Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
10/11/2024, 21:19
Static task
static1
Behavioral task
behavioral1
Sample
test.bat
Resource
win7-20241023-en
6 signatures
150 seconds
General
-
Target
test.bat
-
Size
16KB
-
MD5
5d6a734e0c25d661d5639b09f2753b67
-
SHA1
ae5615ca10d41308b7618dc460533bfc6971e0ea
-
SHA256
6a9182c301e4b1ac8de1e5dc35630233e8c406e5184d9f64b8174506d36fab85
-
SHA512
ad5417d2f37aaf8e293c3fdf89d041c8249e9822a4ac088ae28cddca0802e6c268a7d1beafcad527b293613ab45210eca96566e4c356721ffa79bf438fccccaa
-
SSDEEP
384:xU9IxquEDHsUXUXDn6CfFmBd1seQfDNqhFI36oXuuEDHs2OwL:rquEDHsUXUXDn6CfFmBd1seQfDNqhFIw
Malware Config
Signatures
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1280 sc.exe 2344 sc.exe 2168 sc.exe 2056 sc.exe -
Modifies data under HKEY_USERS 8 IoCs
description ioc Process Key created \REGISTRY\USER\!USER_SID! reg.exe Key created \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications reg.exe Key created \REGISTRY\USER\!USER_SID! reg.exe Key created \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search reg.exe Key created \REGISTRY\USER\!USER_SID! reg.exe Key created \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost reg.exe Key created \REGISTRY\USER\!USER_SID! reg.exe Key created \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost reg.exe -
Suspicious use of AdjustPrivilegeToken 9 IoCs
description pid Process Token: SeSecurityPrivilege 2244 auditpol.exe Token: SeSecurityPrivilege 848 auditpol.exe Token: SeSecurityPrivilege 1816 auditpol.exe Token: SeSecurityPrivilege 1060 auditpol.exe Token: SeSecurityPrivilege 1928 auditpol.exe Token: SeSecurityPrivilege 2044 auditpol.exe Token: SeSecurityPrivilege 1316 auditpol.exe Token: SeSecurityPrivilege 2008 auditpol.exe Token: SeSecurityPrivilege 1572 auditpol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 2384 2100 cmd.exe 31 PID 2100 wrote to memory of 2384 2100 cmd.exe 31 PID 2100 wrote to memory of 2384 2100 cmd.exe 31 PID 2100 wrote to memory of 2128 2100 cmd.exe 32 PID 2100 wrote to memory of 2128 2100 cmd.exe 32 PID 2100 wrote to memory of 2128 2100 cmd.exe 32 PID 2100 wrote to memory of 2152 2100 cmd.exe 33 PID 2100 wrote to memory of 2152 2100 cmd.exe 33 PID 2100 wrote to memory of 2152 2100 cmd.exe 33 PID 2100 wrote to memory of 2160 2100 cmd.exe 34 PID 2100 wrote to memory of 2160 2100 cmd.exe 34 PID 2100 wrote to memory of 2160 2100 cmd.exe 34 PID 2100 wrote to memory of 2096 2100 cmd.exe 35 PID 2100 wrote to memory of 2096 2100 cmd.exe 35 PID 2100 wrote to memory of 2096 2100 cmd.exe 35 PID 2100 wrote to memory of 2608 2100 cmd.exe 36 PID 2100 wrote to memory of 2608 2100 cmd.exe 36 PID 2100 wrote to memory of 2608 2100 cmd.exe 36 PID 2100 wrote to memory of 2612 2100 cmd.exe 37 PID 2100 wrote to memory of 2612 2100 cmd.exe 37 PID 2100 wrote to memory of 2612 2100 cmd.exe 37 PID 2100 wrote to memory of 2620 2100 cmd.exe 38 PID 2100 wrote to memory of 2620 2100 cmd.exe 38 PID 2100 wrote to memory of 2620 2100 cmd.exe 38 PID 2100 wrote to memory of 2616 2100 cmd.exe 39 PID 2100 wrote to memory of 2616 2100 cmd.exe 39 PID 2100 wrote to memory of 2616 2100 cmd.exe 39 PID 2100 wrote to memory of 2312 2100 cmd.exe 40 PID 2100 wrote to memory of 2312 2100 cmd.exe 40 PID 2100 wrote to memory of 2312 2100 cmd.exe 40 PID 2100 wrote to memory of 2536 2100 cmd.exe 41 PID 2100 wrote to memory of 2536 2100 cmd.exe 41 PID 2100 wrote to memory of 2536 2100 cmd.exe 41 PID 2100 wrote to memory of 2020 2100 cmd.exe 42 PID 2100 wrote to memory of 2020 2100 cmd.exe 42 PID 2100 wrote to memory of 2020 2100 cmd.exe 42 PID 2100 wrote to memory of 1992 2100 cmd.exe 43 PID 2100 wrote to memory of 1992 2100 cmd.exe 43 PID 2100 wrote to memory of 1992 2100 cmd.exe 43 PID 2100 wrote to memory of 1152 2100 cmd.exe 44 PID 2100 wrote to memory of 1152 2100 cmd.exe 44 PID 2100 wrote to memory of 1152 2100 cmd.exe 44 PID 2100 wrote to memory of 1088 2100 cmd.exe 45 PID 2100 wrote to memory of 1088 2100 cmd.exe 45 PID 2100 wrote to memory of 1088 2100 cmd.exe 45 PID 2100 wrote to memory of 1372 2100 cmd.exe 46 PID 2100 wrote to memory of 1372 2100 cmd.exe 46 PID 2100 wrote to memory of 1372 2100 cmd.exe 46 PID 2100 wrote to memory of 2576 2100 cmd.exe 47 PID 2100 wrote to memory of 2576 2100 cmd.exe 47 PID 2100 wrote to memory of 2576 2100 cmd.exe 47 PID 2100 wrote to memory of 2868 2100 cmd.exe 48 PID 2100 wrote to memory of 2868 2100 cmd.exe 48 PID 2100 wrote to memory of 2868 2100 cmd.exe 48 PID 2100 wrote to memory of 3004 2100 cmd.exe 49 PID 2100 wrote to memory of 3004 2100 cmd.exe 49 PID 2100 wrote to memory of 3004 2100 cmd.exe 49 PID 2100 wrote to memory of 2472 2100 cmd.exe 50 PID 2100 wrote to memory of 2472 2100 cmd.exe 50 PID 2100 wrote to memory of 2472 2100 cmd.exe 50 PID 2100 wrote to memory of 2300 2100 cmd.exe 51 PID 2100 wrote to memory of 2300 2100 cmd.exe 51 PID 2100 wrote to memory of 2300 2100 cmd.exe 51 PID 2100 wrote to memory of 2584 2100 cmd.exe 52 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f2⤵PID:2384
