b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

Analysis

max time kernel
119s
max time network
139s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-11-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V6.7.bat
Size

202KB
MD5

4acd7d1e7294d4ab4e9db8977d5135e4
SHA1

07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256

b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512

d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
SSDEEP

1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

Score

10^/10

defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

OOSU10.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

4336 bcdedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
4336	bcdedit.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 37 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4320	powershell.exe
3400	powershell.exe
3352	powershell.exe
3648	powershell.exe
4200	powershell.exe
4020	powershell.exe
2452	powershell.exe
4460	powershell.exe
4632	powershell.exe
1584	powershell.exe
2060	powershell.exe
4572	powershell.exe
912	powershell.exe
2680	powershell.exe
652	powershell.exe
3828	powershell.exe
3364	powershell.exe
2932	powershell.exe
4532	powershell.exe
2992	powershell.exe
3720	powershell.exe
1728	powershell.exe
4004	powershell.exe
4528	powershell.exe
5104	powershell.exe
5060	powershell.exe
5048	powershell.exe
4732	powershell.exe
3744	powershell.exe
5092	powershell.exe
4084	powershell.exe
224	powershell.exe
2184	powershell.exe
4668	powershell.exe
1964	powershell.exe
3328	powershell.exe
940	powershell.exe

Downloads MZ/PE file

Possible privilege escalation attempt 11 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
960	takeown.exe
4548	takeown.exe
4452	icacls.exe
4376	icacls.exe
3024	takeown.exe
3932	icacls.exe
2916	takeown.exe
4152	icacls.exe
564	icacls.exe
5092	icacls.exe
1624	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Executes dropped EXE 3 IoCs

Processes:

OOSU10.exeNSudoLG.exeNSudoLG.exe

pid process

1768 OOSU10.exe
2140 NSudoLG.exe
2836 NSudoLG.exe

pid	process
1768	OOSU10.exe
2140	NSudoLG.exe
2836	NSudoLG.exe

Modifies file permissions 1 TTPs 11 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
4548	takeown.exe
960	takeown.exe
5092	icacls.exe
3024	takeown.exe
3932	icacls.exe
2916	takeown.exe
4152	icacls.exe
1624	takeown.exe
4376	icacls.exe
4452	icacls.exe
564	icacls.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

70 drive.google.com
71 drive.google.com
24 raw.githubusercontent.com
25 raw.githubusercontent.com
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exe

pid process

3096 powercfg.exe

flow	ioc
70	drive.google.com
71	drive.google.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com

pid	process
3096	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe

Drops file in Windows directory 3 IoCs

Processes:

TiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
defense_evasion

Ignore Process Interrupts
T1564.011

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4320 powershell.exe
4284 powershell.exe
4200 powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3448	sc.exe
4404	sc.exe
412	sc.exe
3804	sc.exe
4408	sc.exe
4956	sc.exe
3880	sc.exe
1616	sc.exe
740	sc.exe
4120	sc.exe
564	sc.exe
528	sc.exe
3768	sc.exe
2892	sc.exe
5016	sc.exe
4064	sc.exe
3364	sc.exe
1536	sc.exe
2140	sc.exe
3620	sc.exe
4544	sc.exe
3316	sc.exe
1792	sc.exe
812	sc.exe
3544	sc.exe
4812	sc.exe
1768	sc.exe
2052	sc.exe
224	sc.exe
1740	sc.exe
2628	sc.exe
2120	sc.exe
4336	sc.exe
4880	sc.exe
1712	sc.exe
2056	sc.exe
1624	sc.exe
5068	sc.exe
1948	sc.exe
4936	sc.exe
1004	sc.exe
3980	sc.exe
332	sc.exe
4776	sc.exe
1328	sc.exe
3100	sc.exe
5104	sc.exe
1728	sc.exe
332	sc.exe
3544	sc.exe
3112	sc.exe
2740	sc.exe
2428	sc.exe
4912	sc.exe
3480	sc.exe
2120	sc.exe
3892	sc.exe
836	sc.exe
4904	sc.exe
4592	sc.exe
1960	sc.exe
1376	sc.exe
3352	sc.exe
828	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeexplorer.exeexplorer.exevssvc.exeTaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 61 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
2024	timeout.exe
2952	timeout.exe
4176	timeout.exe
4284	timeout.exe
3688	timeout.exe
604	timeout.exe
3296	timeout.exe
3516	timeout.exe
4808	timeout.exe
4804	timeout.exe
1840	timeout.exe
1712	timeout.exe
1376	timeout.exe
1844	timeout.exe
3164	timeout.exe
2056	timeout.exe
1848	timeout.exe
4304	timeout.exe
1652	timeout.exe
1096	timeout.exe
2392	timeout.exe
4784	timeout.exe
3808	timeout.exe
3420	timeout.exe
4200	timeout.exe
2360	timeout.exe
1676	timeout.exe
2408	timeout.exe
3144	timeout.exe
3652	timeout.exe
3120	timeout.exe
1072	timeout.exe
2288	timeout.exe
3612	timeout.exe
3124	timeout.exe
4408	timeout.exe
4728	timeout.exe
4936	timeout.exe
4592	timeout.exe
4808	timeout.exe
2272	timeout.exe
4064	timeout.exe
1488	timeout.exe
652	timeout.exe
1960	timeout.exe
3556	timeout.exe
4808	timeout.exe
3780	timeout.exe
3204	timeout.exe
840	timeout.exe
4776	timeout.exe
4112	timeout.exe
2484	timeout.exe
1348	timeout.exe
2536	timeout.exe
4108	timeout.exe
2008	timeout.exe
1608	timeout.exe
228	timeout.exe
3304	timeout.exe
1932	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2732 taskkill.exe
3648 taskkill.exe
1368 taskkill.exe
760 taskkill.exe
828 taskkill.exe
400 taskkill.exe
3344 taskkill.exe
3952 taskkill.exe

pid	process
2732	taskkill.exe
3648	taskkill.exe
1368	taskkill.exe
760	taskkill.exe
828	taskkill.exe
400	taskkill.exe
3344	taskkill.exe
3952	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

Processes:

OOSU10.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	OOSU10.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

SearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeexplorer.exeOOSU10.exeexplorer.exeSearchApp.exeSearchApp.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "CC"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "409;9"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "16000"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Stefan - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1"	OOSU10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Stefan"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	OOSU10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Pablo"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Helena"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Hortense"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Japanese Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Has seleccionado %1 como voz predeterminada."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-870806430-2618236806-3023919190-1000\{8CA01245-8994-4771-8761-77D30B45166C}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{37A9D401-0BF5-4366-9530-C75C6DC23EC9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech Recognition Engine - ja-JP Embedded DNN v11.1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "DebugPlugin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\c1033.fe"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1036"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ShowSearchSuggestionsGlobal = "0"	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Katja - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Sie haben %1 als Standardstimme ausgewählt."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David - English (United States)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-870806430-2618236806-3023919190-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-870806430-2618236806-3023919190-1000\{42371C15-1B85-4DF9-B59B-143AE05BF443}	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4956 reg.exe
Runs net.exe

pid	process
4956	reg.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeTaskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exeNSudoLG.exeNSudoLG.exepowershell.exepowershell.exe

pid	process
4020	powershell.exe
4020	powershell.exe
3720	powershell.exe
3720	powershell.exe
1584	powershell.exe
1584	powershell.exe
4320	powershell.exe
4320	powershell.exe
3400	powershell.exe
3400	powershell.exe
3352	powershell.exe
3352	powershell.exe
5104	powershell.exe
5104	powershell.exe
940	powershell.exe
940	powershell.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
4284	powershell.exe
4284	powershell.exe
4284	powershell.exe
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe
3648	powershell.exe
3648	powershell.exe
3648	powershell.exe
4200	powershell.exe
4200	powershell.exe
4200	powershell.exe
2392	svchost.exe
2392	svchost.exe
2140	NSudoLG.exe
2140	NSudoLG.exe
2836	NSudoLG.exe
2836	NSudoLG.exe
1728	powershell.exe
1728	powershell.exe
224	powershell.exe
224	powershell.exe
224	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exepowershell.exepowershell.exepowershell.exevssvc.exepowershell.exepowershell.exesrtasks.exepowershell.exepowercfg.exepowershell.exe

description	pid	process
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeBackupPrivilege	4804	TiWorker.exe
Token: SeRestorePrivilege	4804	TiWorker.exe
Token: SeSecurityPrivilege	4804	TiWorker.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeBackupPrivilege	3172	vssvc.exe
Token: SeRestorePrivilege	3172	vssvc.exe
Token: SeAuditPrivilege	3172	vssvc.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeBackupPrivilege	4376	srtasks.exe
Token: SeRestorePrivilege	4376	srtasks.exe
Token: SeSecurityPrivilege	4376	srtasks.exe
Token: SeTakeOwnershipPrivilege	4376	srtasks.exe
Token: SeBackupPrivilege	4376	srtasks.exe
Token: SeRestorePrivilege	4376	srtasks.exe
Token: SeSecurityPrivilege	4376	srtasks.exe
Token: SeTakeOwnershipPrivilege	4376	srtasks.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeShutdownPrivilege	3096	powercfg.exe
Token: SeCreatePagefilePrivilege	3096	powercfg.exe
Token: SeShutdownPrivilege	3096	powercfg.exe
Token: SeCreatePagefilePrivilege	3096	powercfg.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeIncreaseQuotaPrivilege	5104	powershell.exe
Token: SeSecurityPrivilege	5104	powershell.exe
Token: SeTakeOwnershipPrivilege	5104	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Taskmgr.exeexplorer.exe

pid	process
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taskmgr.exeexplorer.exeexplorer.exe

pid	process
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
5060	Taskmgr.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
860	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe
760	explorer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

StartMenuExperienceHost.exeTextInputHost.exeSearchApp.exeStartMenuExperienceHost.exeTextInputHost.exeSearchApp.exeStartMenuExperienceHost.exeTextInputHost.exeSearchApp.exe

pid	process
4736	StartMenuExperienceHost.exe
1216	TextInputHost.exe
1216	TextInputHost.exe
3628	SearchApp.exe
5092	StartMenuExperienceHost.exe
1476	TextInputHost.exe
1476	TextInputHost.exe
4480	SearchApp.exe
3420	StartMenuExperienceHost.exe
3316	TextInputHost.exe
3316	TextInputHost.exe
604	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 2172 wrote to memory of 4408	2172	cmd.exe	fltMC.exe
PID 2172 wrote to memory of 4408	2172	cmd.exe	fltMC.exe
PID 2172 wrote to memory of 224	2172	cmd.exe	sc.exe
PID 2172 wrote to memory of 224	2172	cmd.exe	sc.exe
PID 2172 wrote to memory of 2564	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 2564	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 960	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 960	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 4308	2172	cmd.exe	sc.exe
PID 2172 wrote to memory of 4308	2172	cmd.exe	sc.exe
PID 2172 wrote to memory of 5116	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 5116	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 2220	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 2220	2172	cmd.exe	find.exe
PID 2172 wrote to memory of 1868	2172	cmd.exe	sc.exe
PID 2172 wrote to memory of 1868	2172	cmd.exe	sc.exe
PID 2172 wrote to memory of 3896	2172	cmd.exe	net.exe
PID 2172 wrote to memory of 3896	2172	cmd.exe	net.exe
PID 3896 wrote to memory of 1008	3896	net.exe	net1.exe
PID 3896 wrote to memory of 1008	3896	net.exe	net1.exe
PID 2172 wrote to memory of 4952	2172	cmd.exe	curl.exe
PID 2172 wrote to memory of 4952	2172	cmd.exe	curl.exe
PID 2172 wrote to memory of 3296	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 3296	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 1960	2172	cmd.exe	tar.exe
PID 2172 wrote to memory of 1960	2172	cmd.exe	tar.exe
PID 2172 wrote to memory of 1884	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 1884	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 2392	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 2392	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 1640	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 1640	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 4932	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 4932	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 4020	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 4020	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3720	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 3720	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 4784	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 4784	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 1852	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 1852	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 832	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 832	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 3420	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 3420	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 1584	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 1584	2172	cmd.exe	powershell.exe
PID 2172 wrote to memory of 1840	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 1840	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 4896	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 4896	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 2056	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 2056	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 528	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 528	2172	cmd.exe	chcp.com
PID 2172 wrote to memory of 1712	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 1712	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 4336	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 4336	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 4960	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 4960	2172	cmd.exe	reg.exe
PID 2172 wrote to memory of 4936	2172	cmd.exe	timeout.exe
PID 2172 wrote to memory of 4936	2172	cmd.exe	timeout.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

OOSU10.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	OOSU10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

cURL User-Agent 5 IoCs

Uses User-Agent string associated with cURL utility.

