:3196
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  - Launches sc.exe
  PID:3768
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  - Launches sc.exe
  PID:5144
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  PID:1920
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  - Launches sc.exe
  PID:4212
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:4668
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  PID:4192
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  PID:5124
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  PID:5252
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:5520
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:5324
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  PID:5836
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  - Launches sc.exe
  PID:2920
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:5624
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  PID:5984
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:4596
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:5968
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:4264
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  PID:668
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:5304
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  PID:5996
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  PID:2400
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:2888
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:2596
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  - Launches sc.exe
  PID:5688
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  PID:3540
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:3800
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:2932
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  PID:2380
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  PID:2084
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:2156
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:5104
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:4656
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:2060
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:2264
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:280
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:2104
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  - Launches sc.exe
  PID:2840
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:1544
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:5560
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:6116
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:4688
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5548
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:4496
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:712
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  PID:2768
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:2516
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:5052
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  - Launches sc.exe
  PID:360
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:2372
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:4960
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  PID:224
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  PID:252
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  PID:228
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:4220
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:616
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:4912
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:444
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  PID:5284
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:2252
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  PID:3752
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:4972
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:4940
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:5556
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  PID:2752
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  - Launches sc.exe
  PID:4232
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  PID:1652
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:4012
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:4484
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  PID:2760
- C:\Windows\system32\sc.exe
  sc config MSDTC start=demand
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:5592
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  PID:5068
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:960
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  PID:3928
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  PID:1648
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:3552
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  PID:5972
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:5232
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:5228
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  - Launches sc.exe
  PID:3380
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3860
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:1604
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  PID:3424
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:3168
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:428
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  PID:6128
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:5448
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  PID:5032
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:3944
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:5128
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:4876
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:4760
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:1868
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:420
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:1088
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  PID:4920
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:1044
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:844
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:2696
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:4400
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:5268
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:5328
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:5296
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  PID:2704
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:2160
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:2684
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:6060
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:852
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  PID:484
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:3580
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:5160
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:5432
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  PID:1296
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  - Launches sc.exe
  PID:4556
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  PID:4928
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  PID:5140
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:4188
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:5136
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  PID:6076
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  - Launches sc.exe
  PID:3920
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  PID:3504
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:3780
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:2876
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:2040
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:572
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:3628
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  PID:5708
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:4784
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  PID:4704
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:2680
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  PID:5916
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:5908
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:5912
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  PID:5892
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  PID:5876
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:1880
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  - Launches sc.exe
  PID:1748
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  PID:1612
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:1036
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:5336
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  PID:1068
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  PID:4924
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  PID:1060
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:6104
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:6112
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2928
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:5572
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  PID:5544
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:4964
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:2864
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:5096
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:920
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:2748
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  PID:720
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:3604
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:4364
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  PID:784
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  PID:1364
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  - Launches sc.exe
  PID:5868
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:5768
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  PID:1016
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  - Launches sc.exe
  PID:988
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:2544
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  - Launches sc.exe
  PID:1340
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:3820
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:3208
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  PID:2836
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:1176
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  PID:3840
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:3912
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  PID:3904
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:1040
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:5492
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  PID:3452
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  PID:1416
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:824
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  PID:2240
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:1288
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:4296
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  - Launches sc.exe
  PID:4872
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  - Launches sc.exe
  PID:4228
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5520
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  - Launches sc.exe
  PID:5324
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  PID:5836
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:5604
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:5624
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:3144
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:4216
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  PID:4596
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:5968
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  PID:6040
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:668
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:948
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  - Launches sc.exe
  PID:5640
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:5996
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  - Launches sc.exe
  PID:2400
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  PID:5636
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:5580
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  PID:1552
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:5688
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  PID:2312
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:4772
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  PID:2380
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:2084
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:240
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  - Launches sc.exe
  PID:4656
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:2060
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  - Launches sc.exe
  PID:2264
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  PID:4392
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  - Launches sc.exe
  PID:4748
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  PID:2840
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:1544
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:5560
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  PID:3020
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:4744
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:5216
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  PID:4496
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  PID:712
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:2768
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:2516
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:5052
- C:\Windows\system32\sc.exe
  sc config smphost start=demand
  2⤵
  PID:3204
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:2372
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:5188
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:2244
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  PID:4348
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:2296
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  PID:3308
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:5628
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:1924
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  PID:2432
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:5084
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:2216
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  - Launches sc.exe
  PID:2376
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  - Launches sc.exe
  PID:896
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  PID:1436
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:2328
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:4232
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:2284
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:4012
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  - Launches sc.exe
  PID:4484
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  - Launches sc.exe
  PID:2760
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:388
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:5592
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  PID:5068
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:960
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:3928
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:1648
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  PID:3552
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:2824
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  PID:5972
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:5232
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3796
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3380
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:4148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:4680
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:4008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:3424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:1784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:2384
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:5448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:5032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:3944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:820
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:2192
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:1868
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:5260
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:5472
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:4804
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:844
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4740
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5416
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3184
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:852
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:4868
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:4888
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:956
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:5432
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:5140
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:4188
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:3920
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:564
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:572
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:976
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:5428
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:2728
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:5928
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:5904
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:5912
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:5872
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:4436
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:1584
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:1612
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:1728
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:5412
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:6088
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:5696
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4884
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:1060
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:3524
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:6028
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:5572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5564
- - C:\Windows\system32\Taskmgr.exe
    "C:\Windows\system32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5700
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  PID:6084
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:3388
- C:\Windows\system32\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:3320
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
  2⤵
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:5304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
  2⤵
  PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5524
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5284
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5084
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4968
- C:\Windows\system32\curl.exe
  curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
  2⤵
  PID:4940
- C:\Windows\system32\curl.exe
  curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"
  2⤵
  PID:2752
- C:\Oneclick Tools\OOShutup10\OOSU10.exe
  "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Modifies Control Panel
  - Modifies registry class
  - System policy modification
  PID:4308
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4520
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3412
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5972
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4492
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1144
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5812
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5752
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5224
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:952
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:428
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:6128
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5500
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1744
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:4604
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:820
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:4760
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3120
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:4540
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:4920
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  PID:1044
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5292
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:1976
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:5828
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:5496
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:4740
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:5328
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:4916
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:4204
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  PID:2160
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:4944
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:3184
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:4632
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  PID:1264
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:5796
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:3580
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  PID:5160
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:1232
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:3528
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:3136
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:5140
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  - Launches sc.exe
  PID:4684
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:3780
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  PID:1556
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  PID:2232
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:2676
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:2148
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:3340
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:976
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:1936
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:248
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  - Launches sc.exe
  PID:2680
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:5924
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:5908
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:5904
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  PID:5912
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  PID:5876
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:5576
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  PID:1748
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:1036
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:5336
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:3264
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:5004
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:5696
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:1184
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  PID:4396
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:6132
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:5960
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:5740
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  PID:5808
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:3524
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:2504
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  PID:5756
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:3660
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:5704
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:4652
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:3008
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:720
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  - Launches sc.exe
  PID:3604
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:5564
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:1848
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:1920
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  PID:1804
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:4872
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:2020
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:1364
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:6084
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:6096
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:5668
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:5992
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:5644
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:1176
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:1456
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:2736
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:5636
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:792
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:3104
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:4428
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:5568
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:2132
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:1548
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:5332
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:2640
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:244
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:2508
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:3484
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:2892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:2056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:2156
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:3332
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:1268
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:5548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:4256
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:2136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:4852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:1544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:4372
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:4744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:4244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:5408
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:4676
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:5628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:5064
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:4960
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:5188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:5060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:3924
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:2216
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:2376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:2716
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:5244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:3764
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:4024
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:2760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:5536
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:2328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:5528
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:5068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:3112
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:2456
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:1664
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:5712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:5236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:4308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:5972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:4492
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:1144
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:5812
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:4680
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:5752
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:3168
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:3424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:5224
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:6128
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:5500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:5128
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:4604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:2012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:2192
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:3120
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:4760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:4148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:1876
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:4804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:5164
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:5496
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:3060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:2552
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:1668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:2704
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:4944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:3184
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:1132
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:4888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:1208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:1296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:5044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:3136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:5140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:6036
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3048
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:2676
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:2148
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  - Launches sc.exe
  PID:3340
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:976
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:1936
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  - Launches sc.exe
  PID:2320
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:2728
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:5916
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:5888
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  - Launches sc.exe
  PID:5904
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:5876
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1584
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5632
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:1036
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:1068
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2744
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:6032
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5456
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:6104
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5860
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:6028
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1008
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5172
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:5148
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:5756
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:5988
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:2724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:6080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:3008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:4964
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:5144
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:3804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:4692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:4192
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:4668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:4976
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:4644
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:5616
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:2072
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:6084
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  PID:6096
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:904
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:5868
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1772
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:5644
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:5624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:3960
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:2196
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5580
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  - Launches sc.exe
  PID:1552
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:3800
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5996
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:5864
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:2400
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:2924
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:5332
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:2264
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:2840
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  - Launches sc.exe
  PID:2096
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:240
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:2056
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:2156
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:3188
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:2932
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:5216
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:1280
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:3416
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:6116
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2768
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:360
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3204
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2296
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:616
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4912
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:224
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  - Launches sc.exe
  PID:2372
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:252
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:4348
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  - Launches sc.exe
  PID:5060
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:5284
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  - Launches sc.exe
  PID:3752
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:2376
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:2716
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:5244
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:3764
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4012
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:5024
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:4232
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  - Launches sc.exe
  PID:388
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:6052
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:5692
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:5068
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:5592
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:3516
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:4520
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  PID:5712
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2824
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:3972
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:1452
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:3796
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:4492
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:1144
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  - Launches sc.exe
  PID:5812
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:4008
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:3336
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:2288
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:952
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:2756
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:3356
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:5396
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:5500
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  - Launches sc.exe
  PID:3944
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:944
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:4876
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:820
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:1868
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:4540
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:3120
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:4760
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:844
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:1876
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:4804
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:5484
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:1444
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  - Launches sc.exe
  PID:4916
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  - Launches sc.exe
  PID:4204
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:2684
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=disabled
  2⤵
  PID:3668
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4944
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:3184
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:1264
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:5796
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  - Launches sc.exe
  PID:956
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:4888
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:5160
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:1232
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  - Launches sc.exe
  PID:4764
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:5044
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3136
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  PID:5140
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:6036
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  - Launches sc.exe
  PID:2232
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  PID:2876
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  - Launches sc.exe
  PID:2676
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:2148
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:2952
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4704
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:5920
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:5928
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:5924
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:5916
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:5888
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:2960
- C:\Windows\system32\sc.exe
  sc config esifsvc start=disabled
  2⤵
  PID:5884
- C:\Windows\system32\sc.exe
  sc config LMS start=disabled
  2⤵
  PID:2804
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2808
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:3264
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:6088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:6032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:5456
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:6104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:4396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:2868
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:2928
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:5860
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:5172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:5148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:5756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:5988
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:2864
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:6080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:3008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:4964
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:5144
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:3804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:4692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:3624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:4984
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:1472
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:4228
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:1952
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:1364
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:3388
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:3636
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:4052
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:5992
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:4932
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5688
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3532
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5332
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2816
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  PID:244
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:2892
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:2104
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3616
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "OneDrive.exe"
  2⤵
  - Kills process with taskkill
  PID:5404
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "explorer.exe"
  2⤵
  - Kills process with taskkill
  PID:4688
- C:\Windows\system32\reg.exe
  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:5220
- C:\Windows\system32\reg.exe
  reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
  2⤵
  PID:5608
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
  2⤵
  PID:4220
- C:\Windows\system32\reg.exe
  reg unload "hku\Default"
  2⤵
  PID:4892
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "OneDrive*" /f
  2⤵
  PID:5052
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5064
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3516
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5712
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4308
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5228
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4440
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WidgetService.exe
  2⤵
  - Kills process with taskkill
  PID:3804
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Widgets.exe
  2⤵
  - Kills process with taskkill
  PID:2020
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:5616
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:2072
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:6084
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\smartscreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5552
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5668
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5992
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4932
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4524
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4472
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2380
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2264
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3724
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5192
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4224
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4284
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3164
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1748
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3160
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\taskhostw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5768
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\taskhostw.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3496
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:4688
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Needed if you''d like to Search things!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1200
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/Open-Shell/Open-Shell-Menu/releases/download/v4.4.191/OpenShellSetup_4_4_191.exe" -o "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"
  2⤵
  PID:4900
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Downloads/raw/main/Menu_Settings_1.xml" -o "C:\Oneclick Tools\Open Shell\Menu_Settings_1.xml"
  2⤵
  PID:3896
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4088
- C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe
  "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4116
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:5652
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Do not skip if you want to Search things' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
  2⤵
  PID:5408
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic startup get caption /format:list
    3⤵
    PID:4904
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:616
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:2372
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "8m56aq " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:5460
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Open-Shell Start Menu " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:2332
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4596
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:5780
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:4040
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
  2⤵
  PID:4840
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:3844
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:3852
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:3848
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
  2⤵
  PID:4168
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:4788
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4640
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"
  2⤵
  PID:4512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"
  2⤵
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
  2⤵
  PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
  2⤵
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
  2⤵
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
  2⤵
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
  2⤵
  PID:3864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
  2⤵
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"
  2⤵
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"
  2⤵
  PID:4804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"
  2⤵
  PID:5956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"
  2⤵
  PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"
  2⤵
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"
  2⤵
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"
  2⤵
  PID:3528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"
  2⤵
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  2⤵
  PID:4604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  2⤵
  PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:6092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"
  2⤵
  PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"
  2⤵
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MinecraftUWP* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Wallet* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage"
  2⤵
  PID:3684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage"
  2⤵
  PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage"
  2⤵
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneVideo* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsCalculator* | Remove-AppxPackage"
  2⤵
  PID:4772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GroupMe10* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage"
  2⤵
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSaga* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSodaSaga* | Remove-AppxPackage"
  2⤵
  PID:5876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ShazamEntertainmentLtd.Shazam* | Remove-AppxPackage"
  2⤵
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Flipboard.Flipboard* | Remove-AppxPackage"
  2⤵
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *9E2F88E3.Twitter* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ClearChannelRadioDigital.iHeartRadio* | Remove-AppxPackage"
  2⤵
  PID:2868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *D5EA27B7.Duolingo-LearnLanguagesforFree* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshopExpress* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4668

