ba6f2c164d4c3aa53ea0744873078d5d0cc504685211c72206d4630ee43c643c

Analysis

max time kernel
544s
max time network
444s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yes.bat
Size

81B
MD5

3ea9c0b7bb65aa8001eaeb9db7dc4baa
SHA1

66afd1dc643f1fd73f5d778c31eec1c2df87a188
SHA256

ba6f2c164d4c3aa53ea0744873078d5d0cc504685211c72206d4630ee43c643c
SHA512

ee5ae91c6246c595ceb395a4b80b580763aa884a1bdb8f2a3dc912e044bb2baecca294c36f771c791e1ebf8422b8436833dd34b94906992175545bfc609c14b3

Score

10^/10

adware defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware spyware stealer trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3332	bcdedit.exe
1060	Process not Found
3544	Process not Found
4368	Process not Found

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3388	Process not Found
5420	Process not Found
620	Process not Found
5388	Process not Found
5956	Process not Found
2980	powershell.exe
2172	powershell.exe
3640	Process not Found
5472	Process not Found
2272	Process not Found
568	Process not Found
4144	Process not Found
1740	Process not Found
4620	Process not Found
3064	Process not Found
452	Process not Found
3796	powershell.exe
5684	Process not Found
3064	Process not Found
3164	Process not Found
2616	powershell.exe
5184	powershell.exe
5332	Process not Found
2668	powershell.exe
4380	Process not Found
5032	Process not Found
5372	Process not Found
5588	powershell.exe
1080	powershell.exe
3688	Process not Found
4832	Process not Found
4032	powershell.exe
5908	powershell.exe
3348	powershell.exe
4604	Process not Found
2928	Process not Found
1592	powershell.exe
4420	powershell.exe
5132	Process not Found
1592	Process not Found
1496	Process not Found
3360	Process not Found
3820	powershell.exe
3688	powershell.exe
1048	Process not Found
1740	Process not Found
5732	powershell.exe
1572	Process not Found
4860	Process not Found
5072	Process not Found
3820	Process not Found
5276	Process not Found
3740	powershell.exe
4996	powershell.exe
5352	Process not Found
1960	Process not Found
5484	powershell.exe
4500	powershell.exe
5072	powershell.exe
1496	Process not Found
3608	Process not Found
4312	powershell.exe
3748	powershell.exe
1928	powershell.exe

Downloads MZ/PE file

Possible privilege escalation attempt 17 IoCs

exploit

pid	Process
5216	icacls.exe
5512	icacls.exe
5624	icacls.exe
6008	icacls.exe
6124	takeown.exe
2428	icacls.exe
3436	icacls.exe
3064	takeown.exe
2140	takeown.exe
2508	takeown.exe
5504	icacls.exe
2812	takeown.exe
4196	icacls.exe
3896	takeown.exe
6112	takeown.exe
4084	icacls.exe
3184	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
4896	OOSU10.exe
4928	NSudoLG.exe
4076	NSudoLG.exe
5924	OpenShellSetup_4_4_191.exe
2024	StartMenu.exe
2624	Process not Found

Loads dropped DLL 6 IoCs

pid	Process
1208	MsiExec.exe
3836	MsiExec.exe
2912	MsiExec.exe
4404	MsiExec.exe
2024	StartMenu.exe
5808	explorer.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3896	takeown.exe
5624	icacls.exe
4084	icacls.exe
4196	icacls.exe
2140	takeown.exe
3436	icacls.exe
2812	takeown.exe
2428	icacls.exe
3064	takeown.exe
6008	icacls.exe
6124	takeown.exe
3184	takeown.exe
5512	icacls.exe
2508	takeown.exe
6112	takeown.exe
5504	icacls.exe
5216	icacls.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9kleoi	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console"	Process not Found

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
150	drive.google.com
170	raw.githubusercontent.com
177	raw.githubusercontent.com
178	drive.google.com
179	drive.google.com
135	raw.githubusercontent.com
136	raw.githubusercontent.com
148	drive.google.com

Power Settings 1 TTPs 24 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5444	Process not Found
4120	Process not Found
5364	Process not Found
448	Process not Found
1928	Process not Found
4628	Process not Found
1876	Process not Found
2380	Process not Found
5668	Process not Found
3684	Process not Found
2444	Process not Found
2036	Process not Found
6072	Process not Found
5804	powercfg.exe
4076	Process not Found
3368	Process not Found
4188	Process not Found
4196	Process not Found
5496	Process not Found
4616	Process not Found
3364	Process not Found
1272	Process not Found
6132	Process not Found
4108	Process not Found

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{02d0b31d-15a8-4ae0-85bd-eed922f6d3c3}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3442511616-637977696-3186306149-1000_StartupInfo3.xml	svchost.exe
File created	C:\Windows\SysWOW64\StartMenuHelper32.dll	msiexec.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{02d0b31d-15a8-4ae0-85bd-eed922f6d3c3}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3442511616-637977696-3186306149-1000_UserData.bin	svchost.exe
File created	C:\Windows\system32\StartMenuHelper64.dll	msiexec.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\ExplorerL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\PolicyDefinitions.zip	msiexec.exe
File created	C:\Program Files\Open-Shell\Update.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenu.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe5beeb2.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShellReadme.rtf	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer64.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Full Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShell.chm	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Basic.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuDLL.dll	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metallic.skin7	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer32.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Midnight.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuHelperL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorerSettings.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\DesktopToasts.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Smoked Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe5beec1.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe5beed1.TMP	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Acrofx32.dll	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACROPD~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBEA~2.BDC	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Checkers.api	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PDDOM~1.API	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\prcr.x3d	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\RDRSER~1.EXE	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_77A9~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_727A~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBEP~1.PMP	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MULTIM~1.API	cmd.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\CONCRT~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENT~4	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_B2C0~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1253.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icudt40.dll	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QUICKT~1.MPP	cmd.exe
File created	C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7}	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_D2B9~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CORPCH~1.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1252~1.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\DISPLA~2.T	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\FILLSI~1.AAP	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\MSVCP1~3.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_R~1.AAP	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe	cmd.exe
File opened for modification	C:\Windows\Installer\e5bea9b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_7C53~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CYRILLIC.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eBook.api	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\MSVCP1~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_9827~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACROTE~1.EXE	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_ecc.dll	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXE8SH~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CCME_A~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CROATIAN.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENT~1.194	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ROMAN~1.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Spelling.api	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SYMBOL.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_A206~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENT~2	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACROBR~1.EXE	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ROMANIAN.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\MSVCP1~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_FCCC~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_038A~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_E61E~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\JP2KLib.dll	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Onix32.dll	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBEH~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CENTEURO.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1257.TXT	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\JSBYTE~1.BIN	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\READER~1.EXE	cmd.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1208	powershell.exe
4436	powershell.exe
5532	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5788	sc.exe
2856	sc.exe
5780	sc.exe
5808	sc.exe
3368	sc.exe
5652	sc.exe
5932	sc.exe
400	sc.exe
5516	sc.exe
4320	sc.exe
3256	sc.exe
5772	sc.exe
5388	sc.exe
3888	sc.exe
3864	sc.exe
228	sc.exe
3492	sc.exe
4428	sc.exe
3064	sc.exe
5968	sc.exe
5408	sc.exe
5576	sc.exe
6008	sc.exe
5712	sc.exe
6076	sc.exe
3756	sc.exe
5876	sc.exe
1876	sc.exe
4884	sc.exe
4944	sc.exe
1420	sc.exe
5508	sc.exe
1248	sc.exe
2428	sc.exe
3360	sc.exe
4696	sc.exe
5360	sc.exe
660	sc.exe
5108	sc.exe
4548	sc.exe
5496	sc.exe
1924	sc.exe
4632	sc.exe
5644	sc.exe
5956	sc.exe
1828	sc.exe
5324	sc.exe
5460	sc.exe
1652	sc.exe
5964	sc.exe
2840	sc.exe
396	sc.exe
5460	sc.exe
5852	sc.exe
5012	sc.exe
5744	sc.exe
5460	sc.exe
5384	sc.exe
5856	sc.exe
5964	sc.exe
1720	sc.exe
5240	sc.exe
5836	sc.exe
5564	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenShellSetup_4_4_191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5392	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
5848	timeout.exe
5944	timeout.exe
5524	timeout.exe
208	timeout.exe
3796	timeout.exe
1684	Process not Found
2008	timeout.exe
3720	Process not Found
4520	timeout.exe
5828	timeout.exe
4072	timeout.exe
4384	Process not Found
4500	timeout.exe
5132	timeout.exe
5496	timeout.exe
5132	timeout.exe
5844	timeout.exe
1684	timeout.exe
4724	timeout.exe
2344	Process not Found
452	Process not Found
5508	timeout.exe
3672	timeout.exe
4904	timeout.exe
4604	timeout.exe
5916	timeout.exe
2824	timeout.exe
5012	timeout.exe
5636	timeout.exe
3892	timeout.exe
4812	Process not Found
5472	Process not Found
1528	timeout.exe
1048	timeout.exe
3064	timeout.exe
396	timeout.exe
636	Process not Found
1456	Process not Found
3732	Process not Found
2804	Process not Found
5720	timeout.exe
5936	timeout.exe
3196	timeout.exe
5768	timeout.exe
3544	timeout.exe
1052	Process not Found
2052	timeout.exe
5760	timeout.exe
3680	Process not Found
3940	timeout.exe
4508	timeout.exe
5216	timeout.exe
4764	timeout.exe
1468	Process not Found
3584	Process not Found
5736	timeout.exe
5844	timeout.exe
4308	timeout.exe
1832	timeout.exe
4772	timeout.exe
5508	timeout.exe
5516	timeout.exe
5736	timeout.exe
3360	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1248	Process not Found
3668	Process not Found
3924	Process not Found
2384	Process not Found