Processes:

description	flow	ioc
HTTP User-Agent header	15	curl/8.7.1
HTTP User-Agent header	25	curl/8.7.1
HTTP User-Agent header	66	curl/8.7.1
HTTP User-Agent header	71	curl/8.7.1
HTTP User-Agent header	79	curl/8.7.1

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  - Launches sc.exe
  PID:224
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:2564
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:960
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:4308
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:5116
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=auto
  2⤵
  PID:1868
- C:\Windows\system32\net.exe
  net start TrustedInstaller
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start TrustedInstaller
    3⤵
    PID:1008
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  2⤵
  PID:4952
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3296
- C:\Windows\system32\tar.exe
  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  2⤵
  PID:1960
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1884
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2392
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1640
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:4784
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:1852
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:832
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Checkpoint-Computer -Description 'OneClick V6.7 Restore Point'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1840
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4896
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2056
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:528
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:1712
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:4960
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4936
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4004
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:4300
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:3064
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3604
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4200
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:3296
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3724
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3780
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:1932
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1848
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:4436
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4784
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4260
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4304
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:1636
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2024
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:4732
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2484
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:4608
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:996
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:4808
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:4236
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:2196
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:3944
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:1072
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1712
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:4872
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:3880
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3876
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3652
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4900
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4408
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2008
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:5060
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4592
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:4956
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2360
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:1568
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:4932
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:4820
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3516
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1100
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:1844
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2952
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:3924
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:4744
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4176
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:1912
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3120
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:772
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3808
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:3540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4808
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:4380
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1376
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1092
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1348
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:3132
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  PID:4120
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  - Launches sc.exe
  PID:332
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  PID:1220
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:528
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  - Launches sc.exe
  PID:3352
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  - Launches sc.exe
  PID:4904
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  PID:2364
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:5044
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  PID:860
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  PID:3188
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  - Launches sc.exe
  PID:5016
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:4300
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  PID:3052
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  PID:2200
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:836
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:4412
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  PID:1964
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  - Launches sc.exe
  PID:4880
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:3660
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:4332
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  PID:3608
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:2592
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:1332
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  PID:2348
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:3516
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  PID:1100
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  PID:1844
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:3096
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  PID:4020
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  - Launches sc.exe
  PID:1536
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:2084
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:4176
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:404
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:1904
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  - Launches sc.exe
  PID:3804
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:4392
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:2104
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  PID:3632
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:1576
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:4472
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:4944
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  PID:604
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:4964
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  - Launches sc.exe
  PID:1740
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:2872
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:1372
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  PID:2620
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:4812
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  PID:764
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  PID:412
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  PID:3328
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:2852
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:1072
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:3844
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  PID:2056
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:1672
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  PID:3364
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:1584
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:1044
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:4572
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  PID:3320
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  PID:1544
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  - Launches sc.exe
  PID:1624
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:4740
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:4804
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  PID:3216
- C:\Windows\system32\sc.exe
  sc config MSDTC start=demand
  2⤵
  PID:2688
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:1452
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:1980
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  PID:3316
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  PID:3880
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:648
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2140
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:652
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:3984
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  PID:2008
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:3296
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:4956
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5068
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:3768
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  - Launches sc.exe
  PID:3448
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:2548
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  PID:4320
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1328
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:2064
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  PID:3140
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:532
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  PID:3432
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:4560
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:2192
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:3788
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:2368
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:1608
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:1900
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:4416
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:2108
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  - Launches sc.exe
  PID:3100
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:3676
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:788
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:4388
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:4260
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:576
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:4136
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:4724
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:3640
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  PID:3824
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:1880
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:1936
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  - Launches sc.exe
  PID:2628
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:3228
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:1088
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:3160
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  PID:1348
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  PID:3832
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  - Launches sc.exe
  PID:1948
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  - Launches sc.exe
  PID:3980
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:1096
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  PID:4912
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  PID:4676
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:3556
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:5100
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:2908
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:4336
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  - Launches sc.exe
  PID:4936
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:940
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  PID:3876
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:3652
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:4900
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  PID:2160
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:1828
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  - Launches sc.exe
  PID:4592
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  - Launches sc.exe
  PID:1960
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:4544
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:2868
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  - Launches sc.exe
  PID:3544
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  PID:4192
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  PID:1284
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:3780
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3112
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:1848
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  - Launches sc.exe
  PID:2740
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  PID:4076
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:1004
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:384
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  - Launches sc.exe
  PID:812
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:2580
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:436
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:3120
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:4000
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  PID:4768
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:1428
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:4368
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  PID:3572
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  - Launches sc.exe
  PID:828
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:4044
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:740
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3620
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:1740
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  PID:3400
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:5048
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5104
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:4808
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  PID:4380
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  PID:1376
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:1092
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  PID:3628
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:3132
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  PID:4120
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  - Launches sc.exe
  PID:332
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:1220
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  - Launches sc.exe
  PID:4404
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  PID:528
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:3352
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:2364
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:5044
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  PID:860
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:3188
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:1980
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:3316
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:3880
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  PID:648
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:2140
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:652
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  PID:3984
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  PID:2008
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:1828
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  PID:1960
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  - Launches sc.exe
  PID:4544
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  PID:2868
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:3544
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  PID:4192
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:1284
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  PID:3780
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:3112
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:1848
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:2740
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  PID:4076
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  - Launches sc.exe
  PID:1004
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  PID:384
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  PID:812
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  PID:2580
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:436
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:3120
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:4000
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:4768
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  PID:1428
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  PID:4368
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:3572
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:828
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:4044
- C:\Windows\system32\sc.exe
  sc config smphost start=demand
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:740
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:3620
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:1740
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  PID:3400
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  PID:5048
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:4808
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  PID:4380
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  PID:1376
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:1092
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:3628
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  PID:3132
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  - Launches sc.exe
  PID:4776
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  - Launches sc.exe
  PID:4120
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:332
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:1220
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  PID:528
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:3352
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:2364
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:5044
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:860
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:3188
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:1980
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  PID:3316
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:3880
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  PID:648
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:2140
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1676
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:3984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:3724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:3116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:2360
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:1568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:1332
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:4820
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:1440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:4984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:1932
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:4432
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:4436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:1140
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:4516
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:3612
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3816
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2444
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:444
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:772
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3808
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3540
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4784
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3080
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:3416
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:1364
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:3300
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:1768
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:4284
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:3220
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2704
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:1244
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:2776
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:760
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:3944
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:4352
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:2536
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:2516
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:3896
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:1008
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:3648
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:3076
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:3952
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:2272
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:4376
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1712
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1652
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:4936
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:2052
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:3188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:940
- - C:\Windows\system32\Taskmgr.exe
    "C:\Windows\system32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5060
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:1960
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:3572
- C:\Windows\system32\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:828
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
  2⤵
  PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
  2⤵
  PID:412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3648
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1608
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3416
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1960
- C:\Windows\system32\curl.exe
  curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
  2⤵
  PID:1628
- C:\Windows\system32\curl.exe
  curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"
  2⤵
  PID:5068
- C:\Oneclick Tools\OOShutup10\OOSU10.exe
  "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Modifies Control Panel
  - Modifies registry class
  - System policy modification
  PID:1768
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4808
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:764
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2536