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f2⤵PID:2128
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2152
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f2⤵PID:2160
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f2⤵PID:2096
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵PID:2608
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:2612
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisablediagnosticTracing" /t REG_DWORD /d "1" /f2⤵PID:2620
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f2⤵PID:2616
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /Disabling2⤵PID:2312
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"2⤵PID:2536
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disabling2⤵PID:2020
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"2⤵PID:1992
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /Disabling2⤵PID:1152
-
-
C:\Windows\system32\schtasks.exeschtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"2⤵PID:1088
-
-
C:\Windows\system32\schtasks.exeschtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disabling2⤵PID:1372
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f2⤵PID:2576
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f2⤵PID:2868
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnablingTransparency" /t REG_DWORD /d "0" /f2⤵PID:3004
-
-
C:\Windows\system32\reg.exeReg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f2⤵
- Modifies data under HKEY_USERS
PID:2472
-
-
C:\Windows\system32\reg.exeReg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f2⤵
- Modifies data under HKEY_USERS
PID:2300
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2584
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2820
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:2952
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:2980
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:2960
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f2⤵PID:2848
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f2⤵PID:2268
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f2⤵PID:2836
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnablingSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:3052
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:2972
-
-
C:\Windows\system32\reg.exeReg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnablingWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
- Modifies data under HKEY_USERS
PID:2976
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:2696
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:2228
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f2⤵PID:3012
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f2⤵PID:2808
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f2⤵PID:2984
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f2⤵PID:2964
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaCapabilities" /t REG_SZ /d "" /f2⤵PID:2864
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsAssignedAccess" /t REG_DWORD /d "0" /f2⤵PID:3024
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsWindowsHelloActive" /t REG_DWORD /d "0" /f2⤵PID:2876
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f2⤵PID:2712
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d 3 /f2⤵PID:1808
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchSafeSearch" /t REG_DWORD /d 3 /f2⤵PID:2856
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f2⤵PID:2740
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d 0 /f2⤵PID:2968
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d "0" /f2⤵PID:2688
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\SearchCompanion" /v "DisablingContentFileUpdates" /t REG_DWORD /d "1" /f2⤵PID:2684
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f2⤵PID:2704
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f2⤵PID:2720
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f2⤵PID:2752
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d "3" /f2⤵PID:2760
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f2⤵PID:2592
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f2⤵PID:2340
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisablingWebSearch" /t REG_DWORD /d "1" /f2⤵PID:2732
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DoNotUseWebResults" /t REG_DWORD /d "1" /f2⤵PID:2552