Kills process with taskkill 13 IoCs

evasion

pid	Process
5332	taskkill.exe
3956	Process not Found
5512	taskkill.exe
3032	taskkill.exe
4500	taskkill.exe
5484	taskkill.exe
5996	taskkill.exe
1208	Process not Found
4404	Process not Found
976	Process not Found
5216	taskkill.exe
3944	taskkill.exe
5960	Process not Found

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	OOSU10.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133757379713934070"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39020000000000	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer32.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}\ = "StartMenuHelper"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\ = "ExplorerBand Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win64\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ = "Open-Shell Modern Settings"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e0071800000000000000000000037595a02bea68646a84436fe4bec8b6d0000	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win64	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\CLSID\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\ = "ShareOverlay Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F\StartMenu = "OpenShell"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\CLSID\ = "{594D4122-1F87-41E2-96C7-825FB4796516}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\ShellEx\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FE47A977ED3217C4CA21E25E5A24DE43	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\SourceList\PackageName = "OpenShellSetup64_4_4_191.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.ImmersiveApplication\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ = "IShareOverlay"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\SysWow64\\StartMenuHelper32.dll"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\ = "StartMenuEmulation"	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\ = "ExplorerBHO Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.ImmersiveApplication\ShellEx\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay.1\CLSID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ProgID\ = "ClassicExplorer.ShareOverlay.1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5548	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1728	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
5588	powershell.exe
5588	powershell.exe
5588	powershell.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
6040	powershell.exe
6040	powershell.exe
6040	powershell.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
5988	powershell.exe
5988	powershell.exe
5988	powershell.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5808	explorer.exe
4952	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3444	WMIC.exe
Token: SeSecurityPrivilege	3444	WMIC.exe
Token: SeTakeOwnershipPrivilege	3444	WMIC.exe
Token: SeLoadDriverPrivilege	3444	WMIC.exe
Token: SeSystemProfilePrivilege	3444	WMIC.exe
Token: SeSystemtimePrivilege	3444	WMIC.exe
Token: SeProfSingleProcessPrivilege	3444	WMIC.exe
Token: SeIncBasePriorityPrivilege	3444	WMIC.exe
Token: SeCreatePagefilePrivilege	3444	WMIC.exe
Token: SeBackupPrivilege	3444	WMIC.exe
Token: SeRestorePrivilege	3444	WMIC.exe
Token: SeShutdownPrivilege	3444	WMIC.exe
Token: SeDebugPrivilege	3444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3444	WMIC.exe
Token: SeRemoteShutdownPrivilege	3444	WMIC.exe
Token: SeUndockPrivilege	3444	WMIC.exe
Token: SeManageVolumePrivilege	3444	WMIC.exe
Token: 33	3444	WMIC.exe
Token: 34	3444	WMIC.exe
Token: 35	3444	WMIC.exe
Token: 36	3444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3444	WMIC.exe
Token: SeSecurityPrivilege	3444	WMIC.exe
Token: SeTakeOwnershipPrivilege	3444	WMIC.exe
Token: SeLoadDriverPrivilege	3444	WMIC.exe
Token: SeSystemProfilePrivilege	3444	WMIC.exe
Token: SeSystemtimePrivilege	3444	WMIC.exe
Token: SeProfSingleProcessPrivilege	3444	WMIC.exe
Token: SeIncBasePriorityPrivilege	3444	WMIC.exe
Token: SeCreatePagefilePrivilege	3444	WMIC.exe
Token: SeBackupPrivilege	3444	WMIC.exe
Token: SeRestorePrivilege	3444	WMIC.exe
Token: SeShutdownPrivilege	3444	WMIC.exe
Token: SeDebugPrivilege	3444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3444	WMIC.exe
Token: SeRemoteShutdownPrivilege	3444	WMIC.exe
Token: SeUndockPrivilege	3444	WMIC.exe
Token: SeManageVolumePrivilege	3444	WMIC.exe
Token: 33	3444	WMIC.exe
Token: 34	3444	WMIC.exe
Token: 35	3444	WMIC.exe
Token: 36	3444	WMIC.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe
Token: SeShutdownPrivilege	4352	chrome.exe
Token: SeCreatePagefilePrivilege	4352	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe
4820	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3060	StartMenuExperienceHost.exe
4676	SearchApp.exe
5808	explorer.exe
2024	StartMenu.exe
5808	explorer.exe
5808	explorer.exe
5808	explorer.exe
5808	explorer.exe
5808	explorer.exe
5808	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 3444	4012	cmd.exe	84
PID 4012 wrote to memory of 3444	4012	cmd.exe	84
PID 4352 wrote to memory of 812	4352	chrome.exe	104
PID 4352 wrote to memory of 812	4352	chrome.exe	104
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 1680	4352	chrome.exe	105
PID 4352 wrote to memory of 3832	4352	chrome.exe	106
PID 4352 wrote to memory of 3832	4352	chrome.exe	106
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107
PID 4352 wrote to memory of 4856	4352	chrome.exe	107

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	OOSU10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\yes.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\System32\Wbem\WMIC.exe
  wmic baseboard get Manufacturer, Product, SerialNumber, Version
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffee631cc40,0x7ffee631cc4c,0x7ffee631cc58
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2024,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4584,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3732 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5092,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5100,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5296,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4436,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5776,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5804 /prefetch:2
  2⤵
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5596,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6000,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3408,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5924,i,15827499447221798148,794338208564598704,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  PID:5420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4788