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4120
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4284
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:704
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4352
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1348
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3844
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2992
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5052
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3228
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4376
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:1712
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3952
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3556
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:2060
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:3648
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  - Launches sc.exe
  PID:4064
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:4332
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:1136
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:2352
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4408
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:4936
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:4256
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  - Launches sc.exe
  PID:836
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:2140
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:4196
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:4784
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  PID:3632
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:3804
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:2360
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  PID:1364
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:3572
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:4932
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  - Launches sc.exe
  PID:3768
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:3096
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  - Launches sc.exe
  PID:564
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  PID:224
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:2740
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:4544
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:3220
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:4360
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:2628
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:2408
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:740
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:1740
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:4380
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:4500
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  PID:4808
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  PID:764
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:1768
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  - Launches sc.exe
  PID:2120
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:3488
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2056
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:1008
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:4260
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:1092
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:3896
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  PID:332
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:1220
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:3944
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:2696
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:2364
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  PID:3352
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:2492
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  - Launches sc.exe
  PID:1712
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  - Launches sc.exe
  PID:4912
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:2272
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:4952
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:2160
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:648
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  PID:356
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:3316
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:4416
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:2688
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:4300
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:1792
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:4200
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:4768
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:4000
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:772
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  - Launches sc.exe
  PID:4956
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:4472
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:1568
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:3116
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:532
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:2476
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:4136
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:4660
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:960
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:4584
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:604
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:1844
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:5068
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:4884
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:760
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:5104
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:2540
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:2620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:3480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:1880
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:2196
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:2516
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2780
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:2572
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:4492
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:4248
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:1580
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:1516
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:2852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:4532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:1672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:3628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:3328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:1624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:4740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:4628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:2364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:400
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:3352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:2492
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:1712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:4912
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:2272
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:4084
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:1840
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:4952
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:2160
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:4896
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:356
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:3316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:4416
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:2688
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:4968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:4300
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:1792
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:4200
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:4768
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:4000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:772
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:4956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:2016
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:4472
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:1568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:3116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:2476
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:4136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:4660
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:960
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:4584
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:4944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:2740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:4544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:5024
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:4520
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:5104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:2540
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:2620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:3480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:1532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:3304
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:3300
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:4500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:1072
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:764
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:1488
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:1728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:2536
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:3364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:1044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:1088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:3160
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:1348
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1096
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  - Launches sc.exe
  PID:1376
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  - Launches sc.exe
  PID:412
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:5100
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:4376
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:528
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:2908
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:2288
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:220
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:3076
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:4912
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4336
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2892
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:652
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  - Launches sc.exe
  PID:3880
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3876
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2008
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2352
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:1536
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:860
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1980
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4788
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4900
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:3676
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:1428
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:4388
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:1608
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:3608
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:1364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:3572
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:4592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:3296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:2064
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:4044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:2220
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:3716
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:3440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:4940
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1844
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  - Launches sc.exe
  PID:3544
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  PID:1936
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:4360
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:2704
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2408
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:2540
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:2620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:3480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:1532
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3304
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:3300
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:4500
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1072
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:764
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:1488
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  - Launches sc.exe
  PID:1728
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:2536
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  - Launches sc.exe
  PID:3364
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:1044
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:1088
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:3160
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:1348
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:1220
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:548
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:1624
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:4740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:3412
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:2364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:1736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:4080
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3144
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3952
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3204
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4676
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3164
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2940
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2272
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:2060
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:1964
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:3652
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:648
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  - Launches sc.exe
  PID:3316
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:4416
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:2688
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:3732
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  - Launches sc.exe
  PID:1792
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:4196
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:4784
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:4000
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:3120
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:1296
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1616
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:3416
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:4472
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:3724
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  PID:3096
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:564
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:2428
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:224
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:4944
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:2456
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:4616
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:2740
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:3220
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:236
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:3640
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  - Launches sc.exe
  PID:4812
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:2936
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  PID:2408
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:2540
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:2620
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  - Launches sc.exe
  PID:3480
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:1532
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:1632
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:4808
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:2516
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  - Launches sc.exe
  PID:1768
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2120
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:4120
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  PID:1516
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:4352
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=disabled
  2⤵
  PID:3844
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3124
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:1096
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:3944
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:1376
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:412
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:1452
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  - Launches sc.exe
  PID:528
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  PID:4356
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:3344
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2288
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  PID:220
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  PID:3200
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  PID:1712
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  PID:1544
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:3892
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:3216
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:5044
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  - Launches sc.exe
  PID:2052
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4064
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:1136
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:3876
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:2008
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:1828
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:1536
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:4412
- C:\Windows\system32\sc.exe
  sc config esifsvc start=disabled
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config LMS start=disabled
  2⤵
  PID:4004
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:840
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2836
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:1568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:3116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:2476
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:4136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:4660
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:5116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:4920
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:4496
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:1368
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:1116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:1940
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:4568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:2396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:4436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:4544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:2692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:4520
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:2704
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:1244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:1740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:3044
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:2824
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:1372
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:4668
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:3304
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:3300
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:4500
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:4724
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:1072
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:764
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1728
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4804
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1624
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4376
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4728
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  PID:400
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:3344
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:3952
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3556
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "OneDrive.exe"
  2⤵
  - Kills process with taskkill
  PID:2732
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "explorer.exe"
  2⤵
  - Kills process with taskkill
  PID:3648
- C:\Windows\system32\reg.exe
  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:1840
- C:\Windows\system32\reg.exe
  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:4064
- C:\Windows\system32\reg.exe
  reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
  2⤵
  PID:3052
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg unload "hku\Default"
  2⤵
  PID:2352
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "OneDrive*" /f
  2⤵
  PID:1476
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:860
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4408
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3024
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3932
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1932
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WidgetService.exe
  2⤵
  - Kills process with taskkill
  PID:1368
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Widgets.exe
  2⤵
  - Kills process with taskkill
  PID:760
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:3488
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:2056
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4776
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\smartscreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2916
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4152
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4548
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4452
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4108
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:960
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:564
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:228
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
  2⤵
  PID:700
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic startup get caption /format:list
    3⤵
    PID:3052
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "gpjy-h " /t REG_SZ /d "" /f
  2⤵
  PID:3792
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3688
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  PID:3744
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  PID:3388
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  PID:908
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
  2⤵
  PID:1832
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
  2⤵
  PID:3620
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:604
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4632

