ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Modifies security service 2 TTPs 14 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	Process not Found

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Modifies boot configuration data using bcdedit 5 IoCs

pid	Process
2168	bcdedit.exe
2648	bcdedit.exe
1636	bcdedit.exe
2336	bcdedit.exe
2816	bcdedit.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0"	ie4uinit.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 14 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe	reg.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1348	dismhost.exe

Loads dropped DLL 27 IoCs

pid	Process
1500	cleanmgr.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe
1348	dismhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 44 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2008	powershell.exe
2800	powershell.exe
1312	Process not Found
2148	Process not Found
1424	Process not Found
1852	Process not Found
3052	powershell.exe
1308	powershell.exe
856	powershell.exe
980	powershell.exe
2928	powershell.exe
2332	powershell.exe
1356	powershell.exe
2744	powershell.exe
1972	powershell.exe
2084	powershell.exe
1344	Process not Found
2624	Process not Found
900	Process not Found
156	Process not Found
1468	Process not Found
2792	powershell.exe
2900	powershell.exe
1504	powershell.exe
1644	Process not Found
2660	Process not Found
2976	Process not Found
1636	powershell.exe
2660	powershell.exe
1984	powershell.exe
2244	powershell.exe
2800	powershell.exe
2472	powershell.exe
752	powershell.exe
2028	Process not Found
484	powershell.exe
2368	powershell.exe
1348	powershell.exe
3024	Process not Found
1508	Process not Found
2692	powershell.exe
2692	powershell.exe
2372	powershell.exe
2436	powershell.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	cleanmgr.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

Clear Persistence

T1070.009

pid	Process
928	cmd.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Modifies Security services 2 TTPs 56 IoCs

Modifies the startup behavior of a security service.

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4"	reg.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Power Settings 1 TTPs 22 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1920	powercfg.exe
2592	Process not Found
1508	powercfg.exe
2784	cmd.exe
1184	powercfg.exe
2948	cmd.exe
604	powercfg.exe
576	Process not Found
3052	Process not Found
1300	cmd.exe
1376	cmd.exe
2592	Process not Found
652	Process not Found
576	cmd.exe
2192	powercfg.exe
1736	powercfg.exe
3016	powercfg.exe
1784	cmd.exe
316	cmd.exe
2780	powercfg.exe
744	Process not Found
1124	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 13 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

Ignore Process Interrupts

T1564.011

pid	Process
2288	Process not Found
1344	Process not Found
1376	powershell.exe
2184	powershell.exe
300	Process not Found
1912	Process not Found
3040	Process not Found
2848	powershell.exe
2380	powershell.exe
1344	powershell.exe
2656	powershell.exe
2700	powershell.exe
1140	Process not Found