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Oneclick-V6.7.bat"
1⤵
- Checks computer location settings
- Drops file in Windows directory
PID:4836
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:5168
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  PID:5148
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:5140
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:5128
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:3796
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:4608
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:1272
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  2⤵
  PID:2428
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4500
- C:\Windows\system32\tar.exe
  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  2⤵
  PID:5456
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5484
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:5516
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5548
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5588
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  PID:6132
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5700
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5720
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5744
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:5732
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:5804
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:5828
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5848
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:5868
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:5880
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:5904
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:5916
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5944
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:5960
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4904
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:6012
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:856
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:5440
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6040
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3940
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:3384
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:3036
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:4292
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4520
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:1304
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4604
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:1440
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:228
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:6036
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:5264
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:5276
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:5356
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:368
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:5352
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5132
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:5148
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:3796
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:4812
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:4492
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2444
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1528
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:5520
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:5480
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5496
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:5404
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5524
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:5548
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5636
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:5704
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:3772
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:3724
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5736
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5752
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:5796
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  PID:5804
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5828
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:5852
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  - Launches sc.exe
  PID:5876
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5936
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:5920
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:5912
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5916
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:5948
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5972
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5988
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:3844
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5132
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5148
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2008
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:3744
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:672
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  PID:3656
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  PID:4500
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:5468
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  PID:5512
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:5480
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  PID:5504
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  - Launches sc.exe
  PID:1876
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  PID:5404
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  - Launches sc.exe
  PID:5516
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:5524
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  PID:5580
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  - Launches sc.exe
  PID:5644
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  PID:6132
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  PID:4832
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:4892
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  PID:3724
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  PID:5764
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:5812
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:5816
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  PID:5840
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:5804
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:5828
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:5852
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  PID:5876
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:5936
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:5920
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  PID:5912
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:5956
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  - Launches sc.exe
  PID:5964
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:2200
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  PID:2340
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:5004
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:5300
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  PID:6000
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  PID:4636
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:6024
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:6032
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:396
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:6060
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:5428
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:5084
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:952
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  PID:5424
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:6076
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:6048
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:6040
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  - Launches sc.exe
  PID:4320
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  PID:3452
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:5388
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:5444
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  PID:1068
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:4520
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  - Launches sc.exe
  PID:4884
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:2344
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:5408
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  PID:3044
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  PID:228
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  PID:3196
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:5260
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:5268
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:5324
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  - Launches sc.exe
  PID:1720
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:4420
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  - Launches sc.exe
  PID:4944
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:4068
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:4300
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:5316
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  PID:3360
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  PID:1176
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  PID:964
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:220
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:5352
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  PID:4676
- C:\Windows\system32\sc.exe
  sc config MSDTC start=demand
  2⤵
  PID:4360
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:2336
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  - Launches sc.exe
  PID:3256
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  PID:928
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  PID:2332
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:976
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  PID:1776
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  PID:3888
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:4508
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  - Launches sc.exe
  PID:660
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:3332
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:2704
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5788
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:5724
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  PID:5896
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:5208
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  PID:5224
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:5204
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:5200
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  - Launches sc.exe
  PID:5460
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:5540
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  PID:5452
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:3500
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5108
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:4372
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:4948
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:5216
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:3968
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:4432
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  PID:4584
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:4012
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:4552
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:2540
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:5240
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:2232
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  - Launches sc.exe
  PID:3064
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  - Launches sc.exe
  PID:4548
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:4544
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  - Launches sc.exe
  PID:6008
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  PID:3720
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:5988
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:1056
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:5124
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  PID:1924
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  PID:2668
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  PID:4772
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  PID:4608
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:2140
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  - Launches sc.exe
  PID:5508
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  PID:1528
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  PID:5476
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:5492
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:5484
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5496
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:5532
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:5360
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  PID:5560
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:5524
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  PID:5652
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:6096
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  - Launches sc.exe
  PID:5712
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:4832
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:5728
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  PID:5744
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5808
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:5812
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  PID:5816
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  PID:5840
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:5804
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:5868
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  - Launches sc.exe
  PID:5852
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  PID:5876
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  PID:5936
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:1540
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  PID:5732
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  - Launches sc.exe
  PID:5968
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  PID:2200
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  PID:2340
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:5280
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  PID:4348
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:4636
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:6056
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:6052
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:936
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:1156
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  PID:5432
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:952
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:5424
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  - Launches sc.exe
  PID:6076
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  - Launches sc.exe
  PID:1828
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:3940
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:3384
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  PID:2448
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5388
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:3084
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  PID:1068
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:4520
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:1440
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5408
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  PID:4808
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:3196
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:5260
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:5268
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  - Launches sc.exe
  PID:5324
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:4420
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  PID:2248
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:5316
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  - Launches sc.exe
  PID:3360
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:4860
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:668
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:736
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  PID:5352
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:4676
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  PID:1520
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:1032
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:2368
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  PID:4632
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:4996
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  - Launches sc.exe
  PID:3888
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:4848
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  PID:3172
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  PID:2188
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  PID:5784
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  PID:5792
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:5892
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  PID:5724
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:5232
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  PID:5220
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:5204
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  PID:5192
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  - Launches sc.exe
  PID:5460
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  - Launches sc.exe
  PID:5564
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:1516
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  PID:3500
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:5108
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:4372
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  PID:4948
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  PID:1184
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  PID:2588
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:1072
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:2860
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  - Launches sc.exe
  PID:3756
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:4436
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:4072
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  PID:4792
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  PID:2560
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:4924
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:4964
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:5464
- C:\Windows\system32\sc.exe
  sc config smphost start=demand
  2⤵
  PID:4784
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:4564
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:3672
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  PID:4544
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  PID:2848
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:3720
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:5988
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  PID:1056
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:1924
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:2668
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  - Launches sc.exe
  PID:4696
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:672
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:3656
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:5520
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:5468
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  PID:5512
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  PID:5484
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:5528
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:5252
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  - Launches sc.exe
  PID:5576
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  PID:5560
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:5636
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:5652
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:5700
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:3772
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  PID:3492
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:3724
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  PID:5728
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:5744
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5824
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:5860
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:5820
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:5868
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:5852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:5920
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:5944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:4896
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:5948
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:5972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:2200
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:5004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:5800
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:6024
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:2052
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:396
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:6060
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5428
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4804
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1760
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5112
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:6040
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3940
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:428
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:3936
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:4456
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:1068
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:2164
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:4384
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:1492
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:860
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:228
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:4464
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:1624
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:5376
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:3836
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:696
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:4068
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:6064
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:5316
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:368
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:4860
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:3952
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:1496
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:6020
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:464
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:4968
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:224
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4428
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4508
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:2704
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:5756
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  PID:5900
- - C:\Windows\system32\Taskmgr.exe
    "C:\Windows\system32\Taskmgr.exe"
    3⤵
    PID:2920
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:1048
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2896
- C:\Windows\system32\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:5216
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
  2⤵
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
  2⤵
  PID:5292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    3⤵
    PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
  2⤵
  PID:4696
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:5532
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5736
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5808
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5836
- C:\Windows\system32\curl.exe
  curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
  2⤵
  PID:5864
- C:\Windows\system32\curl.exe
  curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"
  2⤵
  PID:5860
- C:\Oneclick Tools\OOShutup10\OOSU10.exe
  "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Modifies Control Panel
  - System policy modification
  PID:4896
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3196
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4944
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:208
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5184
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3360
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1032
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3476
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4848
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4428
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2672
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:1608
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:4984
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5888
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:5756
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5768
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:5568
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:5556
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  PID:4568
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:5220
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:5160
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:5212
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:5224
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:5236
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:5188
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:552
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:5020
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:1048
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:2896
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:3884
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  - Launches sc.exe
  PID:1248
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:5332
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:1328
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  PID:4800
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:3300
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:2588
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:4020
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:2032