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:4776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:6100

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5128

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2752
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5316
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4288
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:5548
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3184
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  PID:4804
- C:\Program Files\Open-Shell\StartMenu.exe
  "C:\Program Files\Open-Shell\StartMenu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e598218.rbs

Filesize
20KB

MD5
7c76dd80da760ab53be767f09e9ca36f

SHA1
ab40fd082aa247f4923fa8f4cdfa28a94288018f

SHA256
fce51edc797d8a0f5e3840f89bd304d69da5c9e82788911e269e3e0439e118b1

SHA512
61a41efcc6b31bf8cee7416bd91317fb043559b34619a95e5c294aff76214ddf82f4d7367df1f0548e86ac01842e01dad70008ffb531e1a0aa7eefe1eff7085f

Download Submit
C:\Oneclick Tools.zip

Filesize
564KB

MD5
d2be90c23063c07c5bf6e02c9400ac35

SHA1
c2ca99de035c17ba9b7912c26725efffe290b1db

SHA256
9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3

SHA512
13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

Download Submit
C:\Oneclick Tools\NSudo\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Oneclick Tools\OOShutup10\OOSU10.exe

Filesize
1.9MB

MD5
4803e06db91fdb8b6d1b65c0010d2f87

SHA1
f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c

SHA256
beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b

SHA512
f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Download Submit
C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg

Filesize
2KB

MD5
109f47ced5da3f92362c49069fc4624e

SHA1
79b611073aa0006f1bb4058a6ecb6f3cc97391d6

SHA256
2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b

SHA512
55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Download Submit
C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe

Filesize
7.9MB

MD5
e0484fd1e79a0227a5923cdc95b511ba

SHA1
bea0cb5c42adbde14e8cf50b64982e1877c7855d

SHA256
9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c

SHA512
80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer32.dll

Filesize
863KB

MD5
a805193aed76942c667a798f9dd721fc

SHA1
3d2f702b16cb22d5918f6d51585a871fb3b3f900

SHA256
97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89

SHA512
0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer64.dll

Filesize
964KB

MD5
950ff69adc1b8eec1bd8d502615b0ba6

SHA1
edb3916b7ada6aa0e765c6f70c39e182b8d45dfd

SHA256
9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e

SHA512
f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

Download Submit
C:\Program Files\Open-Shell\ClassicExplorerSettings.exe

Filesize
179KB

MD5
c3c68d52fc3318e324021dab87e60779

SHA1
6855eabb6c38ff953c8c678473c6dd4ab9315f30

SHA256
fed5e80a82f9a4a687fccdc0c610902e4b5b75faf5a9588a22918711f103689a

SHA512
e506e39e036263db610f8fa33f35f9d708d4d52c16f801e58348ea8cc095ee8a0056f80b9d9c0bf8fde3ff76e61c2933504727e9dce1fafda91fde71c196635d