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1276	sc.exe
2712	sc.exe
2632	sc.exe
2920	sc.exe
2828	sc.exe
2120	sc.exe
2768	sc.exe
752	sc.exe
2564	sc.exe
1372	sc.exe
2148	sc.exe
684	sc.exe
1808	sc.exe
3052	sc.exe
376	sc.exe
2496	sc.exe
2728	sc.exe
2348	sc.exe
1516	sc.exe
1712	sc.exe
1880	sc.exe
2196	sc.exe
2304	sc.exe
2028	sc.exe
548	sc.exe
1604	sc.exe
2600	sc.exe
556	sc.exe
316	sc.exe
2224	sc.exe
2244	sc.exe
2208	sc.exe
3040	sc.exe
2592	sc.exe
872	sc.exe
2732	sc.exe
2644	sc.exe
744	sc.exe
1980	sc.exe
1840	sc.exe
2008	sc.exe
1240	sc.exe
652	sc.exe
2848	sc.exe
2948	sc.exe
2992	sc.exe
1812	sc.exe
2808	sc.exe
2444	sc.exe
3048	sc.exe
1072	sc.exe
1888	sc.exe
2744	sc.exe
2312	sc.exe
272	sc.exe
2184	sc.exe
1728	sc.exe
1568	sc.exe
2740	sc.exe
2380	sc.exe
552	sc.exe
1124	sc.exe
1776	sc.exe
1664	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "4"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap	Process not Found
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a06bf453f29adb01	SearchProtocolHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\rlogin	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\ = "&Open"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tn3270\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-909"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\ = "svgfile"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\mhtmlfile	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\ = "opennew"	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xslfile\shell\Open\ddeexec\topic	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.website\OpenWithProgIds\Microsoft.Website	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\CLSID	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\ShellEx\IconHandler	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\xhtmlfile	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shell	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-913"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-915"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\ = "xhtmlfile"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\rlogin\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-908"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\URL Protocol	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\DefaultIcon	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\ = "mhtmlfile"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\IconHandler	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\ddeexec	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\CommandId = "IE.Protocol"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.url	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\URL Protocol	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\DefaultIcon	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-904"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\EditFlags = "2"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE,-32554"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	ie4uinit.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\CommandId = "IE.File"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\http\DefaultIcon	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-912"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	ie4uinit.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
1152	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	powershell.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2356	4d947659fef83a302fd6b7451b980b19.exe
2436	powershell.exe
2900	powershell.exe
484	powershell.exe
1308	powershell.exe
2692	powershell.exe
856	powershell.exe
1636	powershell.exe
980	powershell.exe
2928	powershell.exe
2848	powershell.exe
2332	powershell.exe
2008	powershell.exe
2744	powershell.exe
1972	powershell.exe
2380	powershell.exe
2368	powershell.exe
1344	powershell.exe
3052	powershell.exe
2792	powershell.exe
2660	powershell.exe
2084	powershell.exe
2656	powershell.exe
2800	powershell.exe
1376	powershell.exe
1984	powershell.exe
1356	powershell.exe
2472	powershell.exe
2800	powershell.exe
2700	powershell.exe
2244	powershell.exe
2184	powershell.exe
1504	powershell.exe
1348	powershell.exe
752	powershell.exe
1852	Process not Found
1140	Process not Found
1344	Process not Found
2288	Process not Found
2624	Process not Found
2028	Process not Found
1312	Process not Found
1644	Process not Found
300	Process not Found
2660	Process not Found
1344	Process not Found
900	Process not Found
3024	Process not Found
2148	Process not Found
156	Process not Found
1912	Process not Found
1468	Process not Found
3040	Process not Found
2976	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2356	4d947659fef83a302fd6b7451b980b19.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2356	4d947659fef83a302fd6b7451b980b19.exe
Token: 33	2356	4d947659fef83a302fd6b7451b980b19.exe
Token: SeIncBasePriorityPrivilege	2356	4d947659fef83a302fd6b7451b980b19.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeBackupPrivilege	2940	vssvc.exe
Token: SeRestorePrivilege	2940	vssvc.exe
Token: SeAuditPrivilege	2940	vssvc.exe
Token: SeRestorePrivilege	2188	DrvInst.exe
Token: SeRestorePrivilege	2188	DrvInst.exe
Token: SeRestorePrivilege	2188	DrvInst.exe
Token: SeRestorePrivilege	2188	DrvInst.exe
Token: SeRestorePrivilege	2188	DrvInst.exe
Token: SeRestorePrivilege	2188	DrvInst.exe
Token: SeRestorePrivilege	2188	DrvInst.exe
Token: SeLoadDriverPrivilege	2188	DrvInst.exe
Token: SeLoadDriverPrivilege	2188	DrvInst.exe
Token: SeLoadDriverPrivilege	2188	DrvInst.exe
Token: SeShutdownPrivilege	1736	powercfg.exe
Token: SeShutdownPrivilege	3016	powercfg.exe
Token: SeShutdownPrivilege	1184	powercfg.exe
Token: SeShutdownPrivilege	1920	powercfg.exe
Token: SeShutdownPrivilege	604	powercfg.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeSecurityPrivilege	1636	powershell.exe
Token: SeBackupPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
660	SearchProtocolHost.exe
660	SearchProtocolHost.exe
660	SearchProtocolHost.exe
660	SearchProtocolHost.exe
660	SearchProtocolHost.exe
660	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
928	SearchProtocolHost.exe
2028	SearchProtocolHost.exe
2028	SearchProtocolHost.exe
2028	SearchProtocolHost.exe
2028	SearchProtocolHost.exe
2028	SearchProtocolHost.exe
1604	Process not Found
1604	Process not Found
1604	Process not Found
1604	Process not Found
1604	Process not Found
1604	Process not Found
2424	Process not Found
2424	Process not Found
2424	Process not Found
2424	Process not Found
2424	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2372	2356	4d947659fef83a302fd6b7451b980b19.exe	30
PID 2356 wrote to memory of 2372	2356	4d947659fef83a302fd6b7451b980b19.exe	30
PID 2356 wrote to memory of 2372	2356	4d947659fef83a302fd6b7451b980b19.exe	30
PID 2372 wrote to memory of 2732	2372	powershell.exe	33
PID 2372 wrote to memory of 2732	2372	powershell.exe	33
PID 2372 wrote to memory of 2732	2372	powershell.exe	33
PID 2356 wrote to memory of 2768	2356	4d947659fef83a302fd6b7451b980b19.exe	34
PID 2356 wrote to memory of 2768	2356	4d947659fef83a302fd6b7451b980b19.exe	34
PID 2356 wrote to memory of 2768	2356	4d947659fef83a302fd6b7451b980b19.exe	34
PID 2356 wrote to memory of 2900	2356	4d947659fef83a302fd6b7451b980b19.exe	36
PID 2356 wrote to memory of 2900	2356	4d947659fef83a302fd6b7451b980b19.exe	36
PID 2356 wrote to memory of 2900	2356	4d947659fef83a302fd6b7451b980b19.exe	36
PID 2900 wrote to memory of 2168	2900	cmd.exe	38
PID 2900 wrote to memory of 2168	2900	cmd.exe	38
PID 2900 wrote to memory of 2168	2900	cmd.exe	38
PID 2356 wrote to memory of 1980	2356	4d947659fef83a302fd6b7451b980b19.exe	39
PID 2356 wrote to memory of 1980	2356	4d947659fef83a302fd6b7451b980b19.exe	39
PID 2356 wrote to memory of 1980	2356	4d947659fef83a302fd6b7451b980b19.exe	39
PID 1980 wrote to memory of 2648	1980	cmd.exe	41
PID 1980 wrote to memory of 2648	1980	cmd.exe	41
PID 1980 wrote to memory of 2648	1980	cmd.exe	41
PID 2356 wrote to memory of 2436	2356	4d947659fef83a302fd6b7451b980b19.exe	43
PID 2356 wrote to memory of 2436	2356	4d947659fef83a302fd6b7451b980b19.exe	43
PID 2356 wrote to memory of 2436	2356	4d947659fef83a302fd6b7451b980b19.exe	43
PID 2356 wrote to memory of 3020	2356	4d947659fef83a302fd6b7451b980b19.exe	49
PID 2356 wrote to memory of 3020	2356	4d947659fef83a302fd6b7451b980b19.exe	49
PID 2356 wrote to memory of 3020	2356	4d947659fef83a302fd6b7451b980b19.exe	49
PID 3020 wrote to memory of 552	3020	cmd.exe	51
PID 3020 wrote to memory of 552	3020	cmd.exe	51
PID 3020 wrote to memory of 552	3020	cmd.exe	51
PID 2356 wrote to memory of 1300	2356	4d947659fef83a302fd6b7451b980b19.exe	52
PID 2356 wrote to memory of 1300	2356	4d947659fef83a302fd6b7451b980b19.exe	52
PID 2356 wrote to memory of 1300	2356	4d947659fef83a302fd6b7451b980b19.exe	52
PID 1300 wrote to memory of 1736	1300	cmd.exe	54
PID 1300 wrote to memory of 1736	1300	cmd.exe	54
PID 1300 wrote to memory of 1736	1300	cmd.exe	54
PID 2356 wrote to memory of 1124	2356	4d947659fef83a302fd6b7451b980b19.exe	55
PID 2356 wrote to memory of 1124	2356	4d947659fef83a302fd6b7451b980b19.exe	55
PID 2356 wrote to memory of 1124	2356	4d947659fef83a302fd6b7451b980b19.exe	55
PID 1124 wrote to memory of 3016	1124	cmd.exe	57
PID 1124 wrote to memory of 3016	1124	cmd.exe	57
PID 1124 wrote to memory of 3016	1124	cmd.exe	57
PID 2356 wrote to memory of 2784	2356	4d947659fef83a302fd6b7451b980b19.exe	58
PID 2356 wrote to memory of 2784	2356	4d947659fef83a302fd6b7451b980b19.exe	58
PID 2356 wrote to memory of 2784	2356	4d947659fef83a302fd6b7451b980b19.exe	58
PID 2784 wrote to memory of 1184	2784	cmd.exe	60
PID 2784 wrote to memory of 1184	2784	cmd.exe	60
PID 2784 wrote to memory of 1184	2784	cmd.exe	60
PID 2356 wrote to memory of 1784	2356	4d947659fef83a302fd6b7451b980b19.exe	61
PID 2356 wrote to memory of 1784	2356	4d947659fef83a302fd6b7451b980b19.exe	61
PID 2356 wrote to memory of 1784	2356	4d947659fef83a302fd6b7451b980b19.exe	61
PID 1784 wrote to memory of 1920	1784	cmd.exe	63
PID 1784 wrote to memory of 1920	1784	cmd.exe	63
PID 1784 wrote to memory of 1920	1784	cmd.exe	63
PID 2356 wrote to memory of 2948	2356	4d947659fef83a302fd6b7451b980b19.exe	64
PID 2356 wrote to memory of 2948	2356	4d947659fef83a302fd6b7451b980b19.exe	64
PID 2356 wrote to memory of 2948	2356	4d947659fef83a302fd6b7451b980b19.exe	64
PID 2948 wrote to memory of 604	2948	cmd.exe	66
PID 2948 wrote to memory of 604	2948	cmd.exe	66
PID 2948 wrote to memory of 604	2948	cmd.exe	66
PID 2356 wrote to memory of 980	2356	4d947659fef83a302fd6b7451b980b19.exe	67
PID 2356 wrote to memory of 980	2356	4d947659fef83a302fd6b7451b980b19.exe	67
PID 2356 wrote to memory of 980	2356	4d947659fef83a302fd6b7451b980b19.exe	67
PID 980 wrote to memory of 1636	980	cmd.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4d947659fef83a302fd6b7451b980b19.exe
"C:\Users\Admin\AppData\Local\Temp\4d947659fef83a302fd6b7451b980b19.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ProcessorType=Get-WMIObject win32_Processor | select Name | findstr /c:AMD /c:Intel; $ProcessorType = $ProcessorType.Replace('(R)','').Replace('(TM)','') > CPUL.txt
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\system32\findstr.exe
    "C:\Windows\system32\findstr.exe" /c:AMD /c:Intel
    3⤵
    PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /q CPUL.txt
  2⤵
  PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\bcdedit.exe
    bcdedit /deletevalue {current} safeboot
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\bcdedit.exe
    bcdedit /deletevalue {current} safeboot
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [console]::WindowWidth=80;[console]::WindowHeight=23;[console]::BufferWidth = [console]::WindowWidth; Enable-ComputerRestore -Drive $env:systemdrive; Checkpoint-Computer -Description "ET-RestorePoint" -RestorePointType "MODIFY_SETTINGS"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f
    3⤵
    PID:552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -setactive scheme_min
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\system32\powercfg.exe
    powercfg -setactive scheme_min
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb61
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\powercfg.exe
    powercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb61
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\powercfg.exe
    powercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\system32\powercfg.exe
    powercfg /X standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\powercfg.exe
    powercfg /X standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set timeout 3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set timeout 3
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /timeout 3
  2⤵
  PID:1768
- - C:\Windows\system32\bcdedit.exe
    bcdedit /timeout 3
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f && reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
    3⤵
    PID:1276
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
  2⤵
  PID:768
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
  2⤵
  PID:2212
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f
    3⤵
    PID:3036
- - C:\Windows\system32\reg.exe
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
    3⤵
    PID:1480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "BackgroundServicesPriority" /t REG_DWORD /d 10 /f
  2⤵
  PID:976
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "BackgroundServicesPriority" /t REG_DWORD /d 10 /f
    3⤵
    PID:2836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d 10 /f
  2⤵
  PID:3060
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d 10 /f
    3⤵
    PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f
  2⤵
  PID:652
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f
    3⤵
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:888
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
    3⤵
    PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
  2⤵
  PID:1812
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
    3⤵
    PID:1592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
    3⤵
    PID:2540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
    3⤵
    PID:1996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
  2⤵
  PID:2376
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry class
    PID:2924
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry class
    PID:2792
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f
    3⤵
    PID:2324
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
    3⤵
    PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f
    3⤵
    PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
  2⤵
  PID:2724
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
    3⤵
    PID:2800
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
    3⤵
    PID:2808
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
    3⤵
    PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C bcdedit /set {current} numproc %NUMBER_OF_PROCESSORS%
  2⤵
  PID:2744
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {current} numproc 8
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-WmiObject win32_Processor | findstr /r "Intel" > NOLPi.txt
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- - C:\Windows\system32\findstr.exe
    "C:\Windows\system32\findstr.exe" /r Intel
    3⤵
    PID:1504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f
    3⤵
    PID:1908
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
    3⤵
    PID:1348
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f
    3⤵
    PID:684
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
    3⤵
    PID:1984