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:4320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:1848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:1092

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
PID:2540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4576

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1604

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4388

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1368

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:1532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3556

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2352

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2636

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1080

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3208

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3988

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Oneclick Tools.zip

Filesize
564KB

MD5
d2be90c23063c07c5bf6e02c9400ac35

SHA1
c2ca99de035c17ba9b7912c26725efffe290b1db

SHA256
9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3

SHA512
13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

Download Submit
C:\Oneclick Tools\NSudo\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Oneclick Tools\OOShutup10\OOSU10.exe

Filesize
1.9MB

MD5
4803e06db91fdb8b6d1b65c0010d2f87

SHA1
f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c

SHA256
beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b

SHA512
f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Download Submit
C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg

Filesize
2KB

MD5
109f47ced5da3f92362c49069fc4624e

SHA1
79b611073aa0006f1bb4058a6ecb6f3cc97391d6

SHA256
2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b

SHA512
55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79154b9aa74de7020ecb3309c887f7e4

SHA1
0bb101d00d4caeb53f3d3ec03577db07d2cc68f6

SHA256
a11e0deb30fe2a074ee85f749036eeb8394e4575252e04b573e067ce1c5211ea

SHA512
5ef9f996f5d49c4e3d2dcd65f1b8a8a5526aade794defcee6107f1558d536829e78d60cc51f237de11d58ed56865c6ba7fdb35620537756b9e2699e8554b8164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3688f6456e4c5f081f77a5eca168b50c

SHA1
92f2c1ae8b5a25a3a404eb5de207864db0153465

SHA256
72ecb833d0d9c96aeffae902e6e3081ee79d94a3b997f8ab1367df185b6b3737

SHA512
7ba440be93295f70575d48a40a7100a9d0d9fd1f8f8403628cc7feb612ffbf6d7cd928a344278eed0d73d79e19113c9a8e3801e1994f9d1db4543be98c50eb1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
19b92f154aed4530738fb8ee26af74fd

SHA1
db93c80269b5cba4cf647e84f4f02a641e27f60f

SHA256
2402891426aa3cf16e5fd30f2a545adc7469137190ae62139e207548fadf1513

SHA512
3f9ef9ddb10386aee95bdb9739a734c9cb5619358f0236fa273704fc7fd86a8a14c7729569aa097c82b0aac677da1975bf3084343ff2daa36096eab6b82d0ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
21aaab8b1032973d9ea135246ea523f0

SHA1
3ee330b95925a1c01b0d94e52aac15be80dd4367

SHA256
60b281a06db010c6f611ae377b270d90abbd701213e2293767af60dda66b340d

SHA512
2bff1508269eeb5875fe7ef25cf02b910afaff64edf4149274d4661428734c608a275afb5e206198987df4bff1f97a06854c3d71b0a94977d1aaea1db9e0e714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c6ce1acab86b6ee9066925e74fb0797

SHA1
0e3aa725431fc7acffdab8ddfab1b437ad9452bf

SHA256
4d998b704122628ef370134a0ed268c60976acd4060888108f0893ac9ca27588

SHA512
b8ef07e43a154865c97b41b1113df5840f6ad99db7cd914d7872905fc6a6f87e51739e64d2a31cd05cd2caa1144d47970c546a5b88922e6f0eaca39d43d4aa38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a34cd9aa99b5b7134f6856954fed7b36

SHA1
60a21ba13ef54a604bd41823866d542205f61b62

SHA256
a3fbeef6ecd8b674bbb637e5061c459259420b83d0373bc39aff63f8979f56d0

SHA512
51d83bf958e35e96d0f8764981fbb738d49c73d4cc7db78a51b96be9da12fb0fb5501054da3d7ce64a992a86c9f9648dc4e196a7a50a2c4b3fea20031d5afedd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b5eb4ea9bb01b0cc741bea90f491413

SHA1
32fc354afa09b184adff7b1c1adabda3cce25deb

SHA256
1380e4957d25fb4bf5abc9867c31de27a833bf7160c2c34c7446e102bd8bdf75

SHA512
18ce2951a156b6f9d8652826134920adee4cbdc20abbc7f13136cf54ffe5f5efb3b4f8a6cf692c6938dd0e5928faeaeb78434ac9c0530b1119411f81aca1f679

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e7f73c0970575749de7ab59e76f554e0

SHA1
bf89cddd11ad12312a2ebccbc11b36b8f9dcf7bf

SHA256
70b63191cc811cee57f4d50847ce7c99d0564ff06f76373b06f30e0b41ce0d00

SHA512
62f077947e90395e7b484ae33790e25662461c30db9e964f88f0e7e5b2aedd54bb91a65a61df9911f70378a0a5bc5eca9ea3b3526b18b4889fb93d962fad4441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3020f3754fe80c7d2b5fb3b8ee7869b6

SHA1
081386c5fb2700ca3cea7b448e4f63d87d2707e6

SHA256
413223afdbabcb450eec35c9f187568e4e81663fe869cec50ee8ca465c9be9bc

SHA512
e313820401d9b596365a1b7e7b3d0f09030ae2a954df55b7bc4e10d61f7149f1c8defed1747d13d7df0711d8656dacca182893c720a9725ead0bde437c7c71af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85d90ed2346a7ca5b66db5a610ab56d4