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  PID:4924
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  - Launches sc.exe
  PID:5240
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:5464
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  PID:4016
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:1280
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3368
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:4784
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:740
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:5216
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:2928
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:5128
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1420
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:2668
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:4544
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5012
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  - Launches sc.exe
  PID:2856
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  PID:5140
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:6008
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:384
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:1228
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:5472
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:5468
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:4812
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:4104
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:5508
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:1368
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  PID:4696
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:5536
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5652
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  PID:6096
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:3772
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:5584
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:5252
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:5560
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  - Launches sc.exe
  PID:3864
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:3492
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:3544
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:5764
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  - Launches sc.exe
  PID:5744
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:5824
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5836
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:5848
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:5816
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:5908
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:5928
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:4460
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:180
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:5804
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  - Launches sc.exe
  PID:5964
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:2340
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:2448
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:4528
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:64
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:4688
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:860
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:1524
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:396
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:5388
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:3060
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:5256
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:2832
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:3820
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:4896
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:3196
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:4944
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:2892
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:5316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:2788
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:4360
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:2336
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:6020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:1892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:1200
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:2376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:4968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:224
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:4848
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:2188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:4048
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:3172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:5440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:5884
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:2416
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:5784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:2704
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:5568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:5556
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:4568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:2592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:5160
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:5212
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:4224
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:1516
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:5724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:5020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:3624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:5312
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:1816
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:1248
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:3380
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:4980
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:4972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:1072
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:4020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:2540
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:4424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:4552
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:1684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:4056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:5060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:4784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:2700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:5136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:1056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:1420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:2888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:3672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:2848
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:1652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:5140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:4108
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:1528
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:4500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:5476
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:5468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:3744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:5480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:5496
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:1876
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:6132
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:5700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:5504
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:3772
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:5584
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:5648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:4832
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:5384
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:5728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:5736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:4572
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:5532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:5824
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5844
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:5816
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:5932
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:5928
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:5924
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:5872
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:5964
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:116
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:5112
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:4384
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  PID:3044
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  PID:1212
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:228
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:5972
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5420
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5444
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:2112
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:404
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4464
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4420
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3628
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:208
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:5184
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:3952
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:1496
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:4756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:3488
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:2336
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:2564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:6020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:1892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:1200
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:2376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:4968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:224
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:4848
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:2188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:1608
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5788
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:5896
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:5772
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:5192
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:5784
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5768
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  - Launches sc.exe
  PID:5460
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:3500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:636
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:5108
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2920
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  - Launches sc.exe
  PID:5780
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:4288
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5760
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:5452
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:4224
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:5900
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:552
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:5020
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:3624
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:2896
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:5328
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:5332
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:1248
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:2964
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:3968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:2588
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:2032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:4924
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:2372
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4308
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4552
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4072
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4964
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3064
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:740
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5216
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:3844
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  - Launches sc.exe
  PID:1924
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:1056
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:4284
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:2668
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:1420
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:2888
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:3672
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:2848
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:1652
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:4772
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:3944
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:2444
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:5520
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:4500
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:5476
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:3796
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:2140
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:4104
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:4960
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:5704
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:5644
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:5712
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  PID:5548
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  - Launches sc.exe
  PID:5360
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:5252
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:5584
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:5580
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:3864
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  - Launches sc.exe
  PID:3492
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  - Launches sc.exe
  PID:5384
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:3544
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:5764
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:3336
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:5812
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:5532
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:5824
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  - Launches sc.exe
  PID:5856
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:5880
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:5816
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  - Launches sc.exe
  PID:5932
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:5928
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:5924
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:5860
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:2200
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:2340
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:3012
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:4604
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  - Launches sc.exe
  PID:2840
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:2692
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  PID:1492
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:1060
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:6052
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=disabled
  2⤵
  PID:1524
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:396
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:5960
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:2616
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:2628
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:3820
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:2112
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:1480
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:1960
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  PID:4944
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:4300
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:208
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  - Launches sc.exe
  PID:400
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  PID:3952
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  PID:436
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  PID:1496
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  PID:5088
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:5032
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:368
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:5392
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2624
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:928
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:1776
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4632
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:2376
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc config esifsvc start=disabled
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config LMS start=disabled
  2⤵
  - Launches sc.exe
  PID:4428
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1832
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:3332
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:5792
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:1180
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:5756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:5784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:5540
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:5416
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:5564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:3644
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:4568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:2592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:5160
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:5204
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:5196
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:5452
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:5028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:5724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:2268
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:5020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:5336
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:1816
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:5332
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:2904
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:2116
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:4152
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:4468
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:3756
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:2560
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:2232
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:5464
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:4012
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
  2⤵
  PID:4056
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2888
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2812
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6008
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4772
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  PID:3944
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:4500
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:5512
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5508
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "OneDrive.exe"
  2⤵
  - Kills process with taskkill
  PID:5484
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "explorer.exe"
  2⤵
  - Kills process with taskkill
  PID:5996
- C:\Windows\system32\reg.exe
  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:5360
- C:\Windows\system32\reg.exe
  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:5560
- C:\Windows\system32\reg.exe
  reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
  2⤵
  PID:5380
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  reg unload "hku\Default"
  2⤵
  PID:5720
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "OneDrive*" /f
  2⤵
  PID:5728
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5808
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2824
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6124
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4084
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4724
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WidgetService.exe
  2⤵
  - Kills process with taskkill
  PID:3032
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Widgets.exe
  2⤵
  - Kills process with taskkill
  PID:5332
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:1064
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:2424
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5012
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\smartscreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3064
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5216
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3184
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2428
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3796
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2140
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5512
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5508
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5484
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3892
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2508
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4196
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3896
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5624
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\taskhostw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6112
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\taskhostw.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3436
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5620
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Needed if you''d like to Search things!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4032
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5992
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/Open-Shell/Open-Shell-Menu/releases/download/v4.4.191/OpenShellSetup_4_4_191.exe" -o "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"
  2⤵
  PID:3864
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Downloads/raw/main/Menu_Settings_1.xml" -o "C:\Oneclick Tools\Open Shell\Menu_Settings_1.xml"
  2⤵
  PID:5840
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4764
- C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe
  "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5924
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:4060
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Do not skip if you want to Search things' -ForegroundColor White -BackgroundColor Red"
  2⤵
  PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
  2⤵
  PID:3896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic startup get caption /format:list
    3⤵
    PID:5620
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:3616
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:5680
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "9kleoi " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:5660
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Open-Shell Start Menu " /t REG_SZ /d "" /f
  2⤵
  - Adds Run key to start application
  PID:5528
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3544
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:5748
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:5448
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
  2⤵
  PID:5956
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:5840
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:4764
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:3016
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
  2⤵
  PID:4204
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  - Adds Run key to start application
  PID:4328
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:3388
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"
  2⤵
  PID:5832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
  2⤵
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
  2⤵
  PID:4108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
  2⤵
  PID:3552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
  2⤵
  PID:5484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"
  2⤵
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
  2⤵
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
  2⤵
  PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
  2⤵
  PID:6092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"
  2⤵
  PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
  2⤵
  PID:712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
  2⤵
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
  2⤵
  PID:3636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
  2⤵
  PID:5444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"
  2⤵
  PID:5368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"
  2⤵
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"
  2⤵
  PID:6004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"
  2⤵
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"
  2⤵
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"
  2⤵
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
  2⤵
  PID:5708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"
  2⤵
  PID:3488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"
  2⤵
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"
  2⤵
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"
  2⤵
  PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  2⤵
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
  2⤵
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"
  2⤵
  PID:5512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"
  2⤵
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"
  2⤵
  PID:5464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:6056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:1156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1676
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1956
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1208
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3836
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2912
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  PID:4404
- C:\Program Files\Open-Shell\StartMenu.exe
  "C:\Program Files\Open-Shell\StartMenu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1516