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f
    3⤵
    PID:2944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /f /q NOLPi.txt && del /f /q NOLP.txt
  2⤵
  PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f
  2⤵
  PID:2208
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f
    3⤵
    PID:680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
  2⤵
  PID:1432
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
  2⤵
  PID:1108
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
    3⤵
    PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f
  2⤵
  PID:2824
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f
    3⤵
    PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
  2⤵
  PID:552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:856
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2304
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:3016
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1128
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2452
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:692
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1184
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f
  2⤵
  PID:1356
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f
    3⤵
    PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command disable-windowsoptionalfeature -online -featureName Printing-XPSServices-Features -NoRestart; disable-windowsoptionalfeature -online -featureName Xps-Foundation-Xps-Viewer -NoRestart
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop DiagTrack
  2⤵
  PID:1548
- - C:\Windows\system32\sc.exe
    sc stop DiagTrack
    3⤵
    - Launches sc.exe
    PID:744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config DiagTrack start= disabled
  2⤵
  PID:1292
- - C:\Windows\system32\sc.exe
    sc config DiagTrack start= disabled
    3⤵
    - Launches sc.exe
    PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop diagnosticshub.standardcollector.service
  2⤵
  PID:768
- - C:\Windows\system32\sc.exe
    sc stop diagnosticshub.standardcollector.service
    3⤵
    - Launches sc.exe
    PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:3044
- - C:\Windows\system32\sc.exe
    sc config diagnosticshub.standardcollector.service start= disabled
    3⤵
    - Launches sc.exe
    PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop dmwappushservice
  2⤵
  PID:676
- - C:\Windows\system32\sc.exe
    sc stop dmwappushservice
    3⤵
    - Launches sc.exe
    PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config dmwappushservice start= disabled
  2⤵
  PID:3060
- - C:\Windows\system32\sc.exe
    sc config dmwappushservice start= disabled
    3⤵
    - Launches sc.exe
    PID:652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop RemoteRegistry
  2⤵
  PID:880
- - C:\Windows\system32\sc.exe
    sc stop RemoteRegistry
    3⤵
    - Launches sc.exe
    PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config RemoteRegistry start= disabled
  2⤵
  PID:1572
- - C:\Windows\system32\sc.exe
    sc config RemoteRegistry start= disabled
    3⤵
    - Launches sc.exe
    PID:1812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop RemoteAccess
  2⤵
  PID:2540
- - C:\Windows\system32\sc.exe
    sc stop RemoteAccess
    3⤵
    - Launches sc.exe
    PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config RemoteAccess start= disabled
  2⤵
  PID:2696
- - C:\Windows\system32\sc.exe
    sc config RemoteAccess start= disabled
    3⤵
    - Launches sc.exe
    PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop SCardSvr
  2⤵
  PID:2792
- - C:\Windows\system32\sc.exe
    sc stop SCardSvr
    3⤵
    - Launches sc.exe
    PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config SCardSvr start= disabled
  2⤵
  PID:2376
- - C:\Windows\system32\sc.exe
    sc config SCardSvr start= disabled
    3⤵
    - Launches sc.exe
    PID:2920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop SCPolicySvc
  2⤵
  PID:2640
- - C:\Windows\system32\sc.exe
    sc stop SCPolicySvc
    3⤵
    - Launches sc.exe
    PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config SCPolicySvc start= disabled
  2⤵
  PID:864
- - C:\Windows\system32\sc.exe
    sc config SCPolicySvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop fax
  2⤵
  PID:2908
- - C:\Windows\system32\sc.exe
    sc stop fax
    3⤵
    - Launches sc.exe
    PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config fax start= disabled
  2⤵
  PID:2092
- - C:\Windows\system32\sc.exe
    sc config fax start= disabled
    3⤵
    - Launches sc.exe
    PID:272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop WerSvc
  2⤵
  PID:1964
- - C:\Windows\system32\sc.exe
    sc stop WerSvc
    3⤵
    - Launches sc.exe
    PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config WerSvc start= disabled
  2⤵
  PID:660
- - C:\Windows\system32\sc.exe
    sc config WerSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop NvTelemetryContainer
  2⤵
  PID:2008
- - C:\Windows\system32\sc.exe
    sc stop NvTelemetryContainer
    3⤵
    - Launches sc.exe
    PID:684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config NvTelemetryContainer start= disabled
  2⤵
  PID:2644
- - C:\Windows\system32\sc.exe
    sc config NvTelemetryContainer start= disabled
    3⤵
    - Launches sc.exe
    PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop gadjservice
  2⤵
  PID:1364
- - C:\Windows\system32\sc.exe
    sc stop gadjservice
    3⤵
    - Launches sc.exe
    PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config gadjservice start= disabled
  2⤵
  PID:264
- - C:\Windows\system32\sc.exe
    sc config gadjservice start= disabled
    3⤵
    - Launches sc.exe
    PID:752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop AdobeARMservice
  2⤵
  PID:2288
- - C:\Windows\system32\sc.exe
    sc stop AdobeARMservice
    3⤵
    - Launches sc.exe
    PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config AdobeARMservice start= disabled
  2⤵
  PID:2692
- - C:\Windows\system32\sc.exe
    sc config AdobeARMservice start= disabled
    3⤵
    - Launches sc.exe
    PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop PSI_SVC_2
  2⤵
  PID:1700
- - C:\Windows\system32\sc.exe
    sc stop PSI_SVC_2
    3⤵
    - Launches sc.exe
    PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config PSI_SVC_2 start= disabled
  2⤵
  PID:1716
- - C:\Windows\system32\sc.exe
    sc config PSI_SVC_2 start= disabled
    3⤵
    - Launches sc.exe
    PID:552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop lfsvc
  2⤵
  PID:628
- - C:\Windows\system32\sc.exe
    sc stop lfsvc
    3⤵
    - Launches sc.exe
    PID:1124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config lfsvc start= disabled
  2⤵
  PID:2452
- - C:\Windows\system32\sc.exe
    sc config lfsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop WalletService
  2⤵
  PID:444
- - C:\Windows\system32\sc.exe
    sc stop WalletService
    3⤵
    - Launches sc.exe
    PID:2828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config WalletService start= disabled
  2⤵
  PID:928
- - C:\Windows\system32\sc.exe
    sc config WalletService start= disabled
    3⤵
    - Launches sc.exe
    PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop RetailDemo
  2⤵
  PID:980
- - C:\Windows\system32\sc.exe
    sc stop RetailDemo
    3⤵
    - Launches sc.exe
    PID:2948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config RetailDemo start= disabled
  2⤵
  PID:2336
- - C:\Windows\system32\sc.exe
    sc config RetailDemo start= disabled
    3⤵
    - Launches sc.exe
    PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop SEMgrSvc
  2⤵
  PID:828
- - C:\Windows\system32\sc.exe
    sc stop SEMgrSvc
    3⤵
    - Launches sc.exe
    PID:1276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config SEMgrSvc start= disabled
  2⤵
  PID:1008
- - C:\Windows\system32\sc.exe
    sc config SEMgrSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop diagsvc
  2⤵
  PID:1480
- - C:\Windows\system32\sc.exe
    sc stop diagsvc
    3⤵
    - Launches sc.exe
    PID:376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config diagsvc start= disabled
  2⤵
  PID:2836
- - C:\Windows\system32\sc.exe
    sc config diagsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop AJRouter
  2⤵
  PID:1272
- - C:\Windows\system32\sc.exe
    sc stop AJRouter
    3⤵
    - Launches sc.exe
    PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config AJRouter start= disabled
  2⤵
  PID:1608
- - C:\Windows\system32\sc.exe
    sc config AJRouter start= disabled
    3⤵
    - Launches sc.exe
    PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop amdfendr
  2⤵
  PID:2272
- - C:\Windows\system32\sc.exe
    sc stop amdfendr
    3⤵
    - Launches sc.exe
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config amdfendr start= disabled
  2⤵
  PID:676
- - C:\Windows\system32\sc.exe
    sc config amdfendr start= disabled
    3⤵
    - Launches sc.exe
    PID:548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop amdfendrmgr
  2⤵
  PID:3060
- - C:\Windows\system32\sc.exe
    sc stop amdfendrmgr
    3⤵
    - Launches sc.exe
    PID:1840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config amdfendrmgr start= disabled
  2⤵
  PID:880
- - C:\Windows\system32\sc.exe
    sc config amdfendrmgr start= disabled
    3⤵
    - Launches sc.exe
    PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config BITS start= demand
  2⤵
  PID:1572
- - C:\Windows\system32\sc.exe
    sc config BITS start= demand
    3⤵
    - Launches sc.exe
    PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config SamSs start= demand
  2⤵
  PID:2540
- - C:\Windows\system32\sc.exe
    sc config SamSs start= demand
    3⤵
    - Launches sc.exe
    PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config TapiSrv start= demand
  2⤵
  PID:2696
- - C:\Windows\system32\sc.exe
    sc config TapiSrv start= demand
    3⤵
    - Launches sc.exe
    PID:2740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config seclogon start= demand
  2⤵
  PID:2792
- - C:\Windows\system32\sc.exe
    sc config seclogon start= demand
    3⤵
    - Launches sc.exe
    PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config wuauserv start= demand
  2⤵
  PID:2376
- - C:\Windows\system32\sc.exe
    sc config wuauserv start= demand
    3⤵
    - Launches sc.exe
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config PhoneSvc start= demand
  2⤵
  PID:2896
- - C:\Windows\system32\sc.exe
    sc config PhoneSvc start= demand
    3⤵
    - Launches sc.exe
    PID:2992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config lmhosts start= demand
  2⤵
  PID:864
- - C:\Windows\system32\sc.exe
    sc config lmhosts start= demand
    3⤵
    - Launches sc.exe
    PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config iphlpsvc start= demand
  2⤵
  PID:2628
- - C:\Windows\system32\sc.exe
    sc config iphlpsvc start= demand
    3⤵
    - Launches sc.exe
    PID:2312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config gupdate start= demand
  2⤵
  PID:2128
- - C:\Windows\system32\sc.exe
    sc config gupdate start= demand
    3⤵
    - Launches sc.exe
    PID:2600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config gupdatem start= demand
  2⤵
  PID:2676
- - C:\Windows\system32\sc.exe
    sc config gupdatem start= demand
    3⤵
    - Launches sc.exe
    PID:1776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config edgeupdate start= demand
  2⤵
  PID:2964
- - C:\Windows\system32\sc.exe
    sc config edgeupdate start= demand
    3⤵
    - Launches sc.exe
    PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config edgeupdatem start= demand
  2⤵
  PID:1984
- - C:\Windows\system32\sc.exe
    sc config edgeupdatem start= demand
    3⤵
    - Launches sc.exe
    PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config MapsBroker start= demand
  2⤵
  PID:1644
- - C:\Windows\system32\sc.exe
    sc config MapsBroker start= demand
    3⤵
    - Launches sc.exe
    PID:556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config PnkBstrA start= demand
  2⤵
  PID:1364
- - C:\Windows\system32\sc.exe
    sc config PnkBstrA start= demand
    3⤵
    - Launches sc.exe
    PID:2208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config brave start= demand
  2⤵
  PID:264
- - C:\Windows\system32\sc.exe
    sc config brave start= demand
    3⤵
    - Launches sc.exe
    PID:2120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config bravem start= demand
  2⤵
  PID:2288
- - C:\Windows\system32\sc.exe
    sc config bravem start= demand
    3⤵
    - Launches sc.exe
    PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config asus start= demand
  2⤵
  PID:2692
- - C:\Windows\system32\sc.exe
    sc config asus start= demand
    3⤵
    - Launches sc.exe
    PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config asusm start= demand
  2⤵
  PID:1700
- - C:\Windows\system32\sc.exe
    sc config asusm start= demand
    3⤵
    - Launches sc.exe
    PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config adobeupdateservice start= demand
  2⤵
  PID:1716
- - C:\Windows\system32\sc.exe
    sc config adobeupdateservice start= demand
    3⤵
    - Launches sc.exe
    PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config adobeflashplayerupdatesvc start= demand
  2⤵
  PID:3008
- - C:\Windows\system32\sc.exe
    sc config adobeflashplayerupdatesvc start= demand
    3⤵
    - Launches sc.exe
    PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config WSearch start= demand
  2⤵
  PID:692
- - C:\Windows\system32\sc.exe
    sc config WSearch start= demand
    3⤵
    - Launches sc.exe
    PID:1072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config CCleanerPerformanceOptimizerService start= demand
  2⤵
  PID:1300
- - C:\Windows\system32\sc.exe
    sc config CCleanerPerformanceOptimizerService start= demand
    3⤵
    - Launches sc.exe
    PID:1372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable && schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable && schtasks /Change /TN "Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvent" /Disable && schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable && schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable && schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable && schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable && schtasks /Change /TN "NIUpdateServiceStartupTask" /Disable && schtasks /Change /TN "CCleaner Update" /Disable && schtasks /Change /TN "CCleanerCrashReportings" /Disable && schtasks /Change /TN "CCleanerSkipUAC - $env:username" /Disable && schtasks /Change /TN "updater" /Disable && schtasks /Change /TN "Adobe Acrobat Update Task" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable && schtasks /Change /TN "MiniToolPartitionWizard" /Disable && schtasks /Change /TN "AMDLinkUpdate" /Disable && schtasks /Change /TN "Microsoft\Office\Office Automatic Updates 2.0" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates Logon" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineCore" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineUA" /Disable && schtasks /DELETE /TN "AMDInstallLauncher" /f && schtasks /DELETE /TN "AMDLinkUpdate" /f && schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f && schtasks /DELETE /TN "DUpdaterTask" /f && schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  - Indicator Removal: Clear Persistence
  PID:928
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
    3⤵
    PID:576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /q %temp%\NVIDIA Corporation\NV_Cache\* && del /q %programdata%\NVIDIA Corporation\NV_Cache\*
  2⤵