SHA1
41601ee1589585166cf0ff4e9077917175b8551a

SHA256
8a2cfc2a2757d8e45cbfa6a86b2aa9b3d70fa4254e6004c7d8d616fe29be5822

SHA512
6b881dcd0f37ba5b36f22c0d90b4301c87b605af9c08ed27ddf32b0cf56fb3d47a7e7f34d165729d984d637b17720a60f68c7362d8b2b2cc3888df8a4013e4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd14405bea8145ff3969f84970fe36c9

SHA1
5ad79a3ec228a2b738418e5171283716f19426ef

SHA256
e51f2c74f1db88e8f155b87ac29517ea9e2bcd7df565e03dcc5fcec914c97fc8

SHA512
e35496543aa17ca04ad7bd2d46693f06750339bd76b6c73af0361d5e772ae7764a68d03579d15b18adf8a7e1aa0eb3b611a26d260c784a4a76294626ac031b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8499498ec94a86c3c97e7b31cce297ac

SHA1
bab115bdba0aecf31297bdcb60dc38446d8e44b2

SHA256
a1ed1b87241a5cc019b98fc77c2abe382549373d547fa2753dff7c6bd7bba379

SHA512
30ca85ec1961322d26e01039a61974ede9d8f77e16e28dba64fd6589019dd115e3a0c9c3d982ebc14cab778bac4e77142b6b63f82a1e8c4b57f1c78c783115c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25843dfd706cbe740cc3b3103ac3d043

SHA1
884c73b60d81c723acccf5cf6995afcc27b2572a

SHA256
215c18d94795a03c7f0515ab2ccd0f83b31f5fbafc6c4cedcfe31f2038348a51

SHA512
8481f0125ba75ee27b5b88a59fbfc31098c5c69264245ee51e94e746a77889f69bb32d661edcad776847ec58acc0cd8a41e346994e1ab62bd575004bde2a4fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8aee4e2c4610a93f365aaed0604c775b

SHA1
b797e08796b5627a1f9e5bad867aca579ae9bcc9

SHA256
51d34e44afd04e67c78c8ac616a176d4b35c84cf503859a99e4d172d6b144b8b

SHA512
c5c373ec7a1445cbc7bae1472beaaaade663b8f4fdf69439448def66eddef82deb0614bab89bac9ea481afa3e6fec5b332c8aa6c412fa029ea4e60b1922a3a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
477c056e35922ccc04fd1c48c7262b1e

SHA1
1fec1e4d34c656011d6595909cca78afef3befd8

SHA256
cc9723f3cefcd87e436f8bfc83ffd5bbe9a8ee7d6b24c6518c1abe1551df1420

SHA512
d894bc6ff06cb5835decf84d58d8e195bf0f47732214a68b9ecd4467f13c7b464625be01081564701575afe2d38b52540b77d6ff8f863eaff3640dd8cedddbd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ee0b8820c7d05b6373323fb9fe86b03

SHA1
903a38b30017911439016430da005d50a0be6f1d

SHA256
6139a2bc3de6b9e99ada678d6b875e63b02aa64b9667d1281a021bdf7d923f25

SHA512
79c94bcad00ccbcf0961a86bff7a06d6bc75fd83f50836747be6ba9ca74efc1290da84d91646dade522755047d3ba7783738fcbc770480310e541989419d0e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8604063d3b1449932092d18faab1746

SHA1
e3d9f2e5d39a454cef14846b5db727ac4540ecaf

SHA256
be361fe0cba50865d5f816a65aca5cd91622390788910cd995aeb9e313f62391

SHA512
21d89a1267c46699d6d00da1a103f52bf5fface9c2b272fcbb02f0e19813fc9d3779cb152606e959285c8e303f517d4a7dd40fa5259a327105e00e4905e95f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
00419acdbbafc5eabe7f72b0187bd666

SHA1
9a396e9ac7cda81ca3fccd629881d7ce7e8e916d

SHA256
bdc7fbe963ef9fcaa64cef43c9c8e1b9f944b5b0ac518ad25cf11ff8240c74ef

SHA512
1cd423d26723e396e2d4b5dfc18d9f5f8bde71cacfbda0a3cb604454ab4f3e68b21c3ec53c90bcaff559a42b94092a32dfdcc58792c4b1fc967cfe73d2a02847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddbce69b410e4819cf63c2d78cef1efc

SHA1
91844be6fdd8a3f07c78437799ccae931258605f

SHA256
648bc93a7aef845cfad6ea718bc6c46055f963bcd1687c5471530f0546413911

SHA512
3b33e1cec7863cf4701081d95334f6a8c5b819fae4204e2e121442ad69b558ce1039bee9a9f998942a74830e90109268e526c56f40f7a503814c924983728c8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
851e868fbd4b466f39fb44bf7de703ef

SHA1
a402555980151d8290df9ca73b38905f27249994

SHA256
ede289aa5c43fb8db1c9e8791c5cee2236cfa6fcb4c7f7d88f0873764c9d7182

SHA512
9cc670e8e598a10900b3650ed53b8f2282a6329843965a531f6cf7195151a2cde4c57152de386248b6c3d8a137a62bea05caf548b8c372fb8ff08f48a981adfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
105bb7e3a42b31fa19e80cb7a1150fc5

SHA1
0d13dfb3789d3636a5c5214576116dccaa2392c7

SHA256
138e6d540e1a17c4a660135a6779311160ead13f272b394f57f1c2eed634b57b

SHA512
d2afeef6d66561163f17d01aca7c0bfec128272a4eea1359b3d6102b526bc94319610187a3b948ac290b6e30248b8c4ecc14ca7d4bd31fa37aed18cd2add0f6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b393e1aae554dd45961c38666996e0dd

SHA1
ecdbf730b4bdbb19b63824f20726ed621c224fb8

SHA256
3bf951123b475242f39407221b43207386af7a5fef5dc70f3eb262ce9ee7cdc4

SHA512
283c040139a98d82dedbbebd5bf9875bcb668c17eaf7b1ebe3c76ca17f3d5b06f7d9820ea17878c96560c305a4c006c076da4b76106aa72120f3d41cafd56380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef0a79283c512ca91bcf778cd7f90c54

SHA1
22ccfdba38fd34adb3449367a18847c080769d6e

SHA256
0b2abfe7630ffee3a895eab58da0ad9cb95d23563f2e9609c124c90835dc8d05

SHA512
b7906cf69a1fe924016a1b345e288cafe1a557f4e443dfafb704642aa78682f44bf1c1fd5525ea9b4c523f3656ee9d8421343fec2c45864d8a6926ef95bf920a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f7c09c72ba5740197b14d6b3e536a5d

SHA1
10e0cb277ab2d946e58fdecc831adb5dcbc144dc

SHA256
ea593d0711e98aade96282090be0c35adf5eb8ce7df3a024437b267754e5cce2

SHA512
1160f3c8aaf774b4902888c30f55079a4aac0b64e59243456ccd53459019bc5047cdac3750bbf90651da42efa4e061e74e8ab6b168f3af9304cd0169905172d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
48c57b510241b4abe69eea47f2c5b474

SHA1
60daead0df67ea902625ae7207309bdc97f09d09

SHA256
ac9e15b180a591a63024b5a275842fbd7e4705b100ee59fae39af5619673ca18

SHA512
c2b005d401a499bcda9e31cf00c5b387394d44f60e28922225cc3c9615735ce2cce2e17ac830de39ec12f0cb0b233d1c5114283153c81c22ea513082b429f751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8808438add32916f0256ca6cc09dc2ef

SHA1
7e4884e08640227d8889e042c609939c016bba92

SHA256
372cd45580a47ce114eb710a3be747aff8d8f1a6bc7f5a97b78347b6063c3375

SHA512
2a684fb57502aa384cb3c67d9ef82cbf8bb80548164ad0f042265862a1702ad1608795fa2ce6031b7db89383e39a40572809ff42ac25f8e9a8f2f57baef84669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c13458f96afd320227fccffecfccaa7

SHA1
2b085cecd8548d11e44e9a2c214920a85d91d1ed

SHA256
e41811de134fd534d88060202bee590db9210d2636d719c26ad55356d5616bf1

SHA512
718e6e6c464ce64686ca25edaab9ec7166aa8cd5ca997a38978ffcc2cb08d17aaea05dbbb165f2294677902790e6367070467202ff807bc77596143c0a64673d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ab00b2c1828d081ba484a7ae1a5b198c

SHA1
4efea1f864e83fe87be58defaab3c16bdf470f57

SHA256
6e75f7a6bcfdf0f7a241c64207f34d273e76d90a89327d8de5b968234c869c4c

SHA512
63a7c3894e0b483e309843e7e5671e876b3c4b80224cd53395eb78645c95790df12119210b6c2aa38d23e37f998b729d868ccf5aa85316637ff288f124a472df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0caa5dcaef18f4ee50fd5d4f0fd85171

SHA1
b31744a142fd220f5cbb66d9f07ec68e244055a5

SHA256
f22135aa5df81404c4c8a2b9f375a89a1362f7669594740c038a43eeceecc01b

SHA512
53be6bbf592ff9425af0091b4e6ad101ebfe1fd9a995cb571f754719f8eb29a62b9809d4be0895aa0e2dd448f06e86c06ef0d77dd7fcfed269554d35f719f2b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba9b62db2c5a672a3bcb30a7b92a89bc

SHA1
d147ca957ac6e8467bb7bfbdae384f8fca0234f7

SHA256
400ed8f32218fa218c821fb65a19a3866c3f1b6923409a1ea1cd4e9a295c6135

SHA512
77e370ffc3ab3f2eb3af574ceae03052b023c883b232e455cf3e3bfba8dfc9f223d294aa8172a6e81980ad9b639ff60dcbf06a6e47bcc9129b7764cfcb8ac4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03c20ffdd52e6a95e52cfb7bc9eee942

SHA1
2ddaf7693f57d71cd97c42e95daeec4b37f1656c

SHA256
86c20c4274464893cdb00e2168a95edb39d72b687fd0cb492411b6bd71b97d2e

SHA512
74c30f2bf615088c1f580055fa42998136aae3648b8bd153ad8ea281de452ef668e84dba8c0fd743edee7ed6453fd56e84f46c7dbe859ee40d9800dd435c6cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9e477debd1c73bb22e0432ba0e4edd98

SHA1
f200cb3bbd90d6e7463b52f3280f89fea5a88f15

SHA256
009012498e896eb58019a5094f250eef14ce2959df7c24ea2b6eb44e2ab14507

SHA512
ffd6497697d594023bdb5442a325acae4196f1c6e59cd8f534b25b8e870ed6abf5af0d2f9eeb0e9d3a39fac8b5cf6e619db17fde62fc6991a0d1f3e5d49ac80f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
14afa058c877ffe962979bd1b382bd66

SHA1
9401ca1d5965fe9b5d8e7cd74ba657beb0dfa0f4

SHA256
c88a1410d4d02cf93bc4bc53534343e75dd73be1acd6f1a5fd988b931c1c2797

SHA512
f8211f514c3e65010c1e63bf0e86933b1464e8331e099d7c960f0c583a85a88563222f9823d2cac054cbaefbaa06a6d9b9d4fab44684728160765635adb90d21

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
e30d4db205003f1032872bb2b6332208

SHA1
8bd3f4bde82b5ea4fbac07b3926fbcb35098cc4c

SHA256
390c1af3810c7ab50da50c0e296baa2d5b72dfc94282765912ea5f4c03da6019

SHA512
790b7c3236e2e15848db8cbb22c7eafadd134e8b2c5f8a49652cf3fc78616b279a8bce2dad4c9f4dc920df84cbba60a57b81cb60f7465279a59a43dd5f70d10c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4NUNBTRQ\microsoft.windows[1].xml

Filesize
96B

MD5
d6c1b4bb94dc9522fb7c83c87ea5d841

SHA1
19ea83a7d4fe8b02f285c684bdb48727c97e9196

SHA256
f1551216ac0ba29d3b3ad772ff70fd8baa6ca6194df69d51248e425884027608

SHA512
05b9aaf43e5464d43f8b4baf7ba913f0a87b5c5adc5c5a8c865982fa341380542fc6c6dd6953bdfd826dfd0cba7db120be206730cead002dcb1b743c80cf4e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pogb0x2b.50f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/604-425-0x00000242D2200000-0x00000242D2300000-memory.dmp

Filesize
1024KB

Download
memory/604-457-0x0000024AD9980000-0x0000024AD99A0000-memory.dmp

Filesize
128KB

Download
memory/604-458-0x0000024ADA780000-0x0000024ADA7A0000-memory.dmp

Filesize
128KB

Download
memory/604-459-0x0000024AD99A0000-0x0000024AD99C0000-memory.dmp

Filesize
128KB

Download
memory/1728-195-0x0000027DCB590000-0x0000027DCB59A000-memory.dmp

Filesize
40KB

Download
memory/1728-196-0x0000027DCB640000-0x0000027DCB666000-memory.dmp

Filesize
152KB

Download
memory/1728-194-0x0000027DCB5B0000-0x0000027DCB5C6000-memory.dmp

Filesize
88KB

Download
memory/1768-173-0x0000021E32A80000-0x0000021E32AAC000-memory.dmp

Filesize
176KB

Download
memory/1768-172-0x0000021E32500000-0x0000021E326F0000-memory.dmp

Filesize
1.9MB

Download
memory/1768-175-0x0000021E32B50000-0x0000021E32B6A000-memory.dmp

Filesize
104KB

Download
memory/1768-174-0x0000021E34450000-0x0000021E344F6000-memory.dmp

Filesize
664KB

Download
memory/1768-176-0x0000021E4CD90000-0x0000021E4CE4A000-memory.dmp

Filesize
744KB

Download
memory/1872-844-0x000002112D7C0000-0x000002112D7E0000-memory.dmp

Filesize
128KB

Download
memory/1872-830-0x000002112D780000-0x000002112D7A0000-memory.dmp

Filesize
128KB

Download
memory/2392-161-0x0000020680D40000-0x0000020680D50000-memory.dmp

Filesize
64KB

Download
memory/2392-165-0x0000020680EC0000-0x0000020680EC1000-memory.dmp

Filesize
4KB

Download
memory/2392-157-0x0000020680D00000-0x0000020680D10000-memory.dmp

Filesize
64KB

Download
memory/2636-720-0x00000188B0640000-0x00000188B0660000-memory.dmp

Filesize
128KB

Download
memory/2636-688-0x00000188AF100000-0x00000188AF200000-memory.dmp

Filesize
1024KB

Download
memory/2636-735-0x00000188C3A10000-0x00000188C3B10000-memory.dmp

Filesize
1024KB

Download
memory/2636-721-0x00000188B0620000-0x00000188B0640000-memory.dmp

Filesize
128KB

Download
memory/2636-701-0x00000188B0600000-0x00000188B0620000-memory.dmp

Filesize
128KB

Download
memory/2636-687-0x00000188AF100000-0x00000188AF200000-memory.dmp

Filesize
1024KB

Download
memory/3328-132-0x0000018EFEC40000-0x0000018EFEC6A000-memory.dmp

Filesize
168KB

Download
memory/3328-133-0x0000018EFEC40000-0x0000018EFEC64000-memory.dmp

Filesize
144KB

Download
memory/3516-504-0x000001FEA9DB0000-0x000001FEA9DD0000-memory.dmp

Filesize
128KB

Download
memory/3516-521-0x000001FEBDA30000-0x000001FEBDB30000-memory.dmp

Filesize
1024KB

Download
memory/3516-506-0x000001FEAA500000-0x000001FEAA520000-memory.dmp

Filesize
128KB

Download
memory/3516-507-0x000001FEA9DD0000-0x000001FEA9DF0000-memory.dmp

Filesize
128KB

Download
memory/3516-474-0x000001FEA9150000-0x000001FEA9250000-memory.dmp

Filesize
1024KB

Download
memory/3628-232-0x00000262DCA90000-0x00000262DCAB0000-memory.dmp

Filesize
128KB

Download
memory/3628-233-0x00000262DC3E0000-0x00000262DC400000-memory.dmp

Filesize
128KB

Download
memory/3628-215-0x00000262DC3C0000-0x00000262DC3E0000-memory.dmp

Filesize
128KB

Download
memory/3628-200-0x00000262DB380000-0x00000262DB480000-memory.dmp

Filesize
1024KB

Download
memory/3628-247-0x00000262EEBC0000-0x00000262EECC0000-memory.dmp

Filesize
1024KB

Download
memory/3628-313-0x00000262EE770000-0x00000262EE870000-memory.dmp

Filesize
1024KB

Download
memory/4020-13-0x0000025EF3200000-0x0000025EF3222000-memory.dmp

Filesize
136KB

Download
memory/4480-354-0x000002AF1BEB0000-0x000002AF1BED0000-memory.dmp

Filesize
128KB

Download
memory/4480-323-0x000002A719D20000-0x000002A719E20000-memory.dmp

Filesize
1024KB

Download
memory/4480-333-0x000002AF1BE90000-0x000002AF1BEB0000-memory.dmp

Filesize
128KB

Download
memory/4480-371-0x000002AF2F690000-0x000002AF2F790000-memory.dmp

Filesize
1024KB

Download
memory/4480-348-0x000002AF1C160000-0x000002AF1C180000-memory.dmp

Filesize
128KB

Download
memory/4924-573-0x0000024215340000-0x0000024215440000-memory.dmp

Filesize
1024KB

Download
memory/4924-675-0x0000024228960000-0x0000024228A60000-memory.dmp

Filesize
1024KB

Download
memory/4924-621-0x0000024228CB0000-0x0000024228DB0000-memory.dmp

Filesize
1024KB

Download
memory/4924-589-0x00000242161B0000-0x00000242161D0000-memory.dmp

Filesize
128KB

Download
memory/4924-607-0x00000242161D0000-0x00000242161F0000-memory.dmp

Filesize
128KB

Download
memory/4924-606-0x0000024216D80000-0x0000024216DA0000-memory.dmp

Filesize
128KB

Download
memory/4924-575-0x0000024215340000-0x0000024215440000-memory.dmp

Filesize
1024KB

Download
memory/5060-110-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-109-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-107-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-106-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-104-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-105-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-100-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-98-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-99-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download
memory/5060-108-0x0000026F133D0000-0x0000026F133D1000-memory.dmp

Filesize
4KB

Download