Download Submit
C:\Program Files\Open-Shell\ExplorerL10N.ini

Filesize
98KB

MD5
6ed13b9c1719b252e735ba7e33280e67

SHA1
f3753deab4d99dbee4821a8a70fe6e978e1a45f6

SHA256
b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab

SHA512
f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk

Filesize
1KB

MD5
34ae1d752945e65a9824d6492a8ac344

SHA1
3fbbd9ea43dac7e6e9f6ca2be977321ca4d205fc

SHA256
db830150cdc2366b9f33ab0aa4d112f7e804e166aea7ec4874f2047fc63888e8

SHA512
da1a3b43e37288653f23abf9c8ee32a346d1e7c267aa75394a0576975a87957366a4480b1da767959ed2cf009f667d2289d9cef1877908c1f3682816998c2162

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe59841a.TMP

Filesize
1KB

MD5
37e033843be7bd87a930fce5cb4205f1

SHA1
667f8a869a599da2984c05f5b6b1c64dceace43c

SHA256
a53f409f008813763aac30126f119d82d8caa1a29252c8359e05e59b10a349b4

SHA512
503db8ee0178797458137c99f247a5b07f07a83e91008156920ed923f45dc12f8daf4d2a2a3af0a93580de71de3bce9bcfd489f28c0e35062b7d69a73d16b882

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
6ff3e47c68bc135f8964f4b0b01d313a

SHA1
c4484ec04e8a08d965533c12aa9dc6d19998602b

SHA256
d8d06eca77242b845ac59c5363a54b390db17f89d380f607d8e6ccfe9a07cd84

SHA512
4dc2a4c2f00b9980401132ee3c36ab0c943eae24165c4f1a2e5aa795463de44d2e22b915aa4a400369ad3035ee7df5566196ee1d0c0c1c18a138b1f02f76f7e4

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
1KB

MD5
2333ba03c6cdd0ff6cf1a54bab410734

SHA1
0a1ee5c235825705b0ddd98e062419ff1b4b8fbb

SHA256
d3aeda085656fb8e7cd8e3b76ca5f073c5c58c546104ac8d21c0cd1c7609f70b

SHA512
b19b87bf3e093e7eeb181e78da1127756e35b1f6c8e041c7a48fc3bf7aed8d1cd0d23a7ef6467f340b152a7f8137836cc7fd2f09ef39f3a00385a8aaea60ba1d

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
5aefcaa3a0213e37026bef6616aee152

SHA1
40205ab31087026e785a8de0bdb6c4915f7494b7

SHA256
ebb7390a9b9e97cf6bbeb1e14269787132dcb0fedc6fe8ccdabb8eb544552ba5

SHA512
3dbc5c14816ffe66cb93721f15c30728bf8b9597f4590c0d2f6fc920519f1ad87b91cedaff9b95331bf6ff8de24a511a71dd18fe5d756ab70bd3f25aa987620d

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk~RFe59842a.TMP

Filesize
1KB

MD5
9b1d1db0d4c57ac62c2c0a59460ff9f3

SHA1
d3721a20053db7f43c3656af9e863926f1beeaae

SHA256
acf3f770ebc75b21fbfb686881ac8b928a5741f7efb7b528c5c4f4c94f2f2d15

SHA512
d9aae3192eb5849d6e45d2abae3478bda54edd0e89f352982dd69bf0e7cfee1262609081b840653179b119bb93c932d08777bb1c8a224bf4c58091cc3b4106f9

Download Submit
C:\Program Files\Open-Shell\StartMenu.exe

Filesize
259KB

MD5
9aca92d31344210995d18ac75f7df752

SHA1
fec9f414f3c399f8384ad6a32d0b60adde85d8d9

SHA256
df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf

SHA512
ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

Download Submit
C:\Program Files\Open-Shell\StartMenuDLL.dll

Filesize
2.7MB

MD5
e29ab21b4d9266502677b9837ad23346

SHA1
939e7bb40623f04dd3d75f4685a543437512771a

SHA256
808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185

SHA512
7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

Download Submit
C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

Filesize
11KB

MD5
29221f620ea6b5893add15dd6c307684

SHA1
97c31bb9585a0896e1fcea8efa3f05ff16823da2

SHA256
53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84

SHA512
b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

Download Submit
C:\Program Files\Open-Shell\StartMenuL10N.ini

Filesize
286KB

MD5
673bb428b6d3fab8cba07890cad09d0e

SHA1
45039820289bdb485bb761e9b267f6de9e18a26c

SHA256
ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33

SHA512
2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

Download Submit
C:\Program Files\Open-Shell\Update.exe

Filesize
500KB

MD5
6165bb2e4d2215f5ec4d074b6c06b72b

SHA1
03e13ac321eadfae93a9e72f80f30bbba811b5d8

SHA256
078ab5206082b7b498e3a921913cc54e8022c79c314d37baee5290f1b451e202

SHA512
60ad9ba86160d92f46e2b6b04a65484a55c61eadf5d02b084ac5a3fe2fd8f8f2f867baeeb854b3cd3403bea83ce29e17b02057696122caff0b021f2b0f144997

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk

Filesize
1KB

MD5
234bf9c089ded65f80e3b6c9db99057b

SHA1
32d47ae64f82d88e6a417cf03be565cbc4a005df

SHA256
816a403e5658c2f99b9199822910c94045ae77c1a3da1cc85d7949c9b609f4dc

SHA512
23cbc86fbb5fd1402a13f2c44a378fd24f84a9c61e8796c21117572c3bbba7971b63f8b4100d9a9d3bb98a70dfd58adf101fabe2c6441abafd42b2654d46bbcc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe59840b.TMP

Filesize
1KB

MD5
1ea30338f8d973793c51309aad38de68

SHA1
188df79ee9f90728b40db2879bd91a43c553a6a9

SHA256
1c358848db27dab9c50c41ca44515670f5a996ac6cb4a26d47a8f949fba6e221

SHA512
b4724381d186f1536223bd6a06da0bcfce98aa28668539d08260f324142b38a51a12ffe66b86fddc8ad1f6016c923edbb6d8c854c73a140f069cb69b89aaef63

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Help.lnk

Filesize
1KB

MD5
69ff6eb9c4d829d0f38ba67285cd2fcc

SHA1
0fdb6e1768b632b69c6aafdd2c0380fa3447963c

SHA256
46e6f099ee6f26c0fbc6eda75af735761c75ca2ce9fe60e27d21abcc2478703c

SHA512
11d0d6657bde2a409b0a780d9e4c1d4eb9d67e7117e01122b53815634000bbe5e8e2f6384caa007efde26d95b9920c544dc0e4f306520dcb9fb85751018771da

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

Filesize
1KB

MD5
d0124ed60e4331594458ee059f957a2c

SHA1
a09ef3df01830447f6bcd65b854d3e19b8025fdf

SHA256
2cb37923df898d17f242762f38da128bcabe156ff46611ddadfa913ba593c182

SHA512
df9d4822b6817f42ed3dabc160920e673b81099aeba80bb256045854ee11f53a3f9e3d859c36d44b4adb0c8df4f2b6628b3311a661c5d7043f5025e9d66aea67

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe59841a.TMP

Filesize
1KB

MD5
d21af84b0824914aee1a7870b79d1391

SHA1
cba0f0316585db58e0281da529f2cebdc384da6b

SHA256
2e1548a467aae5a0f30abd985efc4a55ddb92b1d0a0ce2af7f60467876ca94d9

SHA512
fe7d4f36d9045d7b57dd858985fb08d67217466399c7482276300f32cb461c47f9e480cf7c5005b5dc3758f2a47b2bdadece79853b41f57b8165090e8e07373e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Readme.lnk

Filesize
1KB

MD5
00ddc51eff4d7705fc2686180858d744

SHA1
b49abfea9a6fa0647ae6223d69e1e1bcc7ca3816

SHA256
9ffd635f3440992fbe76a3ebfad1bdc54c04e70cf4cbbd898dab5d3eb94bcb8c

SHA512
93dac48a3bb04051a4e4b95757cbaa0d0f76be000a26cd55929a91d2a72a9dc162e3c57ce6e1a4dd76cd78b14249515091f3e6d561f5fe57888efd731cb71f77

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
3ad7b75c7402d098dde8ee6f89ed3e08

SHA1
f19af8c8f8fd510e746f33d83ca618f2a6fc8d9c

SHA256
47c2079bc08c490f2afb6dd53d7cc546981b78bf01f232a9e930a7792cbdae2f

SHA512
d5d34753e3e6a417f6747ffbf08f7e6ccf5e9bd297e8f2beb161e82981f6e1fc514dd5c84d229518849de5487e089941965b0b10eee879258f424cde4ee1efff

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
cfb6c396f7fd127ec4e13e230d38edef

SHA1
01889175b62a3a308e8bb22cba75744dbdbd22a8

SHA256
72b8cc91f6feaf491d59b3d1281e15bcb437bc26a0abeb7d1fb698eecaabd068

SHA512
056017f935c0955fdf629a5ceccda169c588d9d7852b97df4bd26a399132535f90e890310b0abfcf337966a4b6e6d732abdab09565294a83b565189b9664ce88

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe5983fb.TMP

Filesize
1KB

MD5
ae3aa0e0ba8164aae3f7410a8975bcc5

SHA1
ca9592b3c2daf85274bd7afaca73fc262a461d9c

SHA256
2dd719d7c130d1dec824b201aedc9a581d0a539967d9dabfa646403ccb2c2158

SHA512
7627bbe14d3b89531f148d3f5b07b952ad155077317240a862452c94ea193e02d28caacf66d4293f8d72697aaed807a67e139cc0105366ebbab08f21b192cff9

Download Submit
C:\ProgramData\OpenShellSetup64_4_4_191.msi

Filesize
5.3MB

MD5
cc25bc2f1b5dec7e9e7ab3289ed92cc7

SHA1
449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2

SHA256
25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313

SHA512
e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
5ffff6a71d5e86a06630b469b6139677

SHA1
96a831f9dd43e5c30f0bb12c0c7333e82bab5ce0

SHA256
f62213ab9d9fa2a38df8a5e44fa9da2434a5a0d04fd9877a683f51ad1722af7a

SHA512
d1a6ec2d03ef599d7b4103c605a5da95f5870c54b3dd18c2225841acb7e319a184c3e93a9af42d399f262bc632103c479cdf3b671fb927d6631c47a70833d1b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
158a72355ea99a8bc04d0b6a380cc97c

SHA1
750fff9e378ca754a4534371e54624f7e90b796f

SHA256
c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c

SHA512
0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
238f0a5701700be966cc85a76ecbfc19

SHA1
c69446816c9c6c0657e8705ca08459440b6e1d53

SHA256
cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b

SHA512
791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb1d69b71a38dfe81ac0d2020830faf9

SHA1
1f8baf6d137b5138ee40c725f9138e1cdd2a71fd

SHA256
5ca132239020780c2a57681b9b6960880f23c03daa982d03cb3142cb923f5001

SHA512
dba787451922e7bd2d863ba23774d80200acf58243617d0c54e5b3941fa4a47e2c7f8ba43ed91580fdc82884db7bb22bbaec0ee9ca286faab6c1d827b62896fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
eb6bbad04121efc4b28aafcfb2098c9b

SHA1
874882a3749c41301505e95510f761491c465073

SHA256
bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5

SHA512
7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
17a60c9cac37cf5412f4cd266c22a435

SHA1
648aed53b8f323be19dfb75e1c61e9dd95fdd0fd

SHA256
de36be11adf1651810ebee5d6214786e3a6045ac7ee51730036385f504d4653d

SHA512
43c8160d5e32d6aeae36201e7580dfd2d47b53ceba28443b2aedefd32377448296ce805669b5136686378603af1348d58fb40a59b906c28aed2df6f7d98b4044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70c91e55fe182a7b11ff383b0dbdd172

SHA1
b3e7063b1d6dbcd05bab520d8c54c6ee88be78b6

SHA256
20a2bab78c6744ab81aedd1c713053fe52d50755d347c8a667dc85f93c686a6f

SHA512
0f373234d24bebf1ce1d2b4ed10fb2e341aaaaac9a98000a11b5b8c9a0df969ff9af6059c14e9f41ccb8441dfb6e9933150b82a72e8c24bf2a028bd30d22038e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
204a257ced6e7475e58992aef1c1b95a

SHA1
69ccb412677305d24af5c1806e9d44ece01d315d

SHA256
b68274d2c559816f2c0348ed7585828202dd3775c5855d9ef24ce96dcc5e0276

SHA512
8a3cc37c60134d3b23606ad9abd1594f32b2c7f5e37e4c85c572b34fcd7909ecfefcdab7ce8e32a4c305206118d891a9b848f1f8a40949405cc61d1519f5a59b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b460c5aa61d0dd50667f187d64747df

SHA1
e95362244531b2b3cc63f4830d481b70c45a62a8

SHA256
27fa39b21f726de242c8548e5db00216d498ab9e510fb02669e5b1d7e6ec945c

SHA512
bc3be8e41476d2433ab3e1585463b80c474931e3b853bd77b7eadf204840da94c195ade3513cbb0a949ad6adab4b884d9382481b6188fc502ec31a762480fd30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
84c204dad2b87f924a275b6bbc4ed6c5

SHA1
7ac34fa5e527882d016096834f8833ffbed44131

SHA256
31b9b1dfe955ec78dcbb4c23003e48742f69c9349a433763c870aecba7bc34e5

SHA512
6553284deebdfd31776fda19deda05765c4280fbdfbdece4b82188fe90395fd57d9ce3df3befe394c7a5bbd804d43806e0f5bf5ce75bd9e875924f1290064440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3a924916719c590c164e2306f5b3ad4

SHA1
6b99d5b4cadd988deb3f825c38d3b2ca62beed11

SHA256
a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1

SHA512
29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
738e051dcbc27c717c236ec9f96174f9

SHA1
862fbc9fab74a4b50d2df2caae77c0cc08bf0c64

SHA256
12c60b2dfca396c7a9ed372bdd8dfecb6cf47b36b30b867abc8771d8eefc7d00

SHA512
78a018848fb9c4e0dae464e353ae7c42d9f3b80663776978731714d0a0ad1b689d58163a37fa489e8b92e4befb3e658198212ae9b48cc23dae7a615991cacebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ba8d03d9d09f8ab05ef694dea36596d

SHA1
0bb07da9d44b03720127ed9fb46d7de7454fdb79

SHA256
ee27d919a2a29e00b65110e779c83803b2d2f9d79fef103729c8ac46cc1f6711

SHA512
dfd2299c7950c69a8ed1fef842dd73f8818ba0632e22d34da50a6e531fd7719ef4076a3674c219881255401f4172b5746c7abc206d16206e3960a70b30673f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0744a59681a9be60bab7641365624c25

SHA1
cee75d038ba1a3e1a74838deecfd5941f8a21d6a

SHA256
8d56fad2832116079546b794e204957556adbed3f7b43547e7fec45c2f3cab64

SHA512
7bd0cc35fcf247eaf003ba18ee0dec906c95e5a5a35c6a38d0c9f25c585ef65250365777b54a0125dbad3d7397e4e3a6398956818deb5c2897e6e78c63e79903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7493a0adc29f690608d6c6a4b270409d

SHA1
4d020f4a6d6d1f8118124b7b15ed07c7f24633be

SHA256
b8ae5066296bc8f8216ac321f711ea56e5709e05a91346ea833298b03a706698

SHA512
640e32c6296bd03f66e9a865d6da30b617da8021ed8fadee46fcc9a55bbfac72f3895a74046e0cdbd8b29ccb1069af3b595e7825dea7d97f392c7eee64c131f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f6554e96f5fab42367a253b5bf405d0