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Process Termination" /success:Disabling /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"RPC Events" /success:Disabling /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Filtering Platform Connection" /success:Disabling /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"DPAPI Activity" /success:Disabling /failure:Disabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1060
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"IPsec Driver" /success: /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Other System Events" /success:Disabling /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Security State Change" /success:Disabling /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"Security System Extension" /success:Disabling /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\system32\auditpol.exeAuditpol /set /subcategory:"System Integrity" /success:Disabling /failure:Enabling2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1308
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1668
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2028
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1720
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f2⤵PID:1708
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f2⤵PID:1824
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnablingFeeds" /t REG_DWORD /d "0" /f2⤵PID:1784
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f2⤵PID:2036
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnablingActivityFeed" /t REG_DWORD /d "0" /f2⤵PID:1680
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f2⤵PID:1056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1696
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnablingActivityFeed" /t REG_DWORD /d "0" /f2⤵PID:1944
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f2⤵PID:1252
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f2⤵PID:1820
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f2⤵PID:1620
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f2⤵PID:1976
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1912
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1300
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:828
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:640
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1424
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2892
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2916
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisablingNotificationCenter" /t REG_DWORD /d "1" /f2⤵PID:2888
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:868
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:560
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:556
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2908
-
-
C:\Windows\system32\sc.exesc config DiagTrack start= Disabled2⤵
- Launches sc.exe
PID:1280
-
-
C:\Windows\system32\sc.exesc config dmwappushservice start= Disabled2⤵
- Launches sc.exe
PID:2344
-
-
C:\Windows\system32\sc.exesc config DPS start= Disabled2⤵
- Launches sc.exe
PID:2168
-
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start= Disabled2⤵
- Launches sc.exe
PID:2056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:2136
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f2⤵PID:2784
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2996
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2924
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:2992
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:316
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1632
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1020
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1920
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:448
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1108
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f2⤵PID:1488
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnablingSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:2792
-
-
C:\Windows\system32\reg.exeReg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:2912
-
-
C:\Windows\system32\reg.exeReg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnablingWebContentEvaluation" /t REG_DWORD /d "0" /f2⤵
- Modifies data under HKEY_USERS
PID:1964
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:1744
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:972
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f2⤵PID:1348
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f2⤵PID:1612
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f2⤵PID:1200
-
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0"2⤵PID:2308
-