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5bea9c.rbs

Filesize
20KB

MD5
a20f5aa9441b3b2fb78e4f58dd94e100

SHA1
3582d1e28b23f7377fa9d79180939714f303f5b5

SHA256
8409cff4964edf4dcce7e1d10dbe2c05c19aa4355b0ff44e099745cd6a4147d2

SHA512
16d5c91ad9016244b07bfe48cf794ad60ea75e52b660bd35064041ed0ff4e46d2c284a3e527a4cf88b848a26776dfe42b4e10d49629572887cae68be7a4467c5

Download Submit
C:\Oneclick Tools.zip

Filesize
564KB

MD5
d2be90c23063c07c5bf6e02c9400ac35

SHA1
c2ca99de035c17ba9b7912c26725efffe290b1db

SHA256
9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3

SHA512
13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

Download Submit
C:\Oneclick Tools\NSudo\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Oneclick Tools\OOShutup10\OOSU10.exe

Filesize
1.9MB

MD5
4803e06db91fdb8b6d1b65c0010d2f87

SHA1
f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c

SHA256
beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b

SHA512
f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Download Submit
C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg

Filesize
2KB

MD5
109f47ced5da3f92362c49069fc4624e

SHA1
79b611073aa0006f1bb4058a6ecb6f3cc97391d6

SHA256
2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b

SHA512
55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Download Submit
C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe

Filesize
7.9MB

MD5
e0484fd1e79a0227a5923cdc95b511ba

SHA1
bea0cb5c42adbde14e8cf50b64982e1877c7855d

SHA256
9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c

SHA512
80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer32.dll

Filesize
863KB

MD5
a805193aed76942c667a798f9dd721fc

SHA1
3d2f702b16cb22d5918f6d51585a871fb3b3f900

SHA256
97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89

SHA512
0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer64.dll

Filesize
964KB

MD5
950ff69adc1b8eec1bd8d502615b0ba6

SHA1
edb3916b7ada6aa0e765c6f70c39e182b8d45dfd

SHA256
9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e

SHA512
f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

Download Submit
C:\Program Files\Open-Shell\ExplorerL10N.ini

Filesize
98KB

MD5
6ed13b9c1719b252e735ba7e33280e67

SHA1
f3753deab4d99dbee4821a8a70fe6e978e1a45f6

SHA256
b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab

SHA512
f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk

Filesize
1KB

MD5
97d86fe239782cf35f95b0e719f5a565

SHA1
9929eae9732a426f50a06346c35081d639694f3e

SHA256
aafdd6859d9a194308286db68688a318160c7fb922b2509c2ba89d961ee2bde0

SHA512
675626c6658b314672ba8c9c55265219d000b82bd2501ba15ca9577ac023794d16df75a8ec549367eff2a9e2aaa4e1026dda9e439fa5752d93854de0313c4096

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe5beeb2.TMP

Filesize
1KB

MD5
1abb1e3f9f7620aa166bd5b00a8b0f9e

SHA1
fd9e74b2efbf02a37313a451e8deacd1513eb96e

SHA256
683e188b54ed3d47326a9d69e087038eee0a66dfaa8a277e7e23e39f8d316f75

SHA512
a9a63ffdb1676ee371046a559210e20db552b2e02ecf26e11545be848476243aadfc8d395971e9f677035c43b921b869a6affad0286464973493c7658f03051d

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
1KB

MD5
7026ab53f627e3207b712e9c22068059

SHA1
0c7444d44b1cdd61982ed49d1415a8d172b0bd09

SHA256
d617d83f5e558ea9b0bca4ba7572c1d9588b033fa8fe46a9b14f971c88fa5f05

SHA512
dc1bb98a40053e45cb62f4facb22203a491e04975bf7e4ac90d2ad69efb6466b6168a9c8a31ec2599fbf9cb530cb03bd7253d177a54f7581ff172456a5fa35f2

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
31fa376fa7b6bb425f5f63cfc890e955

SHA1
18212570b1d4054536990bfe458ac1959269b7c2

SHA256
6b731aa568e6ba2eca2afd4de6c354854da4f7732a40ee8db6d1ea71db7f5f74

SHA512
af8b78fb02f485e22ba7cd31f7972da1576530656f37c721a6fe64cb896b1c221db7111f893c4e539171267ca87b7d061b91e1386516ec5910ba12e3eba7a56d

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
33cd0c3789a19ea6ce103ce015e6d162

SHA1
5a318ae0ed8b850c7e4674454a0f58a0c64abb5e

SHA256
a96cea1304a7cf8233c0b18b4dab265aef5c149b5e02636b88fc0f30f0b2337d

SHA512
6c21289e48a5804b3d54d015d191832d325a958923fbb37dc0badd75c6984df6ffcf573733ecef8a01d90017f0445434a6e24c723f265f12fd523857c5b42a2e

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk~RFe5beec1.TMP

Filesize
1KB

MD5
6eb4b79b1e25c6345276be2b4c35cbf0

SHA1
63154ad972ac0bba6ac45787adebce66f0b99d8a

SHA256
635885ad26e724d1fe3c862dc1829e5d17c4ba065955c6ac9ffdbf54456f70cd

SHA512
9591f61b55bd414d138b1b166212c97299db313e92d1d1fd44d506a0d15500aa4bd644d1f035eada951e22624abdecd6aa388f58beb8198fe0867a7cac221fb2

Download Submit
C:\Program Files\Open-Shell\StartMenu.exe

Filesize
259KB

MD5
9aca92d31344210995d18ac75f7df752

SHA1
fec9f414f3c399f8384ad6a32d0b60adde85d8d9

SHA256
df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf

SHA512
ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

Download Submit
C:\Program Files\Open-Shell\StartMenuDLL.dll

Filesize
2.7MB

MD5
e29ab21b4d9266502677b9837ad23346

SHA1
939e7bb40623f04dd3d75f4685a543437512771a

SHA256
808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185

SHA512
7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

Download Submit
C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

Filesize
11KB

MD5
29221f620ea6b5893add15dd6c307684

SHA1
97c31bb9585a0896e1fcea8efa3f05ff16823da2

SHA256
53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84

SHA512
b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk

Filesize
1KB

MD5
857c88a7763f52965e74ca88d2ee3d7a

SHA1
f2f9d8d7b73e9505b7547742d5b32335e0c8e151

SHA256
d873b97c123eb9db17555269791db9b1d3dcc15d464e344633c080d4807e10a7

SHA512
255db186b157bab6f33f5dcb87b249b22dc9ea038ad0c1464916198cb3c58b7c2d93034125333026fd80f4d70bd4b46afe8d1bd633103f52c043b8470b4f5657

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe5bee83.TMP

Filesize
1KB

MD5
734a183031e627c98cbc4ed2c71888f7

SHA1
e4ad880e839290da2cf5b21f85a00531641810ac

SHA256
9facbe4e8e581deb891f07d4d4936d949e7f906693b8e6bc0b31b52633d7ff9e

SHA512
a658a9182702ad1c86aa65f37694aa31881990fc970f44e55997875eb3167170189f9dde333f8c90e9edc02d797d412d32b7ca5acf2662cb341f84153d654a57

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

Filesize
1KB

MD5
4e785a41d722aa3749f693d3a7c34f0d

SHA1
ddeb2bfb970190927f68ab522c851c499a1d141c

SHA256
7e3531f46bca7bf5fdd7df9ff26e14ccff236e6712738b388060a9a11f937f10

SHA512
82959dfb017c94934f0a4c173b5d6176b56ff090873ba72e89f67c1e3ae05dddc648e1dc567baa8a68675126747ff366e589fe76221dead7b589593510860265

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe5bee93.TMP

Filesize
1KB

MD5
ba2512399eddcc0ce7dad3a3f47a5380

SHA1
38331059982689f91fe3d4fd31066d89a7cae2de

SHA256
8c8f68f7aa29210750c9cbd8c6c24705de0b49c599e700396596dc34bca40995

SHA512
640305a741451653555ef11221ee2ec4700ff9569f47e4c273c3ac37468d5be294c415f5979991d25a7c73ce0d5657343b28861691fb0b4dad64d14826c7ab8c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
bab0c1cba0e61de46e112d1444db681b

SHA1
e1fe1108c54ba8fd050bb3a6092ffab1d3dc6bc7

SHA256
b2c578ff55f70f9e775912a4e6aba79c0066a49dd05a912a71270da57dfc9d7f

SHA512
793a3443660965cd5e1dbc7fac9353d6c960cab87a0fe4b15598fb1567d1e5a3e70d78a5a410bf544db9d1811feed11f3d4f61e45c3b2efff8d72691322b3780

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
1b49385fa0bb5d89f8ecff0dd6f88fee

SHA1
009fe390e9c7753f5fb367313941605c2db8906c

SHA256
2ed31323e1919148822ee71043f637f7a86376eed84143c75441eb6d05606bb2

SHA512
95faea68caa4715ca1428c020e5165a977fe2cca1a23d3f7831664c3d03337a564847defab42671b091360132009830b89dfe9e7847ece57b1fc2ac9ece9a7c5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe5bee73.TMP

Filesize
1KB

MD5
bc63f653434d9d6b20e3a370a54304b3

SHA1
35dc68a9e7f1b8a6f7ae07a044c4c8cb7d8aba3e

SHA256
649a9a76961d62204a2fb07de00e33b4f7a978ad6137ab8cf2d5b2ed0ee94d3b

SHA512
2f98ef13555565737d32dd022185e411451cffea67a35e3c9d2b545202eab81fe0405b39a158155435c71eabce3d2c2db10b52c2f7c4e1318ccff6acb45390db

Download Submit
C:\ProgramData\OpenShellSetup64_4_4_191.msi

Filesize
5.3MB

MD5
cc25bc2f1b5dec7e9e7ab3289ed92cc7

SHA1
449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2

SHA256
25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313

SHA512
e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b2f7feb0b069df665438aa9cebb2dd58

SHA1
42c8ff83da8dd3956ab66c6adf43ea483010c2e6

SHA256
635fd69280d7d1a192b10e88fc982153b5bfdb46382815470691a3e468695c02

SHA512
e0bdabec3829383477ee66a972fd4698cd84c3e105fbd6c4108e6240c1b544d276f9a52c2a65e9a8e5c75f2d53db5e20b467af9b5f868286c93fd5a9ca6eba6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3defa7a4fa3c04315ed9197dd6a64790

SHA1
724ced90c4cff17d86f2f5aabea8586e204735a0

SHA256
6df1930bffbee79c226ac770b97bda631ab6b8be5174f98349f8ce61eb12becf

SHA512
b5d37cc610a037434051da08e0ed0fb2285b4d46cce4c3ae019e187e7f9cd16a09c83bf64e6a9b03d581f79918316e2869c6e7e79b397136da524db50a755690

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
61418197b5bf99a31400c334622d618f

SHA1
9365c4472a9f6a568a3a4734f9dbf757240b6ebe

SHA256
6c47d24a66f9aa1b078b0062e7e1ff4bd77c9c85bf9e63060f61af91c4fb94c1

SHA512
bf51c501296bb90dc882a6b4271642b1b2090a9c6f628dd804fcb3c326ea58900162412aa683bfede419bba8e8f97acce479fa239b919ecf5fd33b2ef8308f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
3f1c3f66ed53fca1a050a93b50dde3a3

SHA1
4264ac8322b69af31cdd2516d37d882b8bcbba8b

SHA256
e5d1931221f0dcc220f11a9d8ad7848b9761858bb70a63090c533c96d847296d

SHA512
7db4811f05b0e33b10e003f2807f91da044568317c629e9c9b37e221f735c15e1c86906740c9978b5bfd5a7c44f278f4f268a9f1e0c7354610eed5c5de520f32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
263d6b71db95c975a31cea08d5ca29d4

SHA1
195276a4a162b53dcda8b377780e9fcbe80a6643

SHA256
445ffd2e39eee1a4390d71a80ca502a9b5f593ff33b46894596a14d602a0919f

SHA512
456d2527ec6dc1f6a420b19845d08ce06a046f7c2b27d2250d33c94c563c9e42cdf69770f1c2ddcf50632b7d15848473c861fe6ed7676206563bbfb2c42e0862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9b28a989374e6f2f8279974800a42abe

SHA1
4284317826e55ef580f395993446994e4ea7ca7f

SHA256
8b8b6bd606f05c9f61831dabfff164b7a03526f33822be4e61552530eae7a2ef

SHA512
dac0c52f2c92a4e2e75400117f6176ea5e655f2aa2b9c5c6be6a1d84cafe3e3ad97d3869c9740c0912fa7d35257614557cea6044eea14c3cedd57d3b1d825289

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
02887d63d662967c67fb4996ccf075d9

SHA1
72a9ec8f276d415cf7fdf7334f4d7e8b22f8dc1a

SHA256
41684d0288492709f266280aef92bf7c96f104015813b6d3797aafdfe6f6093c

SHA512
512cffb902afc5bf8a41688f1b558609e93dd572e1b3e53006110ee83db80f1facea25a45bdd65177de97987ef7b1b8001c9d85c868dcc41333c8fa80d19c2b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
776d7690d1d291653741aa9b1633e3ec

SHA1
5eb76979261eb0ced6711c14f3c94c3fb0384244

SHA256
052f9f5643bc325fde069a00623ee7bb883f2890729348a921509a5eedf421a9

SHA512
5a5afb6e8af088d0e9dbbf22389b4c8c45fecea0e1af134b1637924a3fa0ccb5423eb3ac834025454d36c996ea77c6d7ad7f0b3a729fe79cba1990c2d5d1888f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f384729a257f5f1fa467fab585013c28

SHA1
a908fed2db7e1d95be287045fa7656ff1d810e3f

SHA256
16c7abc36d9f05aabc2d0fd12543a05a2bb19981878be062536f845f36ea8b41

SHA512
9ed6143e8a6b6e29c0fecb10b0d95a7a024e137d4d117b159e63b2ad33fbf1a03e6fc5de21d71aa1a3b73a9977d5ff2e613b79ce3cde36e94a2270fe967be5b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
cf63ced9d4881e6fdb4fced785336aad

SHA1
d4705a20869dee0d1bdf371d73fbbce62958cd7c

SHA256
243b80b81ea18231dd0506f044a9bd137a276c96e944b123ecbc2ef810ef79a4

SHA512
6223ee9fe8b10b26a7453814cee51fa007858d50d36350adbc60670175d195d56bd2f3011eee046beb5589209ab95eac63714c156268645782ae17dd4edf9e31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d198809ccb936d4bf199dd61557854e3

SHA1
d7170431192e12dee196238d9a915e8b7ea4d79e

SHA256
a42633de800252a0cef418517a0a1143ea411ca17607f0d4433e50e1f0641029

SHA512
299475e76e2f7ce6b4b9ee071c5808f54911510c01e3c833ce5b8e772e72cd00e340df5aa9b2ad35d60d01de6113b9860669879c1ddf9e5d7f47d544fa963ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
510d0ff363174b68a8383ab95d16fc41

SHA1
e756c55d6213c76dbef4f735a229797e432c6f7a

SHA256
9ffbdbe6eb03a77c8d563c8359449389bff0647008ef735ba73b2c0cf32578ac

SHA512
9f7973519ab13b4c902c2bce1790ad82b60a3a8c1bfc4ba5ea7d13794662506309e52c4c9876445dab141f01819c5a39438ae2b3d4db6c9067da02ee57a7fca4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6822df350c2218c151f6b83337b4d643

SHA1
d5e2eb8c5b980b227fc87a81ff4d1e50b4d6595d

SHA256
3a856f1490668bdddd01eff94f06dd6efe0206403c97ef292fa1fd5eb5752f39

SHA512
2001be87a26d12ef515a9435183b39f300bffda9743b4a3e7eeb632c058b4a17c0648fdfefef97045bd1df4eb43315b217de137e1a717af86a7e89c664ce3eb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f6be45c927838a2faef4a8ee353ed147

SHA1
0d80b9a741bc2881ce54a4237fe1dfbea3561781

SHA256
361d6868556d74472f4531c0b2a4154cb8b57e2d73ff713b3ac3eb15410e246f

SHA512
d89389f1a2cafd75ea62d76fea36b28296cda6a5a47dee802df57918e9393359a552d6c5fae30cfa5501e6b58cfd968205295d04df489471397619cad57e21d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8f7ef36927dd78189a9dfceb639b7b72

SHA1
e8f1807b692bdd675f06eae3e431dc57ff8f6e1f

SHA256
0561f78971561cf3f76d7d7bc140784142461807b894a9b57974f292dcb9d910

SHA512
68128956e7603385238dd34b649a14151d664ca7545c148f840c3b45cbcdd4a2bd824886c7d977d22ee6face7df549159f5bba3c91aebe2cfb379f4419f3257f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4eb28df733871025d39e0d43b4a42ad5

SHA1
f6a7bff6c8f4fe6e434ae32199948391dda06045

SHA256
8c3bb26a102cdece619ed1faa39b026fb9d14f1036b755b5e1518cb2bd4a567b

SHA512
17bb33df440c306aa5d3bfb387b3bab09f151689ad84a509c61a47a899be630b1fbfe40ab45773d73526cf3e139cd3fc2c82dc0d678bb9d6d46875a0a5d8b2ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
315909041defea26a60fa0fdfc5074b4

SHA1
9fd5f1053cee5791cae9c36f739fef69ced3d616

SHA256
dc139afba437eae277ed628bea22bf32100b9e2c0fbb1969ed3af1fed6b8a335

SHA512
c841f9fdab5e64232485018b1f0321703716ce6895d94e76fc74df77390b28dae0d5268bcd27fe7a771842445d624bf1c8895a2015f55388a6d99882e219d2ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
34ece79893ad11352ba838dd667fd671

SHA1
466a958cd78c25a235a12451c73b5764941d62fa

SHA256
a83dff796d7c288f6e81c79892f66622237d37bf850f5190aebb36ba407e4375

SHA512
04452e86eb9d47b8cdf2b2ddd67d953e279b0d829c4e806d3fc85079f4c7d3c1af709ac3869f3d9cb4eac44ad66d823bebf3047d944924b8a1a47f8a2addc70e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4c4b4a7f3ecb2b696d0c2cf260dae932

SHA1
84840fa17d19fae243bf89a895edec6b98622cfa

SHA256
60f33423e229dd3654cb8fed0d4466fe9022b6bcf2331a023abad80a17c13a76

SHA512
2fc9c16fa3caab13b129da811a9c702a14dcfa4471671653b31ce0186fc000a39143d01ec5387136c6d53be44b021306ac02cbd1e894f412b4547c3d0e93de08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
0fd554265dda67abc1ef2290805a4115

SHA1
bdd3e88f3ba7a1a6231a8fd696ffc6b2d0114f13

SHA256
2991893d1d5eda2adeac00444d75a16d78277d1df4d5ae8bf15ada9ab71b33fb

SHA512
bfed70db037a41a9f642e3d4ad940b317c90e22e7e9ea8d2d72dbc69eb12cd17a58813ad17276fdc6f4ec801eb004dd3633e9c3c1f5f1f9c6cb974334b90aafe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
0bd1f472a699d0786d3e5dbe92b9abfa

SHA1
afed4322951c254707b7be149b94da0fc83b4b7e

SHA256
517d6ed32b275a6b6a851bb493dd755cecefa9d984f3cbf39a5f839697068a8b

SHA512
3b9953beb150b1dd94cc6524ac563af5e2ca1d444d57fa6805f23cc57bb1a258f212822d4467c8e945c4d6eff2da59b93f7c7153fd0edcaf96d28c51ddaed572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
d844c9b7493fe2e1ff9442d7af1493ac

SHA1
7db79d2d6a94b93ce69febe29ca1dd62201198cd

SHA256
66753f4935829f91e727cce3f44d6a60532bd7ad933ec1f11936cf5b79290260

SHA512
f04def445abc17fcf66d067f35c6bd2fa63f2c84e9429acc05217925916571e06a997173fe236c546e42ea48bfd0c3b3eb3069e425d6bdc61f4bec8e461d8946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
e3e51d3bc7360e6a860290151118611e

SHA1
ade428b6a87082df3c1a4d012d9c70d3f9a1235b

SHA256
3ec8eda57d01116b3f0de1b332b3cee1e08a5f0ed7b8c2b75191bb33f5037bb6

SHA512
fe7e600f73d109885d266e451b050eae18dd4bd87c609b2e4e94af7a779b373599e29a6aa4e28ab52cd34f220c57faf23884123dccaf0a7287fc333ec0414db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9ad02565200fdf605add7b991b91669f

SHA1
3de2d00fad197b5e91eacb7bd3d56fa36df63aac

SHA256
cfb0953760e5aa702ab88c51462852909502df30cb48f1d937c0836c0aa23a24

SHA512
54d329611e5c17d7174fc599822c463a1c2d75533662917e2f129d7a1317bccc4924f872dc40172ca1882e839d8b345b0097ef2eb39b8df86ce90872f869cf40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d89f2a1cd6a98ca01ac3e819d50dcda

SHA1
e2da8cd3ece3fdf5319cb6b0bac3344ef89c3afd

SHA256
11646b49cddc61fc158db368229e399ba5fdd2a5144b4fc243284dbf8225c417

SHA512
7fcda3ed4cc427fd0cb2b11a95e5834acd7f8a94316a1f106dc1f74ac09653bfa8a8d29dcad96e0045366498f4b9719fbe300895c926a9512117719df3d59510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7274a07d1b80de6f66290b47588cee3b

SHA1
d926b384806c755fe6b9d03f68852765aabb5703

SHA256
5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8

SHA512
b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64279fe9334e41a53c2c2f7d8d54e74c

SHA1
b34c6930f724c1b97be5c6260b3096b616906fd2

SHA256
8bfb5fab88fe830d8afccad0f21429872152c99db9558fbae836585cf35e18ab

SHA512
315f0974b7ba4067ae14df88fc5cb53778910d6956e30565122770593e9c0e163873c44dd975404d1dd3767da5693ad51c99da8b68fdfe34a069519d59040e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ccf5bcedebe7b0de9736b11b08f1863

SHA1
d178f4c9bf7af3daa9301d20354e1c5464e101dd

SHA256
31cbeda60e3f94b6914580e186f6caa157f44ee44a2d9ec89b304a92edc55a45

SHA512
cd43b31b6ca84d6419e4ec8c904f21b7fcccd822d956dd483a25142c03b34456d19eab00fb9ebaa8bfea5b1ede7816c03bb161a575cb81de432ebf301b39b145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
532d468a6c319cceed83b22ea7a4b129

SHA1
bf4a31c645bf32927bdc71b1cd115bcb9ec1eee1

SHA256
871a5a8677f44426b38cd592347c334cdc4600f6a0743815b6c90bd9e48dd4c6

SHA512
e7ac13bb3f404a17b1e6c501b1b5f1e5d93748d26e93acab3a342a0d578bc0d68b5deca164e43578f3c10921f58bd1c75404bf8044ead403fd2120958bffb6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
101ea4ad7dd1627df55f094e160d3f10

SHA1
776d510a3720a9b89d7382753c2e72f8c0a92e79

SHA256
0783244fd95209fff4ee42c3ea92ba93e7994b2f941f0ab68cf4b2992f4ae5f3

SHA512
cab5d1ec97e62227056c93a70c45c7ef6bc7ae40567f0507d7a20811fb2fb6bf41596033c7707e6b55a7ed3c7a3ce07d6b28d7dfc1bd8f74f77192a80203c99e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c6f55c7b0906504c8595b395325a5800

SHA1
e6d8dd51463491a74c9fd4bafef89443b16e96ca

SHA256
30478821fc18ff5bd06e9237856ab951c7209013f1aae98d3fc92a550150b501

SHA512
7f4a4a51c66dd3c161543cfe384b8902b78fdb0bd06da2d3feb43de47bfd417ba5297f70dfaa4ebc89fca335af692326b00d8e3a1b9c7dbd1eb70a3e1f9d64c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3b2a05f3fbe16d06391db3335944b77c

SHA1
1ecab602face79029c53e2dddb49a12b7a808a79

SHA256
185551abd0332fddc9593c6f5e6d982c4917ce2e418d56ac45b0537c13ed5d60

SHA512
782ecdda938503b560c23a12c3ec5ab8c81590d36f3a7e866cd27c2d26c30339fc71ef770be0d422fd43ff8fb2f3ac665776c86be4a9d9d0a2e9cd9236ce0fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c20ac38ae3022e305b8752804aadf486

SHA1
4c144d6cfafb5c37ab4810ff3c1744df81493cdb

SHA256
03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

SHA512
c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9b367c53270b61ce59c2510a224c7a60

SHA1
d46a8bebee55d5868e3d6f87e3ed25374919cf9f

SHA256
ffea339ec5b5dfcd03c40c3d038684c9a5d2cdfbefd5dd6574b41a2ee3548960

SHA512
4eda0a5d2ecae6d0f6605558f1f64557f1cc3acd47c5e167116a4e17c4edfe19bbd407737de0eec441f166090422b2691e6452cafb3cacf10186567c980860ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ad081b7830221ecc8e1c0e4500a0d7d

SHA1
255fa66a9cbca38f52939c0e7fc6ac73630224c5

SHA256
240019dd73fd6eeabc8ec488afa8ad119615e27112c1db273426512e847441a7

SHA512
1a5e5c25894c97e6af8468d7785148229e00d60a2be94b2b4a3a1d92ff47f52173cc968a12d586beb76df4e2ae5cf699297dd8aa7fb9ab94851b2afc8a1347c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ya2dmvem.ykg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4352_637322574\1d883978-bc8d-4490-8044-27a6b3d5cd8a.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4352_637322574\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 153320.crdownload

Filesize
202KB

MD5
4acd7d1e7294d4ab4e9db8977d5135e4

SHA1
07c5474fcd09ff5843df3f776d665dcf0eef4284

SHA256
b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

SHA512
d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36

Download Submit
C:\Windows\SysWOW64\StartMenuHelper32.dll

Filesize
351KB

MD5
b7c7f2bf76b2220839af735e2b58fefc

SHA1
16631df5f62096b039fc1996066805721b622407

SHA256
a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875

SHA512
6df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed

Download Submit
C:\Windows\system32\StartMenuHelper64.dll

Filesize
426KB

MD5
22c9a786f3ff34275c80876b8ac5cc10

SHA1
beb6f4f28b98910b2031c37d7cec385543045614

SHA256
b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca

SHA512
92f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397

Download Submit
memory/4056-1252-0x000002A140B90000-0x000002A140B9A000-memory.dmp

Filesize
40KB

Download
memory/4056-1251-0x000002A140B70000-0x000002A140B86000-memory.dmp

Filesize
88KB

Download
memory/4056-1253-0x000002A140C00000-0x000002A140C26000-memory.dmp

Filesize
152KB

Download
memory/4548-1177-0x000001A22B350000-0x000001A22B374000-memory.dmp

Filesize
144KB

Download
memory/4548-1176-0x000001A22B350000-0x000001A22B37A000-memory.dmp

Filesize
168KB

Download
memory/4676-1263-0x000001D747D20000-0x000001D747D40000-memory.dmp

Filesize
128KB

Download
memory/4676-1258-0x000001CF45C00000-0x000001CF45D00000-memory.dmp

Filesize
1024KB

Download
memory/4676-1261-0x000001D747D60000-0x000001D747D80000-memory.dmp

Filesize
128KB

Download
memory/4676-1257-0x000001CF45C00000-0x000001CF45D00000-memory.dmp

Filesize
1024KB

Download
memory/4676-1256-0x000001CF45C00000-0x000001CF45D00000-memory.dmp

Filesize
1024KB

Download
memory/4676-1270-0x000001D748130000-0x000001D748150000-memory.dmp

Filesize
128KB

Download
memory/4820-903-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-902-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-901-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-896-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-897-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-895-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-907-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-906-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-905-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4820-904-0x000001FD928B0000-0x000001FD928B1000-memory.dmp

Filesize
4KB

Download
memory/4896-1208-0x0000020317580000-0x0000020317626000-memory.dmp

Filesize
664KB

Download
memory/4896-1206-0x0000020315660000-0x0000020315850000-memory.dmp

Filesize
1.9MB

Download
memory/4896-1210-0x000002032FF10000-0x000002032FFCA000-memory.dmp

Filesize
744KB

Download
memory/4896-1207-0x0000020317550000-0x000002031757C000-memory.dmp

Filesize
176KB

Download
memory/4896-1209-0x000002032FCF0000-0x000002032FD0A000-memory.dmp

Filesize
104KB

Download
memory/4952-1211-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1218-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1213-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1219-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1220-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1212-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1222-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1223-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/4952-1221-0x000002A165260000-0x000002A165261000-memory.dmp

Filesize
4KB

Download
memory/5588-949-0x0000017E33270000-0x0000017E33292000-memory.dmp

Filesize
136KB

Download
memory/6056-1231-0x00000133C1F00000-0x00000133C1F10000-memory.dmp

Filesize
64KB

Download
memory/6056-1227-0x00000133C1790000-0x00000133C17A0000-memory.dmp

Filesize
64KB

Download
memory/6056-1235-0x00000133C7390000-0x00000133C7391000-memory.dmp

Filesize
4KB

Download
memory/6056-1441-0x00000133C1FA0000-0x00000133C1FA1000-memory.dmp

Filesize
4KB

Download
memory/6056-1438-0x00000133C7390000-0x00000133C7391000-memory.dmp

Filesize
4KB

Download
memory/6056-1435-0x00000133C73A0000-0x00000133C73A1000-memory.dmp

Filesize
4KB

Download
memory/6056-1436-0x00000133C7390000-0x00000133C7391000-memory.dmp

Filesize
4KB

Download
memory/6056-1433-0x00000133C7490000-0x00000133C7491000-memory.dmp

Filesize
4KB

Download
memory/6056-1432-0x00000133C74A0000-0x00000133C74A1000-memory.dmp

Filesize
4KB

Download