  PID:980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f && REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v PreventHandwritingErrorReports /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowDeviceNameInTelemetry /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v HideRecentlyAddedApps /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v NoActiveHelp /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\StorageTelemetry" /v DeviceDumpEnabled /t REG_DWORD /d 0 /f && && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\17.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && sc stop VSStandardCollectorService150 && sc config VSStandardCollectorService150 start= disabled && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && cmd /c taskkill /f /im ccleaner.exe && cmd /c taskkill /f /im ccleaner64.exe && reg add "HKCU\Software\Piriform\CCleaner" /v "HomeScreen" /t REG_SZ /d 2 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f
  2⤵
  PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C setx POWERSHELL_TELEMETRY_OPTOUT 1
  2⤵
  PID:1824
- - C:\Windows\system32\setx.exe
    setx POWERSHELL_TELEMETRY_OPTOUT 1
    3⤵
    PID:828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\Tracing\WPPMedia" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\WPPMedia" /f
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f
    3⤵
    PID:300
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f
    3⤵
    PID:3036
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f
    3⤵
    PID:564
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\Tracing\WPPMedia" /f
    3⤵
    PID:2472
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\WPPMedia" /f
    3⤵
    PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
    3⤵
    PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
  2⤵
  PID:2932
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
    3⤵
    - Modifies registry key
    PID:1152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1268
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:3048
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
    3⤵
    PID:1240
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
    3⤵
    PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
    3⤵
    PID:2272
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
    3⤵
    PID:352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f
  2⤵
  PID:548
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f
    3⤵
    PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f
  2⤵
  PID:884
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f
    3⤵
    PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
  2⤵
  PID:2144
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
    3⤵
    PID:2076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
    3⤵
    PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f
  2⤵
  PID:2924
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f
    3⤵
    PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:2540
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /t REG_DWORD /d 0 /f
    3⤵
    PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f
  2⤵
  PID:2696
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f
    3⤵
    PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v "HubsSidebarEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2920
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v "HubsSidebarEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f
    3⤵
    PID:2372
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f
  2⤵
  PID:2992
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f
    3⤵
    PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f
    3⤵
    PID:864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f
  2⤵
  PID:1388
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f
    3⤵
    PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like '*Microsoft.Copilot*'} | Remove-AppxPackage -AllUsers -ErrorAction Continue
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
    3⤵
    PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f && REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f && REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
  2⤵
  PID:2644
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f
    3⤵
    PID:2000
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f
    3⤵
    PID:2188
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
    3⤵
    PID:1344
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
    3⤵
    PID:2968
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f
    3⤵
    PID:680
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
    3⤵
    PID:2208
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
    3⤵
    PID:752
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
    3⤵
    PID:900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f
    3⤵
    PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f
  2⤵
  PID:264
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f
    3⤵
    PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" / v "{2cc5ca98-6485-489a-920e-b3e88a6ccce3}" /t REG_DWORD /d 1 /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" / v "{2cc5ca98-6485-489a-920e-b3e88a6ccce3}" /t REG_DWORD /d 1 /f
    3⤵
    PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value $ram -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2784
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1692
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage *XboxGamingOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxGameOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /q "%temp%\NVIDIA Corporation\NV_Cache\*" && del /q "%programdata%\NVIDIA Corporation\NV_Cache\*"
  2⤵
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-EventLog -LogName * | % { Clear-EventLog -LogName $_.Log }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C del /s /f /q "%userprofile%\Recent\*.*"
  2⤵
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command erase /f /s /q "%systemdrive%\Windows\SoftwareDistribution\*.*"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Windows\SoftwareDistribution"
  2⤵
  PID:1288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %localappdata%\Microsoft\Windows\WebCache /F /Q /S
  2⤵
  PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\logs /F /Q /S
  2⤵
  PID:828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\webcache /F /Q /S
  2⤵
  PID:1548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %appdata%\Microsoft\Teams\Cache /F /Q /S
  2⤵
  PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %localappdata%\Yarn\Cache /F /Q /S
  2⤵
  PID:376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem.Out /F /Q /S
  2⤵
  PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem /F /Q /S
  2⤵
  PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %Temp%\VSRemoteControl /F /Q /S
  2⤵
  PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackVSRTCLogs /F /Q /S
  2⤵
  PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackPerfWatsonData /F /Q /S
  2⤵
  PID:1888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFaultInfo /F /Q /S
  2⤵
  PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %Temp%\Microsoft\VSApplicationInsights /F /Q /S
  2⤵
  PID:1152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %ProgramData%\Microsoft\VSApplicationInsights /F /Q /S
  2⤵
  PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\Microsoft\VSApplicationInsights /F /Q /S
  2⤵
  PID:1468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %AppData%stelemetry
  2⤵
  PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del /S /F /Q %windir%\Prefetch
  2⤵
  PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C %WinDir%\SysNative\ie4uinit.exe -show
  2⤵
  PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C %WinDir%\System32\ie4uinit.exe -show
  2⤵
  PID:2372
- - C:\Windows\System32\ie4uinit.exe
    C:\Windows\System32\ie4uinit.exe -show
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\IconCache.db /F /Q /S
  2⤵
  PID:2636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\Explorer\iconcache_*.db" /F /Q /S
  2⤵
  PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q
  2⤵
  PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q
  2⤵
  PID:556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\.jrs" /F /Q
  2⤵
  PID:584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.log" /F /Q
  2⤵
  PID:2708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.chk" /F /Q
  2⤵
  PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\DISM" /F /Q
  2⤵
  PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs" /F /Q
  2⤵
  PID:1364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\ScreenOn\*.etl" /F /Q
  2⤵
  PID:1984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\*.etl" /F /Q
  2⤵
  PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\ScreenOn\*.etl" /F /Q
  2⤵
  PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\*.etl" /F /Q
  2⤵
  PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\LogFiles\HTTPERR\*.*" /F /Q
  2⤵
  PID:1380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\WindowsBackup\*.etl" /F /Q
  2⤵
  PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q
  2⤵
  PID:1536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q
  2⤵
  PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\PerfLogs\System\Diagnostics\*.*" /F /Q
  2⤵
  PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\debug\WIA\*.log" /F /Q
  2⤵
  PID:2280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.app.log" /F /Q
  2⤵
  PID:744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.offline.log" /F /Q
  2⤵
  PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FontCache3.0.0.0
  2⤵
  PID:1608
- - C:\Windows\system32\net.exe
    net stop FontCache3.0.0.0
    3⤵
    PID:2792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FontCache3.0.0.0
      4⤵
      PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FontCache
  2⤵
  PID:2328
- - C:\Windows\system32\net.exe
    net stop FontCache
    3⤵
    PID:2800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FontCache
      4⤵
      PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\LocalService\AppData\Local\FontCache\*.dat" /F /Q /S
  2⤵
  PID:880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\FNTCACHE.DAT" /F /Q /S
  2⤵
  PID:2300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\FNTCACHE.DAT" /F /Q /S
  2⤵
  PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net start FontCache
  2⤵
  PID:2540
- - C:\Windows\system32\net.exe
    net start FontCache
    3⤵
    PID:3012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FontCache
      4⤵
      PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net start FontCache3.0.0.0
  2⤵
  PID:2144
- - C:\Windows\system32\net.exe
    net start FontCache3.0.0.0
    3⤵
    PID:1920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start FontCache3.0.0.0
      4⤵
      PID:928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagwrn.xml" /F /Q
  2⤵
  PID:3044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagerr.xml" /F /Q
  2⤵
  PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\repair\setup.log" /F /Q
  2⤵
  PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\DDACLSys.log" /F /Q
  2⤵
  PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\cbs.log" /F /Q
  2⤵
  PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\WebCache\*.log" /F /Q
  2⤵
  PID:352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\*.log" /F /Q
  2⤵
  PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.log" /F /Q
  2⤵
  PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DPX\*.log" /F /Q
  2⤵
  PID:1124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.lo_" /F /Q
  2⤵
  PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q
  2⤵
  PID:1140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\APPLOG\*.*" /F /Q
  2⤵
  PID:2252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log.txt" /F /Q
  2⤵
  PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DISM\*.log" /F /Q
  2⤵
  PID:2672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\setuplog.txt" /F /Q
  2⤵
  PID:1504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\OEWABLog.txt" /F /Q
  2⤵
  PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q
  2⤵
  PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.bak" /F /Q
  2⤵
  PID:2624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.log" /F /Q
  2⤵
  PID:980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.bak" /F /Q
  2⤵
  PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\*.log" /F /Q
  2⤵
  PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.log" /F /Q
  2⤵
  PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.old" /F /Q
  2⤵
  PID:1552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log" /F /Q
  2⤵
  PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SchedLgU.txt" /F /Q
  2⤵
  PID:1700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Directx.log" /F /Q
  2⤵
  PID:680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\*.log" /F /Q
  2⤵
  PID:1984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C start cleanmgr.exe /sagerun:5
  2⤵
  PID:572
- - C:\Windows\system32\cleanmgr.exe
    cleanmgr.exe /sagerun:5
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in Windows directory
    PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\E5FBF486-9620-44E5-8AEE-3594B80AC6A0\dismhost.exe
      C:\Users\Admin\AppData\Local\Temp\E5FBF486-9620-44E5-8AEE-3594B80AC6A0\dismhost.exe {BE4DB221-12A8-4F0C-8D88-393944855B7D}
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      PID:1348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:900
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
    3⤵
    PID:2452
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
    3⤵
    PID:1368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2828
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2956
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2224
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:984
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3032
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2792
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:1760
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2300
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1468
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:888
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1728
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2212
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:1268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    PID:2160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
  2⤵
  PID:1548
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
    3⤵
    PID:1300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)
  2⤵
  PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f
  2⤵
  PID:2372
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
  2⤵
  PID:2924
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
    3⤵
    PID:352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2936
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
  2⤵
  PID:2680
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
    3⤵
    PID:1996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
  2⤵
  PID:2652
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
    3⤵
    PID:1140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
    3⤵
    PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  2⤵
  PID:2908
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    3⤵
    PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:2712