SHA1
f35a94be4d16d9b186e51bc78dcd062ac0f238fd

SHA256
7e2712bb443fd87036d5d729d8ace1a8b72223aeaf3a04661856dce02b006f12

SHA512
9ef78818b06e6f84e5f98b3bd0051c07c55b86da6852d288b6d5a2234d6fef29806845173d0c6c58a906b290d489e2058e0fe856172eecf99cb828cb67bf29c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e0a762526392098e116e106f5ed4a89

SHA1
b5d43f02494625f23fe801cdd6494f713834c945

SHA256
d1e4afdfa2ac83ad0cc91ebdaaa7f139521dd46f7bd81b20d8f382e38ac8a32c

SHA512
3bbd3efdb4eea49d042e8134a192499fac4b3ebbf7753fa9a19435e6e3c7fac8d41894412c8aa7ee02a6557b8804112629b0e04fc0402103cddc901d46bd8ac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f702cdc9d939ae01790b9a8408671a4

SHA1
ee47fe5b362520a1066ae064266af0e3b35bcf91

SHA256
280cdf3f66527e95a43d1feeb2ed6223fb4aa3bc85efc539ac0aa1deff06ef9c

SHA512
ee697e40fe9016aeeaf38461306ca72e8d7e544539265815dd927662a064a59f00809067f61008baf0f2bea6153aa2fec5fce3beabd9935ca84ae91834a38b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9df033132c1d74b373893ede84d6e1ac

SHA1
a0c152fc6370f84557c39a078901b02394e1c1fb

SHA256
4633ad5454cf9986f1f075e970d33f73cb8c8e074fd8e4ef223f9c0a4d153c4c

SHA512
e39ec3fe9169f46e9c3b7d7c0cf4985954ff720100d6c67379be6d3536a7e0985c546c20ec1d78a289431cdb03b1a78344f6158c2dcc93d97de80395657379d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2bf307e17febb74f2eaf0d21e2958689

SHA1
ed72f4a1f4088e1dfdeb8b488fd551633bf86346

SHA256
56b3b13b65911979b02ee346be62623b4402962ff52dd326ab59ead19a59a7aa

SHA512
e8e6212b458a40df9c88c998273c623aa1c4acbca088a615986f9b0d60034957369368b18474c94900c410d82b1c8178b12b113dbde9535c938c47dd77d3235b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38c331907d57a8858bec716497ae3069

SHA1
3fda0e0e281bdfe6f5ad0fb5bb56b306cb9f0392

SHA256
50454d53f67f2207a5312a238728faca10f20ef59fe325a6d0bf56e87169a540

SHA512
2db847a118223ea00eed442083fa0db63d47c41ced9dc72f332444b429e7c7bca6b93492cd332ed84758459f903b1a0cee94b596699e53d450a70d7244263830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b421157cac6e558c0d5ada5a7b689583

SHA1
7a8aacf931b54f66604c1007b72939e156e9c2d9

SHA256
ed53e4bb2c5c7cfc8dd629fa4dd6e67daf94a57108809701015bd17b5f07c1f4

SHA512
4227d28e5b462531ed657db9743c003150c34c2980add83c36881cfb83ae8e59aabf50011989bf55c4a60c63a80db4c43c204113a98091ceb0aa5bae6f399ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3b704d3173c215d8933d7927c175600

SHA1
86a36a79fcdd08e62f8c6cd460c05e622d6c6181

SHA256
7fa7b9f8b3bdb2defcbff2d65e7195fe0836fa88c914ad75b40d1271d28e383f

SHA512
248c23cf7cd25dfc9746055cca245af4596fce4ded3bda4007f99fad77ee25e0af41f39a44968e3a883d45892a85f2b1039cd0e7c19f91ff0ede009191c0c2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
895cc00140e78236ec4ba884d0cf00bf

SHA1
39c1d4273219d88eb54a04e52f6d2e37661473a2

SHA256
b03b7e5c63a2c67a553333429c5ff027e7732a08215726a87b9781f7539b5ab2

SHA512
e771eb6e0c0dd2efbdcf5c899518b28b5c445388c52b1e664d477b44fd8cef5d54692bc5f1f77fe809666967539750eb20370d8bfc96266fe632b2390483ec48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0e19dcecbcfbade4416e2c758ec751d

SHA1
3903cbb29f40bea64dbd10db1b8dabc29d285c34

SHA256
49ea68fcb52769795437990a0c8b4776b93bad7639f7ba821181611f52cbd59e

SHA512
b10b29de40f57d4a07fba682000f28e93f0ee52f3938dfe924c1c07cc451759993477e9bdd5448b25c5336ef063a44ab5da114eed0747f528e57bef8150dd006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44f82a0323500a2c5318558fa5c8c796

SHA1
4c69243508b51bc2370b8004ed66e7479f5f5cea

SHA256
7e5f695d55df65de3f6ea8d5446385ba33f3778e8ee5f600fc72b5312c012056

SHA512
9a280ce0d9dc724496af87ea245e3546e2dfbbe898447b3542663cd0bdd4556df7c542fa131ea0fd9fd793dce482449a095e81f9c2f824d6f5eba76a2755a22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0a3aced4b267e373c90b61888b5c4e0

SHA1
31cc397554a0f13bf4f8229f69d631e7567c0512

SHA256
0a5933c24625dc4ebed39d480380eb8e44a0ec81f39d7fed760f2096ca4f61e1

SHA512
d5c9c62572cc9abdf04fb078595610bd26b7ef8f94e9d31489f1e33f5f5240a172a04826f609e40d5939aec50f1da174767a8e2a50a2fafa83ae46668481b04b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79a05c612148fe10e52a945a877b71e6

