Analysis
-
max time kernel
149s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
03-02-2025 02:30
General
-
Target
TWEAK NVDIA.exe
-
Size
11.4MB
-
MD5
3507038edf6b4f164c5149f39cff11b0
-
SHA1
720cae8b2c67d7526837f1fd3a44cbcf80ae6dd5
-
SHA256
916f1b6644b58d164c74b9d5ac14798f1c27958149effdbd85b95709b0d2ad6d
-
SHA512
c420055bfe38ae687e897ea8e5fba7cf2821ccae21819eb6ce92901b940539c107a2c8ee5c987ce07ebc060b3a008752ea5946a01cc56e45a8937da4c6be73ef
-
SSDEEP
196608:EG9LuhOZDB08T3uPqG4d1/1wKEIs52FykwcAFRrj5H8o99skweFOGXdaAPj:Lk2DPTX/Ts5JPfrN9s5eFOGoyj
Score
10/10
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Using powershell.exe command.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 4 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 3 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 64 IoCs
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Modifies data under HKEY_USERS 45 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TWEAK NVDIA.exe"C:\Users\Admin\AppData\Local\Temp\TWEAK NVDIA.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\fltMC.exefltmc3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr "REG_SZ"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\sc.exesc qc "TrustedInstaller"3⤵
-
-
C:\Windows\SysWOW64\find.exefind "START_TYPE"3⤵
-
-
C:\Windows\SysWOW64\find.exefind "DISABLED"3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TrustedInstaller start=auto3⤵
-
-
C:\Windows\SysWOW64\net.exenet start TrustedInstaller3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TrustedInstaller4⤵
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\sc.exesc query "WinDefend"3⤵
-
-
C:\Windows\SysWOW64\find.exefind "STATE"3⤵
-
-
C:\Windows\SysWOW64\find.exefind "RUNNING"3⤵
-
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\chcp.comchcp 4373⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Checkpoint-Computer -Description 'OneClick V7.0 Restore Point'"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 23⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 4373⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"3⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f3⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f3⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\powercfg.exepowercfg.exe /hibernate off3⤵
- Power Settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\sc.exesc config HomeGroupListener start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config HomeGroupProvider start=demand3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 03⤵
- UAC bypass
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 4373⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AJRouter start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config ALG start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config AppIDSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AppMgmt start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AppReadiness start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AppVClient start=disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AppXSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config Appinfo start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config AssignedAccessManagerSvc start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AudioEndpointBuilder start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AudioSrv start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Audiosrv start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config AxInstSV start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config BDESVC start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config BFE start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config BITS start=delayed-auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config BTAGService start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config BcastDVRUserService_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config BluetoothUserService_dc2a4 start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config BrokerInfrastructure start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Browser start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config BthAvctpSvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config BthHFSrv start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config CDPSvc start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config CDPUserSvc_dc2a4 start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config COMSysApp start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config CaptureService_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config CertPropSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config ClipSVC start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config ConsentUxUserSvc_dc2a4 start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config CoreMessagingRegistrar start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config CryptSvc start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config CscService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DPS start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DcomLaunch start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DcpSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config DevQueryBroker start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config DeviceAssociationBrokerSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DeviceAssociationService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DeviceInstall start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config DevicePickerUserSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DevicesFlowUserSvc_dc2a4 start=demand3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config Dhcp start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DiagTrack start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DialogBlockingService start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DispBrokerDesktopSvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DisplayEnhancementService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DmEnrollmentSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Dnscache start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config DoSvc start=delayed-auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DsSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DsmSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config DusmSvc start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config EFS start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config EapHost start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config EntAppSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config EventLog start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config EventSystem start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config FDResPub start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Fax start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config FontCache start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config FrameServer start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config FrameServerMonitor start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config GraphicsPerfSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config HomeGroupListener start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config HomeGroupProvider start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config HvHost start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config IEEtwCollectorService start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config IKEEXT start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config InstallService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config InventorySvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config IpxlatCfgSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config KeyIso start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config KtmRm start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config LSM start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config LanmanServer start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config LanmanWorkstation start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config LicenseManager start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config LxpSvc start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config MSDTC start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config MSiSCSI start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config MapsBroker start=delayed-auto3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config McpManagementService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config MessagingService_dc2a4 start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config MicrosoftEdgeElevationService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config MixedRealityOpenXRSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config MpsSvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config MsKeyboardFilter start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NPSMSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NaturalAuthentication start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NcaSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NcbService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NcdAutoSetup start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config NetSetupSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NetTcpPortSharing start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Netlogon start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config Netman start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config NgcCtnrSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NgcSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config NlaSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config OneSyncSvc_dc2a4 start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config P9RdrService_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PNRPAutoReg start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PNRPsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PcaSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config PeerDistSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PenService_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PerfHost start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PhoneSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PimIndexMaintenanceSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PlugPlay start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config PolicyAgent start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config Power start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PrintNotify start=demand3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config PrintWorkflowUserSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config ProfSvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config PushToInstall start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config QWAVE start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config RasAuto start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RasMan start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RemoteAccess start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RemoteRegistry start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RetailDemo start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RmSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config RpcEptMapper start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RpcLocator start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config RpcSs start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SCPolicySvc start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config SCardSvr start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SDRSVC start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SEMgrSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SENS start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SNMPTRAP start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SNMPTrap start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config SSDPSRV start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config SamSs start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config ScDeviceEnum start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config Schedule start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SecurityHealthService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Sense start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SensorDataService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SensorService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SensrSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SessionEnv start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SgrmBroker start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SharedAccess start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SharedRealitySvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config ShellHWDetection start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config SmsRouter start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Spooler start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config SstpSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config StateRepository start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config StiSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config StorSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config SysMain start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config SystemEventsBroker start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TabletInputService start=demand3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config TapiSrv start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TermService start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TextInputManagementService start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config Themes start=auto3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config TieringEngineService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TimeBroker start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TimeBrokerSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TokenBroker start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TrkWks start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TroubleshootingSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config TrustedInstaller start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config UI0Detect start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config UdkUserSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config UevAgentService start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config UmRdpService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config UnistoreSvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config UserDataSvc_dc2a4 start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config UserManager start=auto3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config UsoSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config VGAuthService start=auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config VMTools start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config VSS start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config VacSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config VaultSvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config W32Time start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WEPHOSTSVC start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WFDSConMgrSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WMPNetworkSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WManSvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WPDBusEnum start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WSService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WSearch start=delayed-auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WaaSMedicSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WalletService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WarpJITSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WbioSrvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Wcmsvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WcsPlugInService start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WdNisSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WdiServiceHost start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WdiSystemHost start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WebClient start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Wecsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WerSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WiaRpc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WinDefend start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WinHttpAutoProxySvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WinRM start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config Winmgmt start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WlanSvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WpcMonSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WpnService start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config WpnUserService_dc2a4 start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config WwanSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config XblAuthManager start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config XblGameSave start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config XboxGipSvc start=demand3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config XboxNetApiSvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config autotimesvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config bthserv start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config camsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config cbdhsvc_dc2a4 start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config cloudidsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config dcsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config defragsvc start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config diagnosticshub.standardcollector.service start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config diagsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config dmwappushservice start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config dot3svc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config edgeupdate start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config edgeupdatem start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config embeddedmode start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config fdPHost start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config fhsvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config gpsvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config hidserv start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config icssvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config iphlpsvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config lfsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config lltdsvc start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config lmhosts start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config mpssvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config msiserver start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config netprofm start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config nsi start=auto3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config p2pimsvc start=demand3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config p2psvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config perceptionsimulation start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config pla start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config seclogon start=demand3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\sc.exesc config shpamsvc start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config smphost start=disabled3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config spectrum start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config sppsvc start=delayed-auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config ssh-agent start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config svsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config swprv start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config tiledatamodelsvc start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config tzautoupdate start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config uhssvc start=disabled3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config upnphost start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config vds start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vm3dservice start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmicguestinterface start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmicheartbeat start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmickvpexchange start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config vmicrdv start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmicshutdown start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmictimesync start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmicvmsession start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmicvss start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config vmvss start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config wbengine start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config wcncsvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config webthreatdefsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config webthreatdefusersvc_dc2a4 start=auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config wercplsupport start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config wisvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config wlidsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config wlpasvc start=demand3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exesc config wmiApSrv start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config workfolderssvc start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config wscsvc start=delayed-auto3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config wuauserv start=demand3⤵
-
-
C:\Windows\SysWOW64\sc.exesc config wudfsvc start=demand3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f3⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"3⤵
-
C:\Windows\SysWOW64\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild4⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /r /c:"CurrentBuild"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\system32\taskmgr.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 23⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences3⤵
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 13⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000320" "0000000000000494"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
1Ignore Process Interrupts
1Impair Defenses
2Disable or Modify Tools
2Indicator Removal
1File Deletion
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
201KB
MD5061be0f53c7febeb3e363c867b9c128d
SHA13629f358e24dddc04c05fdd4b9899f57a8091286
SHA25658729cdacc6ce4ea7e168a598fd3e29a1d3d017adbf85badbfb6de818b0de45c
SHA512d1c520e4565ed492f312e8fe611913f013fe2e05539e42f9185271e8a811b50af8a1cd2e5445959c068c5d4adf1633c06d6a387d3b6cb1fa5c5fa84faff31e2d
-
Filesize
1.6MB
MD5db09c9bbec6134db1766d369c339a0a1
SHA1c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45
-
Filesize
7KB
MD546b5d6953d94627432afed7aa366c29d
SHA11a96f7b134b7cc19ccbfb3e8808e163f50d45ba1
SHA2563ae83dd776edc6e1bd0f87509713a7428c0bddcb0047530664ae7cc2c4443e85
SHA512229f71c958d698a619ccda69e8621e9779a98e64105efdc1ab98e69a55ae603d1fbb72bd62dc37d85c5c5da339d14f46f04ee4d87e0f0219ac73860389097657
-
Filesize
10.8MB
MD5325bc1091d3aa90371df0e8f9095ab63
SHA128084aa70ddd36fe43e9c2078c5438c5048ab0cb
SHA256097826ecce3278e1da5f0bee44a75a35ef38ca4c56e1f64c43a40c7b47cd9c17
SHA5123f67b1bd376f3246900be4c7324e82cc71b3c890a87b76c51ea282d8f04db615435152063405c5ed402c88f44ef75b4c0f4260dd958044f96fb7775b11634996
-
Filesize
5.9MB
-
Filesize
120KB
-
Filesize
3.3MB