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:1128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:2660
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2588
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1552
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:2196
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1364
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:2944
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:2028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:2452
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1712
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:3032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1812
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2512
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1728
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2212
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -hibernate off
  2⤵
  - Power Settings
  PID:316
- - C:\Windows\system32\powercfg.exe
    powercfg -hibernate off
    3⤵
    - Power Settings
    PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f
  2⤵
  PID:1912
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f
    3⤵
    PID:1124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
  2⤵
  PID:3068
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
    3⤵
    PID:2640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" /f
  2⤵
  PID:2968
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f
    3⤵
    PID:2848
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f
    3⤵
    PID:1888
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2288
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2768
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2708
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2992
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1688
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2996
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:820
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2780
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1128
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2624
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f
    3⤵
    PID:2336
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f
    3⤵
    PID:2564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2184
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2644
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f
    3⤵
    PID:1716
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:980
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2308
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED
  2⤵
  PID:1516
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED
    3⤵
    PID:2188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop wsearch /y
  2⤵
  PID:2828
- - C:\Windows\system32\net.exe
    net stop wsearch /y
    3⤵
    PID:2824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wsearch /y
      4⤵
      PID:572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C esentutl /d %programdata%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
  2⤵
  PID:2840
- - C:\Windows\system32\esentutl.exe
    esentutl /d C:\ProgramData\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
    3⤵
    PID:1492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net start wsearch
  2⤵
  PID:1108
- - C:\Windows\system32\net.exe
    net start wsearch
    3⤵
    PID:2468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start wsearch
      4⤵
      PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-Volume | Optimize-Volume -defrag -ReTrim
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $RemoveAppPkgs = (Get-AppxPackage -AllUsers).Name; $whitelistapps = @('Microsoft.MicrosoftOfficeHub','Microsoft.Office.OneNote','Microsoft.WindowsAlarms','Microsoft.WindowsCalculator','Microsoft.WindowsCamera','microsoft.windowscommunicationsapps','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.0','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.0','Microsoft.WindowsAppRuntime.1.3','Microsoft.NET.Native.Framework.1.7','MicrosoftWindows.Client.Core','Microsoft.LockApp','Microsoft.ECApp','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.Search','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.SecHealthUI','Microsoft.SecHealthUI','Microsoft.WindowsAppRuntime.CBS','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.120.00.UWPDesktop','Microsoft.VCLibs.110.00.UWPDesktop','Microsoft.DirectXRuntime','Microsoft.XboxGameOverlay','Microsoft.XboxGamingOverlay','Microsoft.GamingApp','Microsoft.GamingServices','Microsoft.XboxIdentityProvider','Microsoft.Xbox.TCUI','Microsoft.AccountsControl','Microsoft.WindowsStore','Microsoft.StorePurchaseApp','Microsoft.VP9VideoExtensions','Microsoft.RawImageExtension','Microsoft.HEIFImageExtension','Microsoft.HEIFImageExtension','Microsoft.WebMediaExtensions','RealtekSemiconductorCorp.RealtekAudioControl','Microsoft.MicrosoftEdge','Microsoft.MicrosoftEdge.Stable','MicrosoftWindows.Client.FileExp','NVIDIACorp.NVIDIAControlPanel','AppUp.IntelGraphicsExperience','Microsoft.Paint','Microsoft.Messaging','Microsoft.AsyncTextService','Microsoft.CredDialogHost','Microsoft.Win32WebViewHost','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.SecondaryTileExperience','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','Windows.MiracastView','Windows.ContactSupport','Windows.PrintDialog','c5e2524a-ea46-4f67-841f-6a9465d9d515','windows.immersivecontrolpanel','WinRAR.ShellExtension','Microsoft.WindowsNotepad','MicrosoftWindows.Client.WebExperience','Microsoft.ZuneMusic','Microsoft.ZuneVideo','Microsoft.OutlookForWindows','MicrosoftWindows.Ai.Copilot.Provider','Microsoft.WindowsTerminal','Microsoft.Windows.Terminal','WindowsTerminal','Microsoft.Winget.Source','Microsoft.DesktopAppInstaller','Microsoft.Services.Store.Engagement','Microsoft.HEVCVideoExtension','Microsoft.WebpImageExtension','MicrosoftWindows.CrossDevice','NotepadPlusPlus','MicrosoftCorporationII.WinAppRuntime.Main.1.5','Microsoft.WindowsAppRuntime.1.5','MicrosoftCorporationII.WinAppRuntime.Singleton','Microsoft.WindowsSoundRecorder','MicrosoftCorporationII.WinAppRuntime.Main.1.4','MicrosoftWindows.Client.LKG','MicrosoftWindows.Client.CBS','Microsoft.VCLibs.140.00','Microsoft.Windows.CloudExperienceHost','SpotifyAB.SpotifyMusic','Microsoft.SkypeApp','5319275A.WhatsAppDesktop','FACEBOOK.317180B0BB486','TelegramMessengerLLP.TelegramDesktop','4DF9E0F8.Netflix','Discord','Paint','mspaint','Microsoft.Windows.Paint','Microsoft.MicrosoftEdge.Stable','1527c705-839a-4832-9118-54d4Bd6a0c89','c5e2524a-ea46-4f67-841f-6a9465d9d515','E2A4F912-2574-4A75-9BB0-0D023378592B','F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE','Microsoft.AAD.BrokerPlugin','Microsoft.AccountsControl','Microsoft.AsyncTextService','Microsoft.BioEnrollment','Microsoft.CredDialogHost','Microsoft.ECApp','Microsoft.LockApp','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.UI.Xaml.CBS','Microsoft.Win32WebViewHost','Microsoft.Windows.Apprep.ChxApp','Microsoft.Windows.AssignedAccessLockApp','Microsoft.Windows.CapturePicker','Microsoft.Windows.CloudExperienceHost','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.NarratorQuickStart','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.ParentalControls','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.PrintQueueActionCenter','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.Client.AIX','MicrosoftWindows.Client.FileExp','MicrosoftWindows.Client.OOBE','MicrosoftWindows.LKG.Search','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','windows.immersivecontrolpanel','Windows.PrintDialog','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.SecHealthUI','Microsoft.Services.Store.Engagement','Microsoft.UI.Xaml.2.8','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.140.00','Microsoft.VCLibs.140.00','Microsoft.WindowsAppRuntime.1.3','Microsoft.WindowsCamera','Microsoft.XboxIdentityProvider','Microsoft.ZuneMusic','RealtekSemiconductorCorp.RealtekAudioControl','DolbyLaboratories.DolbyAudioPremium','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.0','AppUp.IntelGraphicsExperience','Microsoft.NET.Native.Runtime.2.0','Microsoft.Windows.AugLoop.CBS','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.WindowsAppRuntime.CBS.1.6','Microsoft.WindowsAppRuntime.CBS','MicrosoftWindows.Client.CBS','MicrosoftWindows.Client.Core','MicrosoftWindows.Client.Photon','MicrosoftWindows.LKG.AccountsService','MicrosoftWindows.LKG.DesktopSpotlight','MicrosoftWindows.LKG.IrisService','MicrosoftWindows.LKG.RulesEngine','MicrosoftWindows.LKG.SpeechRuntime','MicrosoftWindows.LKG.TwinSxS','Microsoft.VCLibs.140.00','Microsoft.Copilot','Microsoft.OneDriveSync','Microsoft.OutlookForWindows','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.WindowsAppRuntime.1.5','Microsoft.WindowsAppRuntime.1.5','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.Windows.DevHome','Microsoft.UI.Xaml.2.8','Microsoft.Paint','MicrosoftWindows.Client.WebExperience','Microsoft.WindowsStore','Microsoft.WindowsNotepad','Microsoft.WidgetsPlatformRuntime','Microsoft.Xbox.TCUI','Microsoft.WebpImageExtension','Microsoft.WebMediaExtensions','Microsoft.RawImageExtension','Microsoft.HEVCVideoExtension','Microsoft.HEIFImageExtension','Microsoft.WindowsTerminal','Microsoft.DesktopAppInstaller','Microsoft.StartExperiencesApp','Microsoft.StorePurchaseApp','Microsoft.GamingApp','Microsoft.VP9VideoExtensions','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.7','Microsoft.XboxGamingOverlay','Microsoft.WindowsCalculator','Microsoft.WindowsSoundRecorder','Microsoft.WindowsAlarms','Microsoft.MicrosoftOfficeHub','Microsoft.WindowsAppRuntime.1.6','Microsoft.WindowsAppRuntime.1.6','MicrosoftWindows.CrossDevice'); ForEach($TargetApp in $RemoveAppPkgs){ If( $whitelistapps -notcontains $TargetApp) { Get-AppxPackage -Name $TargetApp -AllUsers | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue; Get-AppXProvisionedPackage -Online | Where-Object DisplayName -EQ $TargetApp | Remove-AppxProvisionedPackage -Online }}
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MTPW" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CiscoMeetingDaemon" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Smart Cleaning" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Monitor" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Spotify Web Helper" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Gaijin.Net Updater" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "com.squirrel.Teams.Teams" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "BitTorrent Bleep" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "adobeAAMUpdater-1.0" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "AdobeAAMUpdater" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "iTunesHelper" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdatePPShortCut" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Opera Browser Assistant" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Steam" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EADM" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EpicGamesLauncher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GogGalaxy" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype for Desktop" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Wargaming.net Game Center" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ut" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Lync" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Google Chrome" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Microsoft Edge" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_E9C49D8E9BDC4095F482C844743B9E82" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_D3AB3F7FBB44621987441AECEC1156AD" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Edge Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_31CF12C7FD715D87B15C2DF57BBF8D3E" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Discord" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Ubisoft Game Launcher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "com.blitz.app" /f
  2⤵
  PID:1784
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f
    3⤵
    PID:812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1808
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:2920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
  2⤵
  PID:884
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
    3⤵
    PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
  2⤵
  PID:684
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
    3⤵
    PID:2288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
  2⤵
  PID:2768
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
    3⤵
    PID:1688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
  2⤵
  PID:2648
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
    3⤵
    PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:680
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
    3⤵
    PID:2024
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
    3⤵
    PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2084
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1276
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2836
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2468
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2148
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2500
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2372
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1372
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1668
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2784
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:2640
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
  2⤵
  PID:2708
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
  2⤵
  PID:1964
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
  2⤵
  PID:2304
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
    3⤵
    PID:1840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:2968
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:2000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)
  2⤵
  PID:2200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f
  2⤵
  PID:1532
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
  2⤵
  PID:572
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
    3⤵
    PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
  2⤵
  PID:2840
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
    3⤵
    PID:1504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
    3⤵
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:960
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
  2⤵
  PID:2432
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
    3⤵
    PID:2104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    3⤵
    PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:2864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:2664
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1092
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:1108
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:2944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2728
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:352
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:2772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1972
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1568
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:1184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
  2⤵
  PID:2716