SHA1
efdc61358e7b8f01580576583a14e41a9ec58663

SHA256
51f7f490d2a0143bec7a9eecd88db883ac5b490a12f4e50230ffb247e022dc71

SHA512
6dd1c961f2fcee8c83b176e9990e27c19dd027f8b092a0a0b9a6a096991670da853b05212ce5d499010cbea487e4888d8fa67563798de42ca186ea729170c0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5arhbuyf.ioh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\StartMenuHelper32.dll

Filesize
351KB

MD5
b7c7f2bf76b2220839af735e2b58fefc

SHA1
16631df5f62096b039fc1996066805721b622407

SHA256
a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875

SHA512
6df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed

Download Submit
C:\Windows\system32\StartMenuHelper64.dll

Filesize
426KB

MD5
22c9a786f3ff34275c80876b8ac5cc10

SHA1
beb6f4f28b98910b2031c37d7cec385543045614

SHA256
b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca

SHA512
92f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
b4eaad5b9ff5cbe65c4ac468310bb144

SHA1
77af06f46734548eb047db7c180a757684af1350

SHA256
fe8d9d9b10c64e5a660837547a06bf1e18a77441f6f3fd13d5d6246027f07c1e

SHA512
e6e73cf8ca2acd611b90fe227ed2edad799ba83e4246533da360c2bb7ebe9d65e4bab2fc4ba04ea1fd137a4738749c54ff9af20e7647503830cd312a0fd7b2fa

Download Submit
\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{326ca81e-1a5a-47cb-b19e-43b2f4358d92}_OnDiskSnapshotProp

Filesize
6KB

MD5
16506ae29612c278e09f46e791731507

SHA1
4cfdc85284a77fc99b859e3ca94053d1ac3eac26

SHA256
098b57748cd1c1457cefe33d5ef0b36644c3fea3324bb3afce6d9f503a2d5ce0

SHA512
692a4ccec1d196c18694ec3844f832b4cf145b3e45b63971b7d53bd748ee174d1c942b46adbe9618708112fff29e4cf393236297f8491691d07365512d13afb3

Download Submit
memory/668-164-0x0000018A2D440000-0x0000018A2D466000-memory.dmp

Filesize
152KB

Download
memory/668-163-0x0000018A2D3A0000-0x0000018A2D3AA000-memory.dmp

Filesize
40KB

Download
memory/668-162-0x0000018A2D3B0000-0x0000018A2D3CC000-memory.dmp

Filesize
112KB

Download
memory/2136-114-0x00000216A9E70000-0x00000216A9E9A000-memory.dmp

Filesize
168KB

Download
memory/2136-115-0x00000216A9E70000-0x00000216A9E94000-memory.dmp

Filesize
144KB

Download
memory/2244-530-0x00000000103B0000-0x0000000010B6A000-memory.dmp

Filesize
7.7MB

Download
memory/3296-13-0x0000018520B30000-0x0000018520B52000-memory.dmp

Filesize
136KB

Download
memory/3352-1287-0x0000023000000000-0x0000023000001000-memory.dmp

Filesize
4KB

Download
memory/3352-1295-0x00000230758D0000-0x00000230758D1000-memory.dmp

Filesize
4KB

Download
memory/3352-89-0x0000023074DC0000-0x0000023074DD0000-memory.dmp

Filesize
64KB

Download
memory/3352-93-0x0000023075980000-0x0000023075981000-memory.dmp

Filesize
4KB

Download
memory/3352-85-0x0000023074D80000-0x0000023074D90000-memory.dmp

Filesize
64KB

Download
memory/3352-1286-0x0000023000010000-0x0000023000011000-memory.dmp

Filesize
4KB

Download
memory/3352-1290-0x0000023000000000-0x0000023000001000-memory.dmp

Filesize
4KB

Download
memory/3352-1289-0x0000023000010000-0x0000023000011000-memory.dmp

Filesize
4KB

Download
memory/3352-1292-0x0000023000000000-0x0000023000001000-memory.dmp

Filesize
4KB

Download
memory/4308-144-0x000002AB532A0000-0x000002AB53346000-memory.dmp

Filesize
664KB

Download
memory/4308-142-0x000002AB38B80000-0x000002AB38D70000-memory.dmp

Filesize
1.9MB

Download
memory/4308-143-0x000002AB39180000-0x000002AB391AC000-memory.dmp

Filesize
176KB

Download
memory/4308-146-0x000002AB53520000-0x000002AB535DA000-memory.dmp

Filesize
744KB

Download
memory/4308-145-0x000002AB391D0000-0x000002AB391EA000-memory.dmp

Filesize
104KB

Download
memory/5032-317-0x00007FF6DAF40000-0x00007FF6DB036000-memory.dmp

Filesize
984KB

Download
memory/5128-318-0x00007FF673B30000-0x00007FF673B37000-memory.dmp

Filesize
28KB

Download
memory/5128-170-0x000001F877EA0000-0x000001F877FA0000-memory.dmp

Filesize
1024KB

Download
memory/5128-168-0x000001F877EA0000-0x000001F877FA0000-memory.dmp

Filesize
1024KB

Download
memory/5128-200-0x000001F879640000-0x000001F879660000-memory.dmp

Filesize
128KB

Download
memory/5128-187-0x000001F879680000-0x000001F8796A0000-memory.dmp

Filesize
128KB

Download
memory/5128-219-0x000001F879BA0000-0x000001F879BC0000-memory.dmp

Filesize
128KB

Download
memory/5128-220-0x000001F879B60000-0x000001F879B80000-memory.dmp

Filesize
128KB

Download
memory/5700-77-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-80-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-78-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-81-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-79-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-82-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-70-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-76-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-71-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download
memory/5700-72-0x0000028764490000-0x0000028764491000-memory.dmp

Filesize
4KB

Download