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:2844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:2752
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2936
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2144
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2640
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2708
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2624
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -hibernate off
  2⤵
  - Power Settings
  PID:576
- - C:\Windows\system32\powercfg.exe
    powercfg -hibernate off
    3⤵
    - Power Settings
    PID:2192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f
  2⤵
  PID:976
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f
    3⤵
    PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
  2⤵
  PID:2084
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
    3⤵
    PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" /f
  2⤵
  PID:3056
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f
    3⤵
    PID:2244
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f
    3⤵
    PID:300
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1048
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:984
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1700
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:900
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f
    3⤵
    PID:2468
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1108
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2148
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2672
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2900
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2124
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f
    3⤵
    PID:2872
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f
    3⤵
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f
    3⤵
    PID:2924
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2348
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED
  2⤵
  PID:2612
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED
    3⤵
    PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop wsearch /y
  2⤵
  PID:2844
- - C:\Windows\system32\net.exe
    net stop wsearch /y
    3⤵
    PID:1808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wsearch /y
      4⤵
      PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C esentutl /d %programdata%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
  2⤵
  PID:1688
- - C:\Windows\system32\esentutl.exe
    esentutl /d C:\ProgramData\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
    3⤵
    PID:2640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net start wsearch
  2⤵
  PID:2460
- - C:\Windows\system32\net.exe
    net start wsearch
    3⤵
    PID:2516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start wsearch
      4⤵
      PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-Volume | Optimize-Volume -defrag -ReTrim
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $RemoveAppPkgs = (Get-AppxPackage -AllUsers).Name; $whitelistapps = @('Microsoft.MicrosoftOfficeHub','Microsoft.Office.OneNote','Microsoft.WindowsAlarms','Microsoft.WindowsCalculator','Microsoft.WindowsCamera','microsoft.windowscommunicationsapps','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.0','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.0','Microsoft.WindowsAppRuntime.1.3','Microsoft.NET.Native.Framework.1.7','MicrosoftWindows.Client.Core','Microsoft.LockApp','Microsoft.ECApp','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.Search','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.SecHealthUI','Microsoft.SecHealthUI','Microsoft.WindowsAppRuntime.CBS','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.120.00.UWPDesktop','Microsoft.VCLibs.110.00.UWPDesktop','Microsoft.DirectXRuntime','Microsoft.XboxGameOverlay','Microsoft.XboxGamingOverlay','Microsoft.GamingApp','Microsoft.GamingServices','Microsoft.XboxIdentityProvider','Microsoft.Xbox.TCUI','Microsoft.AccountsControl','Microsoft.WindowsStore','Microsoft.StorePurchaseApp','Microsoft.VP9VideoExtensions','Microsoft.RawImageExtension','Microsoft.HEIFImageExtension','Microsoft.HEIFImageExtension','Microsoft.WebMediaExtensions','RealtekSemiconductorCorp.RealtekAudioControl','Microsoft.MicrosoftEdge','Microsoft.MicrosoftEdge.Stable','MicrosoftWindows.Client.FileExp','NVIDIACorp.NVIDIAControlPanel','AppUp.IntelGraphicsExperience','Microsoft.Paint','Microsoft.Messaging','Microsoft.AsyncTextService','Microsoft.CredDialogHost','Microsoft.Win32WebViewHost','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.SecondaryTileExperience','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','Windows.MiracastView','Windows.ContactSupport','Windows.PrintDialog','c5e2524a-ea46-4f67-841f-6a9465d9d515','windows.immersivecontrolpanel','WinRAR.ShellExtension','Microsoft.WindowsNotepad','MicrosoftWindows.Client.WebExperience','Microsoft.ZuneMusic','Microsoft.ZuneVideo','Microsoft.OutlookForWindows','MicrosoftWindows.Ai.Copilot.Provider','Microsoft.WindowsTerminal','Microsoft.Windows.Terminal','WindowsTerminal','Microsoft.Winget.Source','Microsoft.DesktopAppInstaller','Microsoft.Services.Store.Engagement','Microsoft.HEVCVideoExtension','Microsoft.WebpImageExtension','MicrosoftWindows.CrossDevice','NotepadPlusPlus','MicrosoftCorporationII.WinAppRuntime.Main.1.5','Microsoft.WindowsAppRuntime.1.5','MicrosoftCorporationII.WinAppRuntime.Singleton','Microsoft.WindowsSoundRecorder','MicrosoftCorporationII.WinAppRuntime.Main.1.4','MicrosoftWindows.Client.LKG','MicrosoftWindows.Client.CBS','Microsoft.VCLibs.140.00','Microsoft.Windows.CloudExperienceHost','SpotifyAB.SpotifyMusic','Microsoft.SkypeApp','5319275A.WhatsAppDesktop','FACEBOOK.317180B0BB486','TelegramMessengerLLP.TelegramDesktop','4DF9E0F8.Netflix','Discord','Paint','mspaint','Microsoft.Windows.Paint','Microsoft.MicrosoftEdge.Stable','1527c705-839a-4832-9118-54d4Bd6a0c89','c5e2524a-ea46-4f67-841f-6a9465d9d515','E2A4F912-2574-4A75-9BB0-0D023378592B','F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE','Microsoft.AAD.BrokerPlugin','Microsoft.AccountsControl','Microsoft.AsyncTextService','Microsoft.BioEnrollment','Microsoft.CredDialogHost','Microsoft.ECApp','Microsoft.LockApp','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.UI.Xaml.CBS','Microsoft.Win32WebViewHost','Microsoft.Windows.Apprep.ChxApp','Microsoft.Windows.AssignedAccessLockApp','Microsoft.Windows.CapturePicker','Microsoft.Windows.CloudExperienceHost','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.NarratorQuickStart','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.ParentalControls','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.PrintQueueActionCenter','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.Client.AIX','MicrosoftWindows.Client.FileExp','MicrosoftWindows.Client.OOBE','MicrosoftWindows.LKG.Search','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','windows.immersivecontrolpanel','Windows.PrintDialog','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.SecHealthUI','Microsoft.Services.Store.Engagement','Microsoft.UI.Xaml.2.8','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.140.00','Microsoft.VCLibs.140.00','Microsoft.WindowsAppRuntime.1.3','Microsoft.WindowsCamera','Microsoft.XboxIdentityProvider','Microsoft.ZuneMusic','RealtekSemiconductorCorp.RealtekAudioControl','DolbyLaboratories.DolbyAudioPremium','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.0','AppUp.IntelGraphicsExperience','Microsoft.NET.Native.Runtime.2.0','Microsoft.Windows.AugLoop.CBS','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.WindowsAppRuntime.CBS.1.6','Microsoft.WindowsAppRuntime.CBS','MicrosoftWindows.Client.CBS','MicrosoftWindows.Client.Core','MicrosoftWindows.Client.Photon','MicrosoftWindows.LKG.AccountsService','MicrosoftWindows.LKG.DesktopSpotlight','MicrosoftWindows.LKG.IrisService','MicrosoftWindows.LKG.RulesEngine','MicrosoftWindows.LKG.SpeechRuntime','MicrosoftWindows.LKG.TwinSxS','Microsoft.VCLibs.140.00','Microsoft.Copilot','Microsoft.OneDriveSync','Microsoft.OutlookForWindows','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.WindowsAppRuntime.1.5','Microsoft.WindowsAppRuntime.1.5','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.Windows.DevHome','Microsoft.UI.Xaml.2.8','Microsoft.Paint','MicrosoftWindows.Client.WebExperience','Microsoft.WindowsStore','Microsoft.WindowsNotepad','Microsoft.WidgetsPlatformRuntime','Microsoft.Xbox.TCUI','Microsoft.WebpImageExtension','Microsoft.WebMediaExtensions','Microsoft.RawImageExtension','Microsoft.HEVCVideoExtension','Microsoft.HEIFImageExtension','Microsoft.WindowsTerminal','Microsoft.DesktopAppInstaller','Microsoft.StartExperiencesApp','Microsoft.StorePurchaseApp','Microsoft.GamingApp','Microsoft.VP9VideoExtensions','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.7','Microsoft.XboxGamingOverlay','Microsoft.WindowsCalculator','Microsoft.WindowsSoundRecorder','Microsoft.WindowsAlarms','Microsoft.MicrosoftOfficeHub','Microsoft.WindowsAppRuntime.1.6','Microsoft.WindowsAppRuntime.1.6','MicrosoftWindows.CrossDevice'); ForEach($TargetApp in $RemoveAppPkgs){ If( $whitelistapps -notcontains $TargetApp) { Get-AppxPackage -Name $TargetApp -AllUsers | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue; Get-AppXProvisionedPackage -Online | Where-Object DisplayName -EQ $TargetApp | Remove-AppxProvisionedPackage -Online }}
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MTPW" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CiscoMeetingDaemon" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Smart Cleaning" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Monitor" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Spotify Web Helper" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Gaijin.Net Updater" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "com.squirrel.Teams.Teams" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "BitTorrent Bleep" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "adobeAAMUpdater-1.0" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "AdobeAAMUpdater" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "iTunesHelper" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdatePPShortCut" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Opera Browser Assistant" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Steam" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EADM" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EpicGamesLauncher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GogGalaxy" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype for Desktop" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Wargaming.net Game Center" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ut" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Lync" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Google Chrome" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Microsoft Edge" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_E9C49D8E9BDC4095F482C844743B9E82" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_D3AB3F7FBB44621987441AECEC1156AD" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Edge Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_31CF12C7FD715D87B15C2DF57BBF8D3E" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Discord" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Ubisoft Game Launcher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "com.blitz.app" /f
  2⤵
  PID:2348
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f
    3⤵
    PID:1312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1572
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
  2⤵
  PID:2612
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
    3⤵
    PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
  2⤵
  PID:888
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
    3⤵
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
    3⤵
    PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
  2⤵
  PID:1140
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
  2⤵
  PID:1424
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
    3⤵
    PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:2168
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
    3⤵
    PID:1728
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
    3⤵
    PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:376
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2864
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1092
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1696
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2976
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2500
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1484
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1684
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2636
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
  2⤵
  PID:1124
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
  2⤵
  PID:1424
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
    3⤵
    PID:2932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:2572
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:2488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)
  2⤵
  PID:2548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
  2⤵
  PID:2432
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
    3⤵
    PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
    3⤵
    PID:584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
  2⤵
  PID:2896
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
    3⤵
    PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:1376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1748
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
  2⤵
  PID:2072
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
    3⤵
    PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    3⤵
    PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:2336
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2440
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:620
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:2516
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:2992
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:2412
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2468
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:1048
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
  2⤵
  PID:900
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:3056
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3060
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:444
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:288
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2380
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1308
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:884
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -hibernate off
  2⤵
  - Power Settings
  PID:1376
- - C:\Windows\system32\powercfg.exe
    powercfg -hibernate off
    3⤵
    - Power Settings
    PID:2780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f
  2⤵
  PID:1364
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f
    3⤵
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
  2⤵
  PID:1640
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f
    3⤵
    PID:1292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" /f
  2⤵
  PID:2308
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f
    3⤵
    PID:880
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f
    3⤵
    PID:1708
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:856
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2336
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:564
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:744
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:980
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1516
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f
    3⤵
    PID:3036
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1716
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2592
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2440
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:976
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2400
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f
    3⤵
    PID:2988
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f
    3⤵
    PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:376
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f
    3⤵
    PID:1648
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2864
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2516
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED
  2⤵
  PID:1108
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED
    3⤵
    PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop wsearch /y
  2⤵
  PID:3028
- - C:\Windows\system32\net.exe
    net stop wsearch /y
    3⤵
    PID:2528
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop wsearch /y
      4⤵
      PID:300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C esentutl /d %programdata%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
  2⤵
  PID:156
- - C:\Windows\system32\esentutl.exe
    esentutl /d C:\ProgramData\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
    3⤵
    PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net start wsearch
  2⤵
  PID:776
- - C:\Windows\system32\net.exe
    net start wsearch
    3⤵
    PID:556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start wsearch
      4⤵
      PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-Volume | Optimize-Volume -defrag -ReTrim
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $RemoveAppPkgs = (Get-AppxPackage -AllUsers).Name; $whitelistapps = @('Microsoft.MicrosoftOfficeHub','Microsoft.Office.OneNote','Microsoft.WindowsAlarms','Microsoft.WindowsCalculator','Microsoft.WindowsCamera','microsoft.windowscommunicationsapps','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.0','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.0','Microsoft.WindowsAppRuntime.1.3','Microsoft.NET.Native.Framework.1.7','MicrosoftWindows.Client.Core','Microsoft.LockApp','Microsoft.ECApp','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.Search','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.SecHealthUI','Microsoft.SecHealthUI','Microsoft.WindowsAppRuntime.CBS','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.120.00.UWPDesktop','Microsoft.VCLibs.110.00.UWPDesktop','Microsoft.DirectXRuntime','Microsoft.XboxGameOverlay','Microsoft.XboxGamingOverlay','Microsoft.GamingApp','Microsoft.GamingServices','Microsoft.XboxIdentityProvider','Microsoft.Xbox.TCUI','Microsoft.AccountsControl','Microsoft.WindowsStore','Microsoft.StorePurchaseApp','Microsoft.VP9VideoExtensions','Microsoft.RawImageExtension','Microsoft.HEIFImageExtension','Microsoft.HEIFImageExtension','Microsoft.WebMediaExtensions','RealtekSemiconductorCorp.RealtekAudioControl','Microsoft.MicrosoftEdge','Microsoft.MicrosoftEdge.Stable','MicrosoftWindows.Client.FileExp','NVIDIACorp.NVIDIAControlPanel','AppUp.IntelGraphicsExperience','Microsoft.Paint','Microsoft.Messaging','Microsoft.AsyncTextService','Microsoft.CredDialogHost','Microsoft.Win32WebViewHost','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.SecondaryTileExperience','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','Windows.MiracastView','Windows.ContactSupport','Windows.PrintDialog','c5e2524a-ea46-4f67-841f-6a9465d9d515','windows.immersivecontrolpanel','WinRAR.ShellExtension','Microsoft.WindowsNotepad','MicrosoftWindows.Client.WebExperience','Microsoft.ZuneMusic','Microsoft.ZuneVideo','Microsoft.OutlookForWindows','MicrosoftWindows.Ai.Copilot.Provider','Microsoft.WindowsTerminal','Microsoft.Windows.Terminal','WindowsTerminal','Microsoft.Winget.Source','Microsoft.DesktopAppInstaller','Microsoft.Services.Store.Engagement','Microsoft.HEVCVideoExtension','Microsoft.WebpImageExtension','MicrosoftWindows.CrossDevice','NotepadPlusPlus','MicrosoftCorporationII.WinAppRuntime.Main.1.5','Microsoft.WindowsAppRuntime.1.5','MicrosoftCorporationII.WinAppRuntime.Singleton','Microsoft.WindowsSoundRecorder','MicrosoftCorporationII.WinAppRuntime.Main.1.4','MicrosoftWindows.Client.LKG','MicrosoftWindows.Client.CBS','Microsoft.VCLibs.140.00','Microsoft.Windows.CloudExperienceHost','SpotifyAB.SpotifyMusic','Microsoft.SkypeApp','5319275A.WhatsAppDesktop','FACEBOOK.317180B0BB486','TelegramMessengerLLP.TelegramDesktop','4DF9E0F8.Netflix','Discord','Paint','mspaint','Microsoft.Windows.Paint','Microsoft.MicrosoftEdge.Stable','1527c705-839a-4832-9118-54d4Bd6a0c89','c5e2524a-ea46-4f67-841f-6a9465d9d515','E2A4F912-2574-4A75-9BB0-0D023378592B','F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE','Microsoft.AAD.BrokerPlugin','Microsoft.AccountsControl','Microsoft.AsyncTextService','Microsoft.BioEnrollment','Microsoft.CredDialogHost','Microsoft.ECApp','Microsoft.LockApp','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.UI.Xaml.CBS','Microsoft.Win32WebViewHost','Microsoft.Windows.Apprep.ChxApp','Microsoft.Windows.AssignedAccessLockApp','Microsoft.Windows.CapturePicker','Microsoft.Windows.CloudExperienceHost','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.NarratorQuickStart','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.ParentalControls','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.PrintQueueActionCenter','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.Client.AIX','MicrosoftWindows.Client.FileExp','MicrosoftWindows.Client.OOBE','MicrosoftWindows.LKG.Search','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','windows.immersivecontrolpanel','Windows.PrintDialog','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.SecHealthUI','Microsoft.Services.Store.Engagement','Microsoft.UI.Xaml.2.8','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.140.00','Microsoft.VCLibs.140.00','Microsoft.WindowsAppRuntime.1.3','Microsoft.WindowsCamera','Microsoft.XboxIdentityProvider','Microsoft.ZuneMusic','RealtekSemiconductorCorp.RealtekAudioControl','DolbyLaboratories.DolbyAudioPremium','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.0','AppUp.IntelGraphicsExperience','Microsoft.NET.Native.Runtime.2.0','Microsoft.Windows.AugLoop.CBS','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.WindowsAppRuntime.CBS.1.6','Microsoft.WindowsAppRuntime.CBS','MicrosoftWindows.Client.CBS','MicrosoftWindows.Client.Core','MicrosoftWindows.Client.Photon','MicrosoftWindows.LKG.AccountsService','MicrosoftWindows.LKG.DesktopSpotlight','MicrosoftWindows.LKG.IrisService','MicrosoftWindows.LKG.RulesEngine','MicrosoftWindows.LKG.SpeechRuntime','MicrosoftWindows.LKG.TwinSxS','Microsoft.VCLibs.140.00','Microsoft.Copilot','Microsoft.OneDriveSync','Microsoft.OutlookForWindows','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.WindowsAppRuntime.1.5','Microsoft.WindowsAppRuntime.1.5','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.Windows.DevHome','Microsoft.UI.Xaml.2.8','Microsoft.Paint','MicrosoftWindows.Client.WebExperience','Microsoft.WindowsStore','Microsoft.WindowsNotepad','Microsoft.WidgetsPlatformRuntime','Microsoft.Xbox.TCUI','Microsoft.WebpImageExtension','Microsoft.WebMediaExtensions','Microsoft.RawImageExtension','Microsoft.HEVCVideoExtension','Microsoft.HEIFImageExtension','Microsoft.WindowsTerminal','Microsoft.DesktopAppInstaller','Microsoft.StartExperiencesApp','Microsoft.StorePurchaseApp','Microsoft.GamingApp','Microsoft.VP9VideoExtensions','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.7','Microsoft.XboxGamingOverlay','Microsoft.WindowsCalculator','Microsoft.WindowsSoundRecorder','Microsoft.WindowsAlarms','Microsoft.MicrosoftOfficeHub','Microsoft.WindowsAppRuntime.1.6','Microsoft.WindowsAppRuntime.1.6','MicrosoftWindows.CrossDevice'); ForEach($TargetApp in $RemoveAppPkgs){ If( $whitelistapps -notcontains $TargetApp) { Get-AppxPackage -Name $TargetApp -AllUsers | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue; Get-AppXProvisionedPackage -Online | Where-Object DisplayName -EQ $TargetApp | Remove-AppxProvisionedPackage -Online }}
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MTPW" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CiscoMeetingDaemon" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Smart Cleaning" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Monitor" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Spotify Web Helper" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Gaijin.Net Updater" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "com.squirrel.Teams.Teams" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "BitTorrent Bleep" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "adobeAAMUpdater-1.0" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "AdobeAAMUpdater" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "iTunesHelper" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdatePPShortCut" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Opera Browser Assistant" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Steam" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EADM" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EpicGamesLauncher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GogGalaxy" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype for Desktop" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Wargaming.net Game Center" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ut" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Lync" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Google Chrome" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Microsoft Edge" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_E9C49D8E9BDC4095F482C844743B9E82" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_D3AB3F7FBB44621987441AECEC1156AD" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Edge Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_31CF12C7FD715D87B15C2DF57BBF8D3E" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Discord" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Ubisoft Game Launcher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "com.blitz.app" /f
  2⤵
  PID:2632
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f
    3⤵
    PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1292
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
    3⤵
    PID:2436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
    3⤵
    PID:1536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
  2⤵
  PID:1356
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
    3⤵
    PID:576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
    3⤵
    PID:2664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
  2⤵
  PID:1812
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
    3⤵
    PID:2864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:2516
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
    3⤵
    PID:1476
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
    3⤵
    PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2784
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1872
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2528
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2816
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:800
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:2144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2936
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:3044
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:1740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1744
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1668
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:684
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2768
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
  2⤵
  PID:1612
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:2472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1688
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:2488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
  2⤵
  PID:2632
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    PID:1816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
  2⤵
  PID:1292
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f
    3⤵
    PID:2884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)
  2⤵
  PID:652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:1760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
  2⤵
  PID:2792
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
    3⤵
    PID:2308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:1648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
  2⤵
  PID:2512
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
    3⤵
    PID:2460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
  2⤵
  PID:2076
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
    3⤵
    PID:2872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:1108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1092
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
  2⤵
  PID:984
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
    3⤵
    PID:2124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    3⤵
    PID:1712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:3012
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
  2⤵
  PID:3056
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
    3⤵
    PID:1368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1276
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2900
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
  2⤵
  PID:2628
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:2908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
  2⤵
  PID:1312
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
  2⤵
  PID:1924
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
  2⤵
  PID:1260
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
  2⤵
  PID:2744
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
  2⤵
  PID:2280
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
  2⤵
  PID:2272
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:3032
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1372
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:2936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
  2⤵
  PID:1120
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:308
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:748
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1604
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies Security services
    PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2916
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003E8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-33606343-16574787499753275491895431221150362152212016239001445442535671619862"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-161672260440114241448697740-50800903-696109317-117604240018444196221312953779"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14452525411707739676-1248069831-539255364-374945345-746655841946203352496578857"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14885031851117959986673163554-1485636742552509948-348461025-16357125991757287769"
1⤵
PID:2780

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "242170742-1016024445-16656062651960623335-62192812411163940321236656956565094839"
1⤵
PID:2840

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-594991085-1262394452-20381278801829001322-74328554-175106799310114981221619190495"
1⤵
PID:2080

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13449306342406677828800284671604941087-20133686931586516124382509485-646558998"
1⤵
PID:1920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2088564432-593342215-117395344811924802221316889072573202791581520409-1432208420"
1⤵
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1856749349-150360431-3015913441726834216-784575795-1674825705-680623011-73582905"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "191413517-15507142712093527470116218631120338212051539400233223021131-681499516"
1⤵
PID:2328

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "823538525-359398056-1800956328-752589612531723066-30272455-9482621081519568965"
1⤵
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-429690661-110268484811961037311743008444-652890579-1495146797-2014444969-721992621"
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-492467930846078094-1574488978-13746668551349480913-197721655212217356641400411721"
1⤵
PID:2400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1229803517-20939131281437020320-4972159801542803769-1784328575-1852983463-845679195"
1⤵
PID:3056

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
PID:2452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:660
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  - Modifies data under HKEY_USERS
  PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1070608082-1791478455295324646-41365058-5775718391689074650-759833237788724367"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11899270331034922621336833963-645002340-1194493049-511762199-1972626188487227799"
1⤵
PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-106929274-18734849801371860527-1436410824-5963455301260343723-12144262201118359733"
1⤵
PID:2272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20874152178230131431601085913-299957430-11427883514784569301744635065-1728955751"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1009239634467654830-4906701451615097867157119449-442428074-15412044051888852491"
1⤵
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-668633543-574307207-3520684722059681463-1056380071-2591676861230871488-536964425"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158568954220153648991035680095-17832759521166832807356455267-351084897-1223094259"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-971977201-389036578-1845105683-18840061401521175313-45082689-3996778441787504025"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-171174380-767624034-1923982098182571768791180215-1820772942139472700-1088834179"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1642992931724541005-1143643933611670412-1667771524-1332013909369785087-1322598339"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-851006397-473192584-403188820-19156770463197548221813009140-200045751-2013502826"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1009333233-1974912206-2599954646821610641270035085125768122-18529947321580341043"
1⤵
PID:2024

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1928297706-1821072020-991978948109542731720849303744375144121423657593305636334"
1⤵
PID:352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-79845987-9932613951454417800210502204-762312212760191408-13137970271456491782"
1⤵
PID:1524

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:2908
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:928
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  - Modifies data under HKEY_USERS
  PID:960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "878045291-1027844578-19413402501818904422111685450-936388355455286302056155081"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-738306258-1711544222-1324381258-19401187591582981053-10795927532046933838-454230230"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12441575531307150674-9564801481111082676154513133611459394-7086729261635660500"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1038513950-13331217951322184421-2019675657-87277585615328631261336129524753313"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "783782080-3259347436570272971380935289-486422288-19718314421840300301-503407204"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "857547201803956725-1640510074-18379009641932198942-1069415397-1320819549-1902198876"
1⤵
PID:888

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-508843538-19075548092039729530-2072970627-77091741516209074911378901573734172045"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1152733895-1452682313-129222291516243744032796743071399586187815398732-1196373947"
1⤵
PID:2468

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1996
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 516
  2⤵
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry