Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
104b5d342b8c...86.exe
windows7-x64
94b5d342b8c...86.exe
windows10-2004-x64
94bb452a3de...a3.exe
windows7-x64
104bb452a3de...a3.exe
windows10-2004-x64
74bbf1f33d0...4d.exe
windows7-x64
84bbf1f33d0...4d.exe
windows10-2004-x64
84bc17871c1...64.exe
windows7-x64
104bc17871c1...64.exe
windows10-2004-x64
104be84836f6...c8.exe
windows7-x64
104be84836f6...c8.exe
windows10-2004-x64
104c2f38b994...d5.exe
windows7-x64
104c2f38b994...d5.exe
windows10-2004-x64
104c948e4226...26.exe
windows7-x64
104c948e4226...26.exe
windows10-2004-x64
104ca1d61a24...2e.exe
windows7-x64
104ca1d61a24...2e.exe
windows10-2004-x64
104cc3e6fe69...22.exe
windows7-x64
104cc3e6fe69...22.exe
windows10-2004-x64
104cf9706999...8e.exe
windows7-x64
104cf9706999...8e.exe
windows10-2004-x64
104d8cd82fa6...d5.exe
windows7-x64
104d8cd82fa6...d5.exe
windows10-2004-x64
104d947659fe...19.exe
windows7-x64
104d947659fe...19.exe
windows10-2004-x64
104dac62ad00...ec.exe
windows7-x64
104dac62ad00...ec.exe
windows10-2004-x64
104dde57eed0...7b.exe
windows7-x64
104dde57eed0...7b.exe
windows10-2004-x64
104e1fdde317...d3.exe
windows7-x64
104e1fdde317...d3.exe
windows10-2004-x64
104e248cce2f...a7.exe
windows7-x64
104e248cce2f...a7.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22/03/2025, 06:10
Behavioral task
behavioral1
Sample
4b5d342b8c5a5b19fac86b1315802786.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
4b5d342b8c5a5b19fac86b1315802786.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral3
Sample
4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
4bb452a3de5825053bceee8fd5ee6db144ef8c4615a71a8408ee7de4df789fa3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral5
Sample
4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d.exe
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
4bbf1f33d0196e9a4ffae1877690bd000c7f728d546252ced45e60ecfe25e04d.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral7
Sample
4bc17871c10bb28c4e2b5e2f1d9e4664.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
4bc17871c10bb28c4e2b5e2f1d9e4664.exe
Resource
win10v2004-20250313-en
Behavioral task
behavioral9
Sample
4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8.exe
Resource
win7-20250207-en
Behavioral task
behavioral10
Sample
4be84836f68985fd15cbf992a7b0e782d1bab4439960e27c6e252e76a89ce2c8.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral11
Sample
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
4c2f38b99403c4aaca4e0a524b094c17b8d7b462af1041dee9e7562c512af4d5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral13
Sample
4c948e42267877c379b01be5faa66926.exe
Resource
win7-20240729-en
Behavioral task
behavioral14
Sample
4c948e42267877c379b01be5faa66926.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral15
Sample
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
4ca1d61a2465b19118d75478ec45e38cf03e101fd7422cfb04e4a526251ac92e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral17
Sample
4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
4cc3e6fe699a661d5a6ea786a93cfacd887570860b351476e5f5a1d3616bf922.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral19
Sample
4cf97069999c57b9ff02fc34f4efbe8e.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
4cf97069999c57b9ff02fc34f4efbe8e.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral21
Sample
4d8cd82fa6662df02eb5af2abbf815d5.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
4d8cd82fa6662df02eb5af2abbf815d5.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral23
Sample
4d947659fef83a302fd6b7451b980b19.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
4d947659fef83a302fd6b7451b980b19.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral25
Sample
4dac62ad007ffed0e0d4b738af6da8ec.exe
Resource
win7-20250207-en
Behavioral task
behavioral26
Sample
4dac62ad007ffed0e0d4b738af6da8ec.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral27
Sample
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
4dde57eed00149aa841c1408694ff4614ca0f5c17c6b4ef8040bef7639be857b.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral29
Sample
4e1fdde317913d69f35aa03397b5ded3.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
4e1fdde317913d69f35aa03397b5ded3.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral31
Sample
4e248cce2fb9b5f155ca62d21c6e9da7.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
4e248cce2fb9b5f155ca62d21c6e9da7.exe
Resource
win10v2004-20250314-en
General
-
Target
4d947659fef83a302fd6b7451b980b19.exe
-
Size
950KB
-
MD5
4d947659fef83a302fd6b7451b980b19
-
SHA1
7468328d4d3e8b2524a934da3b640bee161f7df6
-
SHA256
b3a6071623729a413d12130d4ad6b6f633ffaceb69c965f19e815283d3a08700
-
SHA512
bc71f8f4495bc9272f727e7c097eb5a4404ffd4fa87d99dc72470c439b3470146e704f289ab47ea00a22d8e50c9d808455344792aa717c8d252196299df7408a
-
SSDEEP
6144:gUnwuPAbvR+LEx+R2EmwY9JpoY+T2QmwU:gUwyE+1mwY9+XmwU
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" Process not Found Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" reg.exe -
Modifies security service 2 TTPs 14 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" Process not Found -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" reg.exe -
Modifies boot configuration data using bcdedit 5 IoCs
pid Process 2168 bcdedit.exe 2648 bcdedit.exe 1636 bcdedit.exe 2336 bcdedit.exe 2816 bcdedit.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} ie4uinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" ie4uinit.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} ie4uinit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" ie4uinit.exe Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" ie4uinit.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 14 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe reg.exe -
Stops running service(s) 4 TTPs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 1 IoCs
pid Process 1348 dismhost.exe -
Loads dropped DLL 27 IoCs
pid Process 1500 cleanmgr.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe 1348 dismhost.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
pid Process 2008 powershell.exe 2800 powershell.exe 1312 Process not Found 2148 Process not Found 1424 Process not Found 1852 Process not Found 3052 powershell.exe 1308 powershell.exe 856 powershell.exe 980 powershell.exe 2928 powershell.exe 2332 powershell.exe 1356 powershell.exe 2744 powershell.exe 1972 powershell.exe 2084 powershell.exe 1344 Process not Found 2624 Process not Found 900 Process not Found 156 Process not Found 1468 Process not Found 2792 powershell.exe 2900 powershell.exe 1504 powershell.exe 1644 Process not Found 2660 Process not Found 2976 Process not Found 1636 powershell.exe 2660 powershell.exe 1984 powershell.exe 2244 powershell.exe 2800 powershell.exe 2472 powershell.exe 752 powershell.exe 2028 Process not Found 484 powershell.exe 2368 powershell.exe 1348 powershell.exe 3024 Process not Found 1508 Process not Found 2692 powershell.exe 2692 powershell.exe 2372 powershell.exe 2436 powershell.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\F: cleanmgr.exe -
Indicator Removal: Clear Persistence 1 TTPs 1 IoCs
Clear artifacts associated with previously established persistence like scheduletasks on a host.
pid Process 928 cmd.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Modifies Security services 2 TTPs 56 IoCs
Modifies the startup behavior of a security service.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" Process not Found Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SecurityHealthService\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisSvc\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdBoot\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdNisDrv\Start = "4" reg.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WdFilter\Start = "4" reg.exe -
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Power Settings 1 TTPs 22 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 1920 powercfg.exe 2592 Process not Found 1508 powercfg.exe 2784 cmd.exe 1184 powercfg.exe 2948 cmd.exe 604 powercfg.exe 576 Process not Found 3052 Process not Found 1300 cmd.exe 1376 cmd.exe 2592 Process not Found 652 Process not Found 576 cmd.exe 2192 powercfg.exe 1736 powercfg.exe 3016 powercfg.exe 1784 cmd.exe 316 cmd.exe 2780 powercfg.exe 744 Process not Found 1124 cmd.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat SearchProtocolHost.exe -
Drops file in Windows directory 5 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Logs\DISM\dism.log cleanmgr.exe File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe -
Hide Artifacts: Ignore Process Interrupts 1 TTPs 13 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid Process 2288 Process not Found 1344 Process not Found 1376 powershell.exe 2184 powershell.exe 300 Process not Found 1912 Process not Found 3040 Process not Found 2848 powershell.exe 2380 powershell.exe 1344 powershell.exe 2656 powershell.exe 2700 powershell.exe 1140 Process not Found -
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1276 sc.exe 2712 sc.exe 2632 sc.exe 2920 sc.exe 2828 sc.exe 2120 sc.exe 2768 sc.exe 752 sc.exe 2564 sc.exe 1372 sc.exe 2148 sc.exe 684 sc.exe 1808 sc.exe 3052 sc.exe 376 sc.exe 2496 sc.exe 2728 sc.exe 2348 sc.exe 1516 sc.exe 1712 sc.exe 1880 sc.exe 2196 sc.exe 2304 sc.exe 2028 sc.exe 548 sc.exe 1604 sc.exe 2600 sc.exe 556 sc.exe 316 sc.exe 2224 sc.exe 2244 sc.exe 2208 sc.exe 3040 sc.exe 2592 sc.exe 872 sc.exe 2732 sc.exe 2644 sc.exe 744 sc.exe 1980 sc.exe 1840 sc.exe 2008 sc.exe 1240 sc.exe 652 sc.exe 2848 sc.exe 2948 sc.exe 2992 sc.exe 1812 sc.exe 2808 sc.exe 2444 sc.exe 3048 sc.exe 1072 sc.exe 1888 sc.exe 2744 sc.exe 2312 sc.exe 272 sc.exe 2184 sc.exe 1728 sc.exe 1568 sc.exe 2740 sc.exe 2380 sc.exe 552 sc.exe 1124 sc.exe 1776 sc.exe 1664 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation ie4uinit.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" ie4uinit.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main ie4uinit.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "4" ie4uinit.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities ie4uinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" ie4uinit.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-308 = "Landscapes" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-101 = "Windows PowerShell ISE" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe,-102 = "Windows PowerShell ISE (x86)" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\eHome\ehepgres.dll,-312 = "Sample Media" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\wucltux.dll,-2 = "Delivers software updates and drivers, and provides automatic updating options." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\displayswitch.exe,-320 = "Connect to a Projector" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wsecedit.dll,-718 = "Local Security Policy" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft SearchFilterHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\authFWGP.dll,-21 = "Configure policies that provide enhanced network security for Windows computers." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10311 = "More Games from Microsoft" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-103 = "Hydrangeas" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthQuantumSeconds = "180" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpClientsCount = "32" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\syncCenter.dll,-3001 = "Sync files between your computer and network folders" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap Process not Found Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication SearchFilterHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Process not Found Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\TipTsf.dll,-60 = "Enter text by using handwriting or a touch keyboard instead of a standard keyboard. You can use the writing pad or the character pad to convert your handwriting into typed text or the touch keyboard to enter characters." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10082 = "Games Explorer" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\windows journal\journal.exe,-62005 = "Tablet PC" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-106 = "Tulips" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\mblctr.exe,-1004 = "Opens the Windows Mobility Center so you can adjust display brightness, volume, power options, and other mobile PC settings." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\ieframe.dll,-914 = "SVG Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%CommonProgramFiles%\Microsoft Shared\Ink\ShapeCollector.exe,-299 = "Provide writing samples to help improve the recognition of your handwriting." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sdcpl.dll,-101 = "Backup and Restore" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\wdc.dll,-10031 = "Monitor the usage and performance of the following resources in real time: CPU, Disk, Network and Memory." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10101 = "Internet Checkers" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems." SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents." SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish" SearchProtocolHost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheWaitForSize = "32" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10059 = "Mahjong Titans" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} {0000013A-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a06bf453f29adb01 SearchProtocolHost.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\rlogin ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\ = "&Open" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\tn3270\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-909" ie4uinit.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\ = "svgfile" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\mhtmlfile ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\ = "opennew" ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\xslfile\shell\Open\ddeexec\topic ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.website\OpenWithProgIds\Microsoft.Website ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\CLSID ie4uinit.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1" ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\ShellEx\IconHandler ie4uinit.exe Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\xhtmlfile ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shell ie4uinit.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-913" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-915" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\ = "xhtmlfile" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\rlogin\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-908" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\URL Protocol ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\DefaultIcon ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\ = "mhtmlfile" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731" ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1" ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\IconHandler ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\ddeexec ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" ie4uinit.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion reg.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\command ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\CommandId = "IE.Protocol" ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.url ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\URL Protocol ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\DefaultIcon ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\opennew\command ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-904" ie4uinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\EditFlags = "2" ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE,-32554" ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command ie4uinit.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew\CommandId = "IE.File" ie4uinit.exe Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\http\DefaultIcon ie4uinit.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-912" ie4uinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open ie4uinit.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 1152 reg.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2372 powershell.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2356 4d947659fef83a302fd6b7451b980b19.exe 2436 powershell.exe 2900 powershell.exe 484 powershell.exe 1308 powershell.exe 2692 powershell.exe 856 powershell.exe 1636 powershell.exe 980 powershell.exe 2928 powershell.exe 2848 powershell.exe 2332 powershell.exe 2008 powershell.exe 2744 powershell.exe 1972 powershell.exe 2380 powershell.exe 2368 powershell.exe 1344 powershell.exe 3052 powershell.exe 2792 powershell.exe 2660 powershell.exe 2084 powershell.exe 2656 powershell.exe 2800 powershell.exe 1376 powershell.exe 1984 powershell.exe 1356 powershell.exe 2472 powershell.exe 2800 powershell.exe 2700 powershell.exe 2244 powershell.exe 2184 powershell.exe 1504 powershell.exe 1348 powershell.exe 752 powershell.exe 1852 Process not Found 1140 Process not Found 1344 Process not Found 2288 Process not Found 2624 Process not Found 2028 Process not Found 1312 Process not Found 1644 Process not Found 300 Process not Found 2660 Process not Found 1344 Process not Found 900 Process not Found 3024 Process not Found 2148 Process not Found 156 Process not Found 1912 Process not Found 1468 Process not Found 3040 Process not Found 2976 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2356 4d947659fef83a302fd6b7451b980b19.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2372 powershell.exe Token: SeDebugPrivilege 2356 4d947659fef83a302fd6b7451b980b19.exe Token: 33 2356 4d947659fef83a302fd6b7451b980b19.exe Token: SeIncBasePriorityPrivilege 2356 4d947659fef83a302fd6b7451b980b19.exe Token: SeDebugPrivilege 2436 powershell.exe Token: SeBackupPrivilege 2940 vssvc.exe Token: SeRestorePrivilege 2940 vssvc.exe Token: SeAuditPrivilege 2940 vssvc.exe Token: SeRestorePrivilege 2188 DrvInst.exe Token: SeRestorePrivilege 2188 DrvInst.exe Token: SeRestorePrivilege 2188 DrvInst.exe Token: SeRestorePrivilege 2188 DrvInst.exe Token: SeRestorePrivilege 2188 DrvInst.exe Token: SeRestorePrivilege 2188 DrvInst.exe Token: SeRestorePrivilege 2188 DrvInst.exe Token: SeLoadDriverPrivilege 2188 DrvInst.exe Token: SeLoadDriverPrivilege 2188 DrvInst.exe Token: SeLoadDriverPrivilege 2188 DrvInst.exe Token: SeShutdownPrivilege 1736 powercfg.exe Token: SeShutdownPrivilege 3016 powercfg.exe Token: SeShutdownPrivilege 1184 powercfg.exe Token: SeShutdownPrivilege 1920 powercfg.exe Token: SeShutdownPrivilege 604 powercfg.exe Token: SeDebugPrivilege 2900 powershell.exe Token: SeDebugPrivilege 484 powershell.exe Token: SeDebugPrivilege 1308 powershell.exe Token: SeDebugPrivilege 2692 powershell.exe Token: SeDebugPrivilege 856 powershell.exe Token: SeDebugPrivilege 1636 powershell.exe Token: SeDebugPrivilege 980 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeSecurityPrivilege 1636 powershell.exe Token: SeBackupPrivilege 1636 powershell.exe Token: SeDebugPrivilege 2928 powershell.exe Token: SeDebugPrivilege 2848 powershell.exe Token: SeDebugPrivilege 2332 powershell.exe Token: SeDebugPrivilege 2008 powershell.exe Token: SeDebugPrivilege 2744 powershell.exe -
Suspicious use of SetWindowsHookEx 37 IoCs
pid Process 660 SearchProtocolHost.exe 660 SearchProtocolHost.exe 660 SearchProtocolHost.exe 660 SearchProtocolHost.exe 660 SearchProtocolHost.exe 660 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 928 SearchProtocolHost.exe 2028 SearchProtocolHost.exe 2028 SearchProtocolHost.exe 2028 SearchProtocolHost.exe 2028 SearchProtocolHost.exe 2028 SearchProtocolHost.exe 1604 Process not Found 1604 Process not Found 1604 Process not Found 1604 Process not Found 1604 Process not Found 1604 Process not Found 2424 Process not Found 2424 Process not Found 2424 Process not Found 2424 Process not Found 2424 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2372 2356 4d947659fef83a302fd6b7451b980b19.exe 30 PID 2356 wrote to memory of 2372 2356 4d947659fef83a302fd6b7451b980b19.exe 30 PID 2356 wrote to memory of 2372 2356 4d947659fef83a302fd6b7451b980b19.exe 30 PID 2372 wrote to memory of 2732 2372 powershell.exe 33 PID 2372 wrote to memory of 2732 2372 powershell.exe 33 PID 2372 wrote to memory of 2732 2372 powershell.exe 33 PID 2356 wrote to memory of 2768 2356 4d947659fef83a302fd6b7451b980b19.exe 34 PID 2356 wrote to memory of 2768 2356 4d947659fef83a302fd6b7451b980b19.exe 34 PID 2356 wrote to memory of 2768 2356 4d947659fef83a302fd6b7451b980b19.exe 34 PID 2356 wrote to memory of 2900 2356 4d947659fef83a302fd6b7451b980b19.exe 36 PID 2356 wrote to memory of 2900 2356 4d947659fef83a302fd6b7451b980b19.exe 36 PID 2356 wrote to memory of 2900 2356 4d947659fef83a302fd6b7451b980b19.exe 36 PID 2900 wrote to memory of 2168 2900 cmd.exe 38 PID 2900 wrote to memory of 2168 2900 cmd.exe 38 PID 2900 wrote to memory of 2168 2900 cmd.exe 38 PID 2356 wrote to memory of 1980 2356 4d947659fef83a302fd6b7451b980b19.exe 39 PID 2356 wrote to memory of 1980 2356 4d947659fef83a302fd6b7451b980b19.exe 39 PID 2356 wrote to memory of 1980 2356 4d947659fef83a302fd6b7451b980b19.exe 39 PID 1980 wrote to memory of 2648 1980 cmd.exe 41 PID 1980 wrote to memory of 2648 1980 cmd.exe 41 PID 1980 wrote to memory of 2648 1980 cmd.exe 41 PID 2356 wrote to memory of 2436 2356 4d947659fef83a302fd6b7451b980b19.exe 43 PID 2356 wrote to memory of 2436 2356 4d947659fef83a302fd6b7451b980b19.exe 43 PID 2356 wrote to memory of 2436 2356 4d947659fef83a302fd6b7451b980b19.exe 43 PID 2356 wrote to memory of 3020 2356 4d947659fef83a302fd6b7451b980b19.exe 49 PID 2356 wrote to memory of 3020 2356 4d947659fef83a302fd6b7451b980b19.exe 49 PID 2356 wrote to memory of 3020 2356 4d947659fef83a302fd6b7451b980b19.exe 49 PID 3020 wrote to memory of 552 3020 cmd.exe 51 PID 3020 wrote to memory of 552 3020 cmd.exe 51 PID 3020 wrote to memory of 552 3020 cmd.exe 51 PID 2356 wrote to memory of 1300 2356 4d947659fef83a302fd6b7451b980b19.exe 52 PID 2356 wrote to memory of 1300 2356 4d947659fef83a302fd6b7451b980b19.exe 52 PID 2356 wrote to memory of 1300 2356 4d947659fef83a302fd6b7451b980b19.exe 52 PID 1300 wrote to memory of 1736 1300 cmd.exe 54 PID 1300 wrote to memory of 1736 1300 cmd.exe 54 PID 1300 wrote to memory of 1736 1300 cmd.exe 54 PID 2356 wrote to memory of 1124 2356 4d947659fef83a302fd6b7451b980b19.exe 55 PID 2356 wrote to memory of 1124 2356 4d947659fef83a302fd6b7451b980b19.exe 55 PID 2356 wrote to memory of 1124 2356 4d947659fef83a302fd6b7451b980b19.exe 55 PID 1124 wrote to memory of 3016 1124 cmd.exe 57 PID 1124 wrote to memory of 3016 1124 cmd.exe 57 PID 1124 wrote to memory of 3016 1124 cmd.exe 57 PID 2356 wrote to memory of 2784 2356 4d947659fef83a302fd6b7451b980b19.exe 58 PID 2356 wrote to memory of 2784 2356 4d947659fef83a302fd6b7451b980b19.exe 58 PID 2356 wrote to memory of 2784 2356 4d947659fef83a302fd6b7451b980b19.exe 58 PID 2784 wrote to memory of 1184 2784 cmd.exe 60 PID 2784 wrote to memory of 1184 2784 cmd.exe 60 PID 2784 wrote to memory of 1184 2784 cmd.exe 60 PID 2356 wrote to memory of 1784 2356 4d947659fef83a302fd6b7451b980b19.exe 61 PID 2356 wrote to memory of 1784 2356 4d947659fef83a302fd6b7451b980b19.exe 61 PID 2356 wrote to memory of 1784 2356 4d947659fef83a302fd6b7451b980b19.exe 61 PID 1784 wrote to memory of 1920 1784 cmd.exe 63 PID 1784 wrote to memory of 1920 1784 cmd.exe 63 PID 1784 wrote to memory of 1920 1784 cmd.exe 63 PID 2356 wrote to memory of 2948 2356 4d947659fef83a302fd6b7451b980b19.exe 64 PID 2356 wrote to memory of 2948 2356 4d947659fef83a302fd6b7451b980b19.exe 64 PID 2356 wrote to memory of 2948 2356 4d947659fef83a302fd6b7451b980b19.exe 64 PID 2948 wrote to memory of 604 2948 cmd.exe 66 PID 2948 wrote to memory of 604 2948 cmd.exe 66 PID 2948 wrote to memory of 604 2948 cmd.exe 66 PID 2356 wrote to memory of 980 2356 4d947659fef83a302fd6b7451b980b19.exe 67 PID 2356 wrote to memory of 980 2356 4d947659fef83a302fd6b7451b980b19.exe 67 PID 2356 wrote to memory of 980 2356 4d947659fef83a302fd6b7451b980b19.exe 67 PID 980 wrote to memory of 1636 980 cmd.exe 69 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d947659fef83a302fd6b7451b980b19.exe"C:\Users\Admin\AppData\Local\Temp\4d947659fef83a302fd6b7451b980b19.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ProcessorType=Get-WMIObject win32_Processor | select Name | findstr /c:AMD /c:Intel; $ProcessorType = $ProcessorType.Replace('(R)','').Replace('(TM)','') > CPUL.txt2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\system32\findstr.exe"C:\Windows\system32\findstr.exe" /c:AMD /c:Intel3⤵PID:2732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /f /q CPUL.txt2⤵PID:2768
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot2⤵
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\system32\bcdedit.exebcdedit /deletevalue {current} safeboot3⤵
- Modifies boot configuration data using bcdedit
PID:2168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot2⤵
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\system32\bcdedit.exebcdedit /deletevalue {current} safeboot3⤵
- Modifies boot configuration data using bcdedit
PID:2648
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command [console]::WindowWidth=80;[console]::WindowHeight=23;[console]::BufferWidth = [console]::WindowWidth; Enable-ComputerRestore -Drive $env:systemdrive; Checkpoint-Computer -Description "ET-RestorePoint" -RestorePointType "MODIFY_SETTINGS"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f2⤵
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\system32\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f3⤵PID:552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg -setactive scheme_min2⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\powercfg.exepowercfg -setactive scheme_min3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb612⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\system32\powercfg.exepowercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb613⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d2⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\system32\powercfg.exepowercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\system32\powercfg.exepowercfg /X standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\powercfg.exepowercfg /X standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set timeout 32⤵
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\system32\bcdedit.exebcdedit /set timeout 33⤵
- Modifies boot configuration data using bcdedit
PID:1636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /timeout 32⤵PID:1768
-
C:\Windows\system32\bcdedit.exebcdedit /timeout 33⤵
- Modifies boot configuration data using bcdedit
PID:2336
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f && reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f2⤵PID:1824
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f3⤵PID:1276
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f3⤵PID:828
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f2⤵PID:768
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f3⤵PID:3040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f2⤵PID:2212
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f3⤵PID:3036
-
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f3⤵PID:1480
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "BackgroundServicesPriority" /t REG_DWORD /d 10 /f2⤵PID:976
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "BackgroundServicesPriority" /t REG_DWORD /d 10 /f3⤵PID:2836
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d 10 /f2⤵PID:3060
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d 10 /f3⤵PID:2328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f2⤵PID:652
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f3⤵PID:1628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f2⤵PID:888
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f3⤵PID:2296
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f2⤵PID:1812
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f3⤵PID:1592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f2⤵PID:2104
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f3⤵PID:2540
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f2⤵PID:2016
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f3⤵PID:1996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f2⤵PID:2376
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f3⤵
- Modifies registry class
PID:2924
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f3⤵
- Modifies registry class
PID:2792
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f3⤵PID:2324
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f3⤵PID:2740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f2⤵PID:2996
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f3⤵PID:1688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f2⤵PID:2724
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f3⤵PID:2896
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f3⤵PID:2800
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f3⤵PID:2808
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f3⤵PID:2844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {current} numproc %NUMBER_OF_PROCESSORS%2⤵PID:2744
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} numproc 83⤵
- Modifies boot configuration data using bcdedit
PID:2816
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-WmiObject win32_Processor | findstr /r "Intel" > NOLPi.txt2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900 -
C:\Windows\system32\findstr.exe"C:\Windows\system32\findstr.exe" /r Intel3⤵PID:1504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f2⤵PID:556
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f3⤵PID:1908
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f3⤵PID:1348
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f3⤵PID:684
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f3⤵PID:1508
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f3⤵PID:2956
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f3⤵PID:1984
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f3⤵PID:2944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /f /q NOLPi.txt && del /f /q NOLP.txt2⤵PID:2968
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f2⤵PID:2208
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f3⤵PID:680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f2⤵PID:2120
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f3⤵PID:2288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f2⤵PID:1432
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f3⤵PID:812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f2⤵PID:1108
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f3⤵PID:820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f2⤵PID:2824
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f3⤵PID:2444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C SET DEVMGR_SHOW_NONPRESENT_DEVICES=12⤵PID:552
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f2⤵PID:856
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f3⤵PID:2304
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f3⤵PID:2200
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f3⤵PID:3016
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f3⤵PID:1128
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f3⤵PID:2452
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f3⤵PID:692
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f3⤵PID:1184
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f3⤵PID:2028
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f3⤵PID:1692
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f2⤵PID:1356
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f3⤵PID:1368
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command disable-windowsoptionalfeature -online -featureName Printing-XPSServices-Features -NoRestart; disable-windowsoptionalfeature -online -featureName Xps-Foundation-Xps-Viewer -NoRestart2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop DiagTrack2⤵PID:1548
-
C:\Windows\system32\sc.exesc stop DiagTrack3⤵
- Launches sc.exe
PID:744
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config DiagTrack start= disabled2⤵PID:1292
-
C:\Windows\system32\sc.exesc config DiagTrack start= disabled3⤵
- Launches sc.exe
PID:3040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop diagnosticshub.standardcollector.service2⤵PID:768
-
C:\Windows\system32\sc.exesc stop diagnosticshub.standardcollector.service3⤵
- Launches sc.exe
PID:2592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config diagnosticshub.standardcollector.service start= disabled2⤵PID:3044
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start= disabled3⤵
- Launches sc.exe
PID:1240
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop dmwappushservice2⤵PID:676
-
C:\Windows\system32\sc.exesc stop dmwappushservice3⤵
- Launches sc.exe
PID:1728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config dmwappushservice start= disabled2⤵PID:3060
-
C:\Windows\system32\sc.exesc config dmwappushservice start= disabled3⤵
- Launches sc.exe
PID:652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop RemoteRegistry2⤵PID:880
-
C:\Windows\system32\sc.exesc stop RemoteRegistry3⤵
- Launches sc.exe
PID:2148
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config RemoteRegistry start= disabled2⤵PID:1572
-
C:\Windows\system32\sc.exesc config RemoteRegistry start= disabled3⤵
- Launches sc.exe
PID:1812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop RemoteAccess2⤵PID:2540
-
C:\Windows\system32\sc.exesc stop RemoteAccess3⤵
- Launches sc.exe
PID:872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config RemoteAccess start= disabled2⤵PID:2696
-
C:\Windows\system32\sc.exesc config RemoteAccess start= disabled3⤵
- Launches sc.exe
PID:2848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop SCardSvr2⤵PID:2792
-
C:\Windows\system32\sc.exesc stop SCardSvr3⤵
- Launches sc.exe
PID:2732
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config SCardSvr start= disabled2⤵PID:2376
-
C:\Windows\system32\sc.exesc config SCardSvr start= disabled3⤵
- Launches sc.exe
PID:2920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop SCPolicySvc2⤵PID:2640
-
C:\Windows\system32\sc.exesc stop SCPolicySvc3⤵
- Launches sc.exe
PID:2808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config SCPolicySvc start= disabled2⤵PID:864
-
C:\Windows\system32\sc.exesc config SCPolicySvc start= disabled3⤵
- Launches sc.exe
PID:2768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop fax2⤵PID:2908
-
C:\Windows\system32\sc.exesc stop fax3⤵
- Launches sc.exe
PID:316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config fax start= disabled2⤵PID:2092
-
C:\Windows\system32\sc.exesc config fax start= disabled3⤵
- Launches sc.exe
PID:272
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop WerSvc2⤵PID:1964
-
C:\Windows\system32\sc.exesc stop WerSvc3⤵
- Launches sc.exe
PID:2728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config WerSvc start= disabled2⤵PID:660
-
C:\Windows\system32\sc.exesc config WerSvc start= disabled3⤵
- Launches sc.exe
PID:1980
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop NvTelemetryContainer2⤵PID:2008
-
C:\Windows\system32\sc.exesc stop NvTelemetryContainer3⤵
- Launches sc.exe
PID:684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config NvTelemetryContainer start= disabled2⤵PID:2644
-
C:\Windows\system32\sc.exesc config NvTelemetryContainer start= disabled3⤵
- Launches sc.exe
PID:1808
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop gadjservice2⤵PID:1364
-
C:\Windows\system32\sc.exesc stop gadjservice3⤵
- Launches sc.exe
PID:3052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config gadjservice start= disabled2⤵PID:264
-
C:\Windows\system32\sc.exesc config gadjservice start= disabled3⤵
- Launches sc.exe
PID:752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop AdobeARMservice2⤵PID:2288
-
C:\Windows\system32\sc.exesc stop AdobeARMservice3⤵
- Launches sc.exe
PID:2348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config AdobeARMservice start= disabled2⤵PID:2692
-
C:\Windows\system32\sc.exesc config AdobeARMservice start= disabled3⤵
- Launches sc.exe
PID:1516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop PSI_SVC_22⤵PID:1700
-
C:\Windows\system32\sc.exesc stop PSI_SVC_23⤵
- Launches sc.exe
PID:2444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config PSI_SVC_2 start= disabled2⤵PID:1716
-
C:\Windows\system32\sc.exesc config PSI_SVC_2 start= disabled3⤵
- Launches sc.exe
PID:552
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop lfsvc2⤵PID:628
-
C:\Windows\system32\sc.exesc stop lfsvc3⤵
- Launches sc.exe
PID:1124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config lfsvc start= disabled2⤵PID:2452
-
C:\Windows\system32\sc.exesc config lfsvc start= disabled3⤵
- Launches sc.exe
PID:2028
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop WalletService2⤵PID:444
-
C:\Windows\system32\sc.exesc stop WalletService3⤵
- Launches sc.exe
PID:2828
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config WalletService start= disabled2⤵PID:928
-
C:\Windows\system32\sc.exesc config WalletService start= disabled3⤵
- Launches sc.exe
PID:2224
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop RetailDemo2⤵PID:980
-
C:\Windows\system32\sc.exesc stop RetailDemo3⤵
- Launches sc.exe
PID:2948
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config RetailDemo start= disabled2⤵PID:2336
-
C:\Windows\system32\sc.exesc config RetailDemo start= disabled3⤵
- Launches sc.exe
PID:1568
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop SEMgrSvc2⤵PID:828
-
C:\Windows\system32\sc.exesc stop SEMgrSvc3⤵
- Launches sc.exe
PID:1276
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config SEMgrSvc start= disabled2⤵PID:1008
-
C:\Windows\system32\sc.exesc config SEMgrSvc start= disabled3⤵
- Launches sc.exe
PID:2244
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop diagsvc2⤵PID:1480
-
C:\Windows\system32\sc.exesc stop diagsvc3⤵
- Launches sc.exe
PID:376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config diagsvc start= disabled2⤵PID:2836
-
C:\Windows\system32\sc.exesc config diagsvc start= disabled3⤵
- Launches sc.exe
PID:1888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop AJRouter2⤵PID:1272
-
C:\Windows\system32\sc.exesc stop AJRouter3⤵
- Launches sc.exe
PID:1712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config AJRouter start= disabled2⤵PID:1608
-
C:\Windows\system32\sc.exesc config AJRouter start= disabled3⤵
- Launches sc.exe
PID:3048
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop amdfendr2⤵PID:2272
-
C:\Windows\system32\sc.exesc stop amdfendr3⤵
- Launches sc.exe
PID:2496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config amdfendr start= disabled2⤵PID:676
-
C:\Windows\system32\sc.exesc config amdfendr start= disabled3⤵
- Launches sc.exe
PID:548
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc stop amdfendrmgr2⤵PID:3060
-
C:\Windows\system32\sc.exesc stop amdfendrmgr3⤵
- Launches sc.exe
PID:1840
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config amdfendrmgr start= disabled2⤵PID:880
-
C:\Windows\system32\sc.exesc config amdfendrmgr start= disabled3⤵
- Launches sc.exe
PID:1880
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config BITS start= demand2⤵PID:1572
-
C:\Windows\system32\sc.exesc config BITS start= demand3⤵
- Launches sc.exe
PID:1604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config SamSs start= demand2⤵PID:2540
-
C:\Windows\system32\sc.exesc config SamSs start= demand3⤵
- Launches sc.exe
PID:2712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config TapiSrv start= demand2⤵PID:2696
-
C:\Windows\system32\sc.exesc config TapiSrv start= demand3⤵
- Launches sc.exe
PID:2740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config seclogon start= demand2⤵PID:2792
-
C:\Windows\system32\sc.exesc config seclogon start= demand3⤵
- Launches sc.exe
PID:2380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config wuauserv start= demand2⤵PID:2376
-
C:\Windows\system32\sc.exesc config wuauserv start= demand3⤵
- Launches sc.exe
PID:2632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config PhoneSvc start= demand2⤵PID:2896
-
C:\Windows\system32\sc.exesc config PhoneSvc start= demand3⤵
- Launches sc.exe
PID:2992
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config lmhosts start= demand2⤵PID:864
-
C:\Windows\system32\sc.exesc config lmhosts start= demand3⤵
- Launches sc.exe
PID:2744
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config iphlpsvc start= demand2⤵PID:2628
-
C:\Windows\system32\sc.exesc config iphlpsvc start= demand3⤵
- Launches sc.exe
PID:2312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config gupdate start= demand2⤵PID:2128
-
C:\Windows\system32\sc.exesc config gupdate start= demand3⤵
- Launches sc.exe
PID:2600
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config gupdatem start= demand2⤵PID:2676
-
C:\Windows\system32\sc.exesc config gupdatem start= demand3⤵
- Launches sc.exe
PID:1776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config edgeupdate start= demand2⤵PID:2964
-
C:\Windows\system32\sc.exesc config edgeupdate start= demand3⤵
- Launches sc.exe
PID:2008
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config edgeupdatem start= demand2⤵PID:1984
-
C:\Windows\system32\sc.exesc config edgeupdatem start= demand3⤵
- Launches sc.exe
PID:2644
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config MapsBroker start= demand2⤵PID:1644
-
C:\Windows\system32\sc.exesc config MapsBroker start= demand3⤵
- Launches sc.exe
PID:556
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config PnkBstrA start= demand2⤵PID:1364
-
C:\Windows\system32\sc.exesc config PnkBstrA start= demand3⤵
- Launches sc.exe
PID:2208
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config brave start= demand2⤵PID:264
-
C:\Windows\system32\sc.exesc config brave start= demand3⤵
- Launches sc.exe
PID:2120
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config bravem start= demand2⤵PID:2288
-
C:\Windows\system32\sc.exesc config bravem start= demand3⤵
- Launches sc.exe
PID:2564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config asus start= demand2⤵PID:2692
-
C:\Windows\system32\sc.exesc config asus start= demand3⤵
- Launches sc.exe
PID:2184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config asusm start= demand2⤵PID:1700
-
C:\Windows\system32\sc.exesc config asusm start= demand3⤵
- Launches sc.exe
PID:2196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config adobeupdateservice start= demand2⤵PID:1716
-
C:\Windows\system32\sc.exesc config adobeupdateservice start= demand3⤵
- Launches sc.exe
PID:2304
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config adobeflashplayerupdatesvc start= demand2⤵PID:3008
-
C:\Windows\system32\sc.exesc config adobeflashplayerupdatesvc start= demand3⤵
- Launches sc.exe
PID:1664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config WSearch start= demand2⤵PID:692
-
C:\Windows\system32\sc.exesc config WSearch start= demand3⤵
- Launches sc.exe
PID:1072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C sc config CCleanerPerformanceOptimizerService start= demand2⤵PID:1300
-
C:\Windows\system32\sc.exesc config CCleanerPerformanceOptimizerService start= demand3⤵
- Launches sc.exe
PID:1372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable && schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable && schtasks /Change /TN "Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvent" /Disable && schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable && schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable && schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable && schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable && schtasks /Change /TN "NIUpdateServiceStartupTask" /Disable && schtasks /Change /TN "CCleaner Update" /Disable && schtasks /Change /TN "CCleanerCrashReportings" /Disable && schtasks /Change /TN "CCleanerSkipUAC - $env:username" /Disable && schtasks /Change /TN "updater" /Disable && schtasks /Change /TN "Adobe Acrobat Update Task" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable && schtasks /Change /TN "MiniToolPartitionWizard" /Disable && schtasks /Change /TN "AMDLinkUpdate" /Disable && schtasks /Change /TN "Microsoft\Office\Office Automatic Updates 2.0" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates Logon" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineCore" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineUA" /Disable && schtasks /DELETE /TN "AMDInstallLauncher" /f && schtasks /DELETE /TN "AMDLinkUpdate" /f && schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f && schtasks /DELETE /TN "DUpdaterTask" /f && schtasks /DELETE /TN "ModifyLinkUpdate" /f2⤵
- Indicator Removal: Clear Persistence
PID:928 -
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable3⤵PID:576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /q %temp%\NVIDIA Corporation\NV_Cache\* && del /q %programdata%\NVIDIA Corporation\NV_Cache\*2⤵PID:980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f && REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v PreventHandwritingErrorReports /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowDeviceNameInTelemetry /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v HideRecentlyAddedApps /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v NoActiveHelp /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\StorageTelemetry" /v DeviceDumpEnabled /t REG_DWORD /d 0 /f && && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\17.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && sc stop VSStandardCollectorService150 && sc config VSStandardCollectorService150 start= disabled && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && cmd /c taskkill /f /im ccleaner.exe && cmd /c taskkill /f /im ccleaner64.exe && reg add "HKCU\Software\Piriform\CCleaner" /v "HomeScreen" /t REG_SZ /d 2 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f2⤵PID:604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C setx POWERSHELL_TELEMETRY_OPTOUT 12⤵PID:1824
-
C:\Windows\system32\setx.exesetx POWERSHELL_TELEMETRY_OPTOUT 13⤵PID:828
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\Tracing\WPPMedia" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\WPPMedia" /f2⤵PID:2988
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f3⤵PID:300
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f3⤵PID:3036
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f3⤵PID:564
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\Tracing\WPPMedia" /f3⤵PID:2472
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\WPPMedia" /f3⤵PID:2592
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f2⤵PID:1480
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f3⤵PID:2820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f2⤵PID:2932
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f3⤵
- Modifies registry key
PID:1152
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f2⤵PID:1268
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f3⤵PID:3048
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f3⤵PID:1468
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f3⤵PID:1240
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f3⤵PID:2080
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f2⤵PID:1648
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f3⤵PID:2272
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f3⤵PID:352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f2⤵PID:548
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f3⤵PID:2160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f2⤵PID:884
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f3⤵PID:2412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f2⤵PID:2144
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f3⤵PID:2076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f2⤵PID:2164
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f3⤵PID:872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f2⤵PID:2924
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f3⤵PID:2060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /t REG_DWORD /d 0 /f2⤵PID:2540
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /t REG_DWORD /d 0 /f3⤵PID:2612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f2⤵PID:2696
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d 1 /f3⤵PID:2380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v "HubsSidebarEnabled" /t REG_DWORD /d 0 /f2⤵PID:2920
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v "HubsSidebarEnabled" /t REG_DWORD /d 0 /f3⤵PID:2800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f2⤵PID:2808
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f3⤵PID:2372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f2⤵PID:2992
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d 1 /f3⤵PID:3068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f2⤵PID:2908
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f3⤵PID:864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f2⤵PID:1388
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsAI" /v "DisableAIDataAnalysis" /t REG_DWORD /d 1 /f3⤵PID:1988
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -Like '*Microsoft.Copilot*'} | Remove-AppxPackage -AllUsers -ErrorAction Continue2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f2⤵PID:1908
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f3⤵PID:1508
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f3⤵PID:2936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f && REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f && REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f2⤵PID:2644
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f3⤵PID:2000
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f3⤵PID:2188
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f3⤵PID:1344
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:1644
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:2968
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:680
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:2208
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:752
-
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f3⤵PID:900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f2⤵PID:812
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f3⤵PID:2024
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f2⤵PID:264
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f3⤵PID:1516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" / v "{2cc5ca98-6485-489a-920e-b3e88a6ccce3}" /t REG_DWORD /d 1 /f2⤵PID:1476
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" / v "{2cc5ca98-6485-489a-920e-b3e88a6ccce3}" /t REG_DWORD /d 1 /f3⤵PID:1856
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value $ram -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f2⤵PID:2784
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f3⤵PID:1692
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f3⤵PID:3008
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage *XboxGamingOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxGameOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:856
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /q "%temp%\NVIDIA Corporation\NV_Cache\*" && del /q "%programdata%\NVIDIA Corporation\NV_Cache\*"2⤵PID:576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-EventLog -LogName * | % { Clear-EventLog -LogName $_.Log }2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del /s /f /q "%userprofile%\Recent\*.*"2⤵PID:1568
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command erase /f /s /q "%systemdrive%\Windows\SoftwareDistribution\*.*"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Windows\SoftwareDistribution"2⤵PID:1288
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Microsoft\Windows\WebCache /F /Q /S2⤵PID:604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\logs /F /Q /S2⤵PID:828
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\webcache /F /Q /S2⤵PID:1548
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %appdata%\Microsoft\Teams\Cache /F /Q /S2⤵PID:3040
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Yarn\Cache /F /Q /S2⤵PID:376
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem.Out /F /Q /S2⤵PID:2472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem /F /Q /S2⤵PID:2244
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSRemoteControl /F /Q /S2⤵PID:2988
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackVSRTCLogs /F /Q /S2⤵PID:2820
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackPerfWatsonData /F /Q /S2⤵PID:1888
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFaultInfo /F /Q /S2⤵PID:1092
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %Temp%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:1152
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %ProgramData%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:3056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\Microsoft\VSApplicationInsights /F /Q /S2⤵PID:1468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %AppData%stelemetry2⤵PID:1240
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del /S /F /Q %windir%\Prefetch2⤵PID:776
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C %WinDir%\SysNative\ie4uinit.exe -show2⤵PID:2044
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C %WinDir%\System32\ie4uinit.exe -show2⤵PID:2372
-
C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -show3⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies Internet Explorer settings
- Modifies registry class
PID:316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\IconCache.db /F /Q /S2⤵PID:2636
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\Explorer\iconcache_*.db" /F /Q /S2⤵PID:2840
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q2⤵PID:2780
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q2⤵PID:556
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\.jrs" /F /Q2⤵PID:584
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.log" /F /Q2⤵PID:2708
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.chk" /F /Q2⤵PID:1684
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\DISM" /F /Q2⤵PID:2588
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs" /F /Q2⤵PID:1364
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\ScreenOn\*.etl" /F /Q2⤵PID:1984
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\*.etl" /F /Q2⤵PID:2956
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\ScreenOn\*.etl" /F /Q2⤵PID:2644
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\*.etl" /F /Q2⤵PID:2072
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\LogFiles\HTTPERR\*.*" /F /Q2⤵PID:1380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\WindowsBackup\*.etl" /F /Q2⤵PID:3024
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q2⤵PID:1536
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q2⤵PID:2928
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\PerfLogs\System\Diagnostics\*.*" /F /Q2⤵PID:2224
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\debug\WIA\*.log" /F /Q2⤵PID:2280
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.app.log" /F /Q2⤵PID:744
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.offline.log" /F /Q2⤵PID:2468
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FontCache3.0.0.02⤵PID:1608
-
C:\Windows\system32\net.exenet stop FontCache3.0.0.03⤵PID:2792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FontCache3.0.0.04⤵PID:2080
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop FontCache2⤵PID:2328
-
C:\Windows\system32\net.exenet stop FontCache3⤵PID:2800
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop FontCache4⤵PID:1780
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\LocalService\AppData\Local\FontCache\*.dat" /F /Q /S2⤵PID:880
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\FNTCACHE.DAT" /F /Q /S2⤵PID:2300
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\FNTCACHE.DAT" /F /Q /S2⤵PID:3056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net start FontCache2⤵PID:2540
-
C:\Windows\system32\net.exenet start FontCache3⤵PID:3012
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FontCache4⤵PID:2244
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net start FontCache3.0.0.02⤵PID:2144
-
C:\Windows\system32\net.exenet start FontCache3.0.0.03⤵PID:1920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start FontCache3.0.0.04⤵PID:928
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagwrn.xml" /F /Q2⤵PID:3044
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagerr.xml" /F /Q2⤵PID:2612
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\repair\setup.log" /F /Q2⤵PID:2996
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\DDACLSys.log" /F /Q2⤵PID:2472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\cbs.log" /F /Q2⤵PID:1604
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\WebCache\*.log" /F /Q2⤵PID:352
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\*.log" /F /Q2⤵PID:2060
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.log" /F /Q2⤵PID:2044
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DPX\*.log" /F /Q2⤵PID:1124
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.lo_" /F /Q2⤵PID:2808
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q2⤵PID:1140
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\APPLOG\*.*" /F /Q2⤵PID:2252
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log.txt" /F /Q2⤵PID:2908
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DISM\*.log" /F /Q2⤵PID:2672
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\setuplog.txt" /F /Q2⤵PID:1504
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\OEWABLog.txt" /F /Q2⤵PID:1912
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q2⤵PID:2768
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.bak" /F /Q2⤵PID:2624
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.log" /F /Q2⤵PID:980
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.bak" /F /Q2⤵PID:2008
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\*.log" /F /Q2⤵PID:3064
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.log" /F /Q2⤵PID:2936
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.old" /F /Q2⤵PID:1552
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log" /F /Q2⤵PID:1516
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SchedLgU.txt" /F /Q2⤵PID:1700
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Directx.log" /F /Q2⤵PID:680
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\*.log" /F /Q2⤵PID:1984
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C start cleanmgr.exe /sagerun:52⤵PID:572
-
C:\Windows\system32\cleanmgr.execleanmgr.exe /sagerun:53⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\E5FBF486-9620-44E5-8AEE-3594B80AC6A0\dismhost.exeC:\Users\Admin\AppData\Local\Temp\E5FBF486-9620-44E5-8AEE-3594B80AC6A0\dismhost.exe {BE4DB221-12A8-4F0C-8D88-393944855B7D}4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1348
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:900
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f3⤵PID:2452
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f3⤵PID:1368
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2828
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1984
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2956
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1532
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1700
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2224
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:984
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2424
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3032
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2792
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2328
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2104
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:1760
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2300
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2400
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1468
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:888
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1728
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3012
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:2212
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:1268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:2016
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:2572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:1592
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵PID:2736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f2⤵PID:1248
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f3⤵PID:2160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:2772
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f3⤵PID:2348
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f2⤵PID:1548
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f3⤵PID:1300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:1040
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:3052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)2⤵PID:2928
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f2⤵PID:2372
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2204
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f2⤵PID:2924
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f3⤵PID:352
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:2936
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f3⤵PID:2724
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f2⤵PID:2680
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f3⤵PID:1996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f2⤵PID:2652
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f3⤵PID:1140
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:2024
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵PID:2472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f2⤵PID:2288
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f3⤵PID:2060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f2⤵PID:2996
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f3⤵PID:1524
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:2908
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f3⤵PID:820
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:2712
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:1128
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:2660
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:2184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2588
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1552
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:1432
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:2196
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:2436
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1364
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:2944
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:2028
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:2452
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:692
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1712
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:3032
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f2⤵PID:1608
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:576
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:2492
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2012
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:2440
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1812
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:976
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1476
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:1468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2512
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:888
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1480
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:3060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1728
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2528
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2212
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:2016
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg -hibernate off2⤵
- Power Settings
PID:316 -
C:\Windows\system32\powercfg.exepowercfg -hibernate off3⤵
- Power Settings
PID:1508
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f2⤵PID:1912
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f3⤵PID:1124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f2⤵PID:3068
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f3⤵PID:2640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" /f2⤵PID:2968
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f3⤵PID:2848
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f3⤵PID:1888
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:2288
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:2768
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f3⤵PID:2708
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:2992
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f3⤵PID:1688
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f3⤵PID:2996
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f3⤵PID:1964
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f3⤵PID:820
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f3⤵PID:2376
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f3⤵PID:1504
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f3⤵PID:2780
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f3⤵PID:1128
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f3⤵PID:2624
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f3⤵PID:2336
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f3⤵PID:2564
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f2⤵PID:2184
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f3⤵PID:2644
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f3⤵PID:1716
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f3⤵PID:980
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f3⤵PID:2308
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f3⤵PID:2200
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED2⤵PID:1516
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED3⤵PID:2188
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop wsearch /y2⤵PID:2828
-
C:\Windows\system32\net.exenet stop wsearch /y3⤵PID:2824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wsearch /y4⤵PID:572
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C esentutl /d %programdata%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb2⤵PID:2840
-
C:\Windows\system32\esentutl.exeesentutl /d C:\ProgramData\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb3⤵PID:1492
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net start wsearch2⤵PID:1108
-
C:\Windows\system32\net.exenet start wsearch3⤵PID:2468
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start wsearch4⤵PID:692
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-Volume | Optimize-Volume -defrag -ReTrim2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $RemoveAppPkgs = (Get-AppxPackage -AllUsers).Name; $whitelistapps = @('Microsoft.MicrosoftOfficeHub','Microsoft.Office.OneNote','Microsoft.WindowsAlarms','Microsoft.WindowsCalculator','Microsoft.WindowsCamera','microsoft.windowscommunicationsapps','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.0','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.0','Microsoft.WindowsAppRuntime.1.3','Microsoft.NET.Native.Framework.1.7','MicrosoftWindows.Client.Core','Microsoft.LockApp','Microsoft.ECApp','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.Search','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.SecHealthUI','Microsoft.SecHealthUI','Microsoft.WindowsAppRuntime.CBS','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.120.00.UWPDesktop','Microsoft.VCLibs.110.00.UWPDesktop','Microsoft.DirectXRuntime','Microsoft.XboxGameOverlay','Microsoft.XboxGamingOverlay','Microsoft.GamingApp','Microsoft.GamingServices','Microsoft.XboxIdentityProvider','Microsoft.Xbox.TCUI','Microsoft.AccountsControl','Microsoft.WindowsStore','Microsoft.StorePurchaseApp','Microsoft.VP9VideoExtensions','Microsoft.RawImageExtension','Microsoft.HEIFImageExtension','Microsoft.HEIFImageExtension','Microsoft.WebMediaExtensions','RealtekSemiconductorCorp.RealtekAudioControl','Microsoft.MicrosoftEdge','Microsoft.MicrosoftEdge.Stable','MicrosoftWindows.Client.FileExp','NVIDIACorp.NVIDIAControlPanel','AppUp.IntelGraphicsExperience','Microsoft.Paint','Microsoft.Messaging','Microsoft.AsyncTextService','Microsoft.CredDialogHost','Microsoft.Win32WebViewHost','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.SecondaryTileExperience','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','Windows.MiracastView','Windows.ContactSupport','Windows.PrintDialog','c5e2524a-ea46-4f67-841f-6a9465d9d515','windows.immersivecontrolpanel','WinRAR.ShellExtension','Microsoft.WindowsNotepad','MicrosoftWindows.Client.WebExperience','Microsoft.ZuneMusic','Microsoft.ZuneVideo','Microsoft.OutlookForWindows','MicrosoftWindows.Ai.Copilot.Provider','Microsoft.WindowsTerminal','Microsoft.Windows.Terminal','WindowsTerminal','Microsoft.Winget.Source','Microsoft.DesktopAppInstaller','Microsoft.Services.Store.Engagement','Microsoft.HEVCVideoExtension','Microsoft.WebpImageExtension','MicrosoftWindows.CrossDevice','NotepadPlusPlus','MicrosoftCorporationII.WinAppRuntime.Main.1.5','Microsoft.WindowsAppRuntime.1.5','MicrosoftCorporationII.WinAppRuntime.Singleton','Microsoft.WindowsSoundRecorder','MicrosoftCorporationII.WinAppRuntime.Main.1.4','MicrosoftWindows.Client.LKG','MicrosoftWindows.Client.CBS','Microsoft.VCLibs.140.00','Microsoft.Windows.CloudExperienceHost','SpotifyAB.SpotifyMusic','Microsoft.SkypeApp','5319275A.WhatsAppDesktop','FACEBOOK.317180B0BB486','TelegramMessengerLLP.TelegramDesktop','4DF9E0F8.Netflix','Discord','Paint','mspaint','Microsoft.Windows.Paint','Microsoft.MicrosoftEdge.Stable','1527c705-839a-4832-9118-54d4Bd6a0c89','c5e2524a-ea46-4f67-841f-6a9465d9d515','E2A4F912-2574-4A75-9BB0-0D023378592B','F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE','Microsoft.AAD.BrokerPlugin','Microsoft.AccountsControl','Microsoft.AsyncTextService','Microsoft.BioEnrollment','Microsoft.CredDialogHost','Microsoft.ECApp','Microsoft.LockApp','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.UI.Xaml.CBS','Microsoft.Win32WebViewHost','Microsoft.Windows.Apprep.ChxApp','Microsoft.Windows.AssignedAccessLockApp','Microsoft.Windows.CapturePicker','Microsoft.Windows.CloudExperienceHost','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.NarratorQuickStart','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.ParentalControls','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.PrintQueueActionCenter','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.Client.AIX','MicrosoftWindows.Client.FileExp','MicrosoftWindows.Client.OOBE','MicrosoftWindows.LKG.Search','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','windows.immersivecontrolpanel','Windows.PrintDialog','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.SecHealthUI','Microsoft.Services.Store.Engagement','Microsoft.UI.Xaml.2.8','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.140.00','Microsoft.VCLibs.140.00','Microsoft.WindowsAppRuntime.1.3','Microsoft.WindowsCamera','Microsoft.XboxIdentityProvider','Microsoft.ZuneMusic','RealtekSemiconductorCorp.RealtekAudioControl','DolbyLaboratories.DolbyAudioPremium','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.0','AppUp.IntelGraphicsExperience','Microsoft.NET.Native.Runtime.2.0','Microsoft.Windows.AugLoop.CBS','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.WindowsAppRuntime.CBS.1.6','Microsoft.WindowsAppRuntime.CBS','MicrosoftWindows.Client.CBS','MicrosoftWindows.Client.Core','MicrosoftWindows.Client.Photon','MicrosoftWindows.LKG.AccountsService','MicrosoftWindows.LKG.DesktopSpotlight','MicrosoftWindows.LKG.IrisService','MicrosoftWindows.LKG.RulesEngine','MicrosoftWindows.LKG.SpeechRuntime','MicrosoftWindows.LKG.TwinSxS','Microsoft.VCLibs.140.00','Microsoft.Copilot','Microsoft.OneDriveSync','Microsoft.OutlookForWindows','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.WindowsAppRuntime.1.5','Microsoft.WindowsAppRuntime.1.5','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.Windows.DevHome','Microsoft.UI.Xaml.2.8','Microsoft.Paint','MicrosoftWindows.Client.WebExperience','Microsoft.WindowsStore','Microsoft.WindowsNotepad','Microsoft.WidgetsPlatformRuntime','Microsoft.Xbox.TCUI','Microsoft.WebpImageExtension','Microsoft.WebMediaExtensions','Microsoft.RawImageExtension','Microsoft.HEVCVideoExtension','Microsoft.HEIFImageExtension','Microsoft.WindowsTerminal','Microsoft.DesktopAppInstaller','Microsoft.StartExperiencesApp','Microsoft.StorePurchaseApp','Microsoft.GamingApp','Microsoft.VP9VideoExtensions','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.7','Microsoft.XboxGamingOverlay','Microsoft.WindowsCalculator','Microsoft.WindowsSoundRecorder','Microsoft.WindowsAlarms','Microsoft.MicrosoftOfficeHub','Microsoft.WindowsAppRuntime.1.6','Microsoft.WindowsAppRuntime.1.6','MicrosoftWindows.CrossDevice'); ForEach($TargetApp in $RemoveAppPkgs){ If( $whitelistapps -notcontains $TargetApp) { Get-AppxPackage -Name $TargetApp -AllUsers | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue; Get-AppXProvisionedPackage -Online | Where-Object DisplayName -EQ $TargetApp | Remove-AppxProvisionedPackage -Online }}2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MTPW" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CiscoMeetingDaemon" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Smart Cleaning" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Monitor" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Spotify Web Helper" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Gaijin.Net Updater" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "com.squirrel.Teams.Teams" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "BitTorrent Bleep" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "adobeAAMUpdater-1.0" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "AdobeAAMUpdater" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "iTunesHelper" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdatePPShortCut" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Opera Browser Assistant" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Steam" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EADM" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EpicGamesLauncher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GogGalaxy" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype for Desktop" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Wargaming.net Game Center" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ut" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Lync" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Google Chrome" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Microsoft Edge" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_E9C49D8E9BDC4095F482C844743B9E82" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_D3AB3F7FBB44621987441AECEC1156AD" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Edge Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_31CF12C7FD715D87B15C2DF57BBF8D3E" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Discord" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Ubisoft Game Launcher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "com.blitz.app" /f2⤵PID:1784
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f3⤵PID:812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f2⤵PID:1808
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f3⤵PID:2920
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f2⤵PID:884
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f3⤵PID:2272
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵PID:2700
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:2168
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f2⤵PID:684
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f3⤵PID:2288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f2⤵PID:2768
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f3⤵PID:1688
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f2⤵PID:2996
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f3⤵
- Modifies visibility of file extensions in Explorer
PID:2376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f2⤵PID:2648
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f3⤵PID:2712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:680
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f3⤵PID:2024
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f3⤵PID:628
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2792
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2084
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2312
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:3056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1276
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1480
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2836
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:692
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2468
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2148
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2500
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2372
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1372
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:2704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:1568
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:2924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2256
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2380
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1668
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2784
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2120
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:1824
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:2700
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:2640
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:2848
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵PID:2768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f2⤵PID:2708
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f3⤵PID:2996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:1964
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f3⤵PID:2648
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f2⤵PID:2304
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f3⤵PID:1840
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:2968
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:2000
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)2⤵PID:2200
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f2⤵PID:1532
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f2⤵PID:572
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f3⤵PID:2196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:1076
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f3⤵PID:2072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f2⤵PID:2840
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f3⤵PID:1504
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f2⤵PID:1816
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f3⤵PID:2632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:960
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵PID:1628
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f2⤵PID:2904
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f3⤵PID:1272
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f2⤵PID:2432
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f3⤵PID:2104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:2440
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f3⤵PID:2792
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:1476
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:2864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:2664
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:3028
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:3060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1092
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:1468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:1108
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:2944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:2728
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:2900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:352
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:2772
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1972
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:2924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1568
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:1184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f2⤵PID:2716
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:2844
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:2752
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2936
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:2680
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2144
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:3068
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2160
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:2060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2640
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1524
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2848
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2708
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1128
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2624
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:2692
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2660
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg -hibernate off2⤵
- Power Settings
PID:576 -
C:\Windows\system32\powercfg.exepowercfg -hibernate off3⤵
- Power Settings
PID:2192
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f2⤵PID:976
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f3⤵PID:2988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f2⤵PID:2084
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f3⤵PID:2512
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" /f2⤵PID:3056
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f3⤵PID:2244
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f3⤵PID:300
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:1048
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:1468
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f3⤵PID:984
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:1268
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f3⤵PID:1700
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f3⤵PID:900
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f3⤵PID:2468
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f3⤵PID:1108
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f3⤵PID:2148
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f3⤵PID:2672
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f3⤵PID:2900
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f3⤵PID:2124
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f3⤵PID:1980
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f3⤵PID:2872
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f3⤵PID:2704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f2⤵PID:556
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f3⤵PID:1796
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f3⤵PID:2924
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f3⤵PID:2348
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f3⤵PID:2928
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f3⤵PID:1484
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED2⤵PID:2612
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED3⤵PID:1684
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop wsearch /y2⤵PID:2844
-
C:\Windows\system32\net.exenet stop wsearch /y3⤵PID:1808
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wsearch /y4⤵PID:316
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C esentutl /d %programdata%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb2⤵PID:1688
-
C:\Windows\system32\esentutl.exeesentutl /d C:\ProgramData\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb3⤵PID:2640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net start wsearch2⤵PID:2460
-
C:\Windows\system32\net.exenet start wsearch3⤵PID:2516
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start wsearch4⤵PID:1964
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-Volume | Optimize-Volume -defrag -ReTrim2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2084
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $RemoveAppPkgs = (Get-AppxPackage -AllUsers).Name; $whitelistapps = @('Microsoft.MicrosoftOfficeHub','Microsoft.Office.OneNote','Microsoft.WindowsAlarms','Microsoft.WindowsCalculator','Microsoft.WindowsCamera','microsoft.windowscommunicationsapps','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.0','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.0','Microsoft.WindowsAppRuntime.1.3','Microsoft.NET.Native.Framework.1.7','MicrosoftWindows.Client.Core','Microsoft.LockApp','Microsoft.ECApp','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.Search','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.SecHealthUI','Microsoft.SecHealthUI','Microsoft.WindowsAppRuntime.CBS','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.120.00.UWPDesktop','Microsoft.VCLibs.110.00.UWPDesktop','Microsoft.DirectXRuntime','Microsoft.XboxGameOverlay','Microsoft.XboxGamingOverlay','Microsoft.GamingApp','Microsoft.GamingServices','Microsoft.XboxIdentityProvider','Microsoft.Xbox.TCUI','Microsoft.AccountsControl','Microsoft.WindowsStore','Microsoft.StorePurchaseApp','Microsoft.VP9VideoExtensions','Microsoft.RawImageExtension','Microsoft.HEIFImageExtension','Microsoft.HEIFImageExtension','Microsoft.WebMediaExtensions','RealtekSemiconductorCorp.RealtekAudioControl','Microsoft.MicrosoftEdge','Microsoft.MicrosoftEdge.Stable','MicrosoftWindows.Client.FileExp','NVIDIACorp.NVIDIAControlPanel','AppUp.IntelGraphicsExperience','Microsoft.Paint','Microsoft.Messaging','Microsoft.AsyncTextService','Microsoft.CredDialogHost','Microsoft.Win32WebViewHost','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.SecondaryTileExperience','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','Windows.MiracastView','Windows.ContactSupport','Windows.PrintDialog','c5e2524a-ea46-4f67-841f-6a9465d9d515','windows.immersivecontrolpanel','WinRAR.ShellExtension','Microsoft.WindowsNotepad','MicrosoftWindows.Client.WebExperience','Microsoft.ZuneMusic','Microsoft.ZuneVideo','Microsoft.OutlookForWindows','MicrosoftWindows.Ai.Copilot.Provider','Microsoft.WindowsTerminal','Microsoft.Windows.Terminal','WindowsTerminal','Microsoft.Winget.Source','Microsoft.DesktopAppInstaller','Microsoft.Services.Store.Engagement','Microsoft.HEVCVideoExtension','Microsoft.WebpImageExtension','MicrosoftWindows.CrossDevice','NotepadPlusPlus','MicrosoftCorporationII.WinAppRuntime.Main.1.5','Microsoft.WindowsAppRuntime.1.5','MicrosoftCorporationII.WinAppRuntime.Singleton','Microsoft.WindowsSoundRecorder','MicrosoftCorporationII.WinAppRuntime.Main.1.4','MicrosoftWindows.Client.LKG','MicrosoftWindows.Client.CBS','Microsoft.VCLibs.140.00','Microsoft.Windows.CloudExperienceHost','SpotifyAB.SpotifyMusic','Microsoft.SkypeApp','5319275A.WhatsAppDesktop','FACEBOOK.317180B0BB486','TelegramMessengerLLP.TelegramDesktop','4DF9E0F8.Netflix','Discord','Paint','mspaint','Microsoft.Windows.Paint','Microsoft.MicrosoftEdge.Stable','1527c705-839a-4832-9118-54d4Bd6a0c89','c5e2524a-ea46-4f67-841f-6a9465d9d515','E2A4F912-2574-4A75-9BB0-0D023378592B','F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE','Microsoft.AAD.BrokerPlugin','Microsoft.AccountsControl','Microsoft.AsyncTextService','Microsoft.BioEnrollment','Microsoft.CredDialogHost','Microsoft.ECApp','Microsoft.LockApp','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.UI.Xaml.CBS','Microsoft.Win32WebViewHost','Microsoft.Windows.Apprep.ChxApp','Microsoft.Windows.AssignedAccessLockApp','Microsoft.Windows.CapturePicker','Microsoft.Windows.CloudExperienceHost','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.NarratorQuickStart','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.ParentalControls','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.PrintQueueActionCenter','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.Client.AIX','MicrosoftWindows.Client.FileExp','MicrosoftWindows.Client.OOBE','MicrosoftWindows.LKG.Search','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','windows.immersivecontrolpanel','Windows.PrintDialog','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.SecHealthUI','Microsoft.Services.Store.Engagement','Microsoft.UI.Xaml.2.8','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.140.00','Microsoft.VCLibs.140.00','Microsoft.WindowsAppRuntime.1.3','Microsoft.WindowsCamera','Microsoft.XboxIdentityProvider','Microsoft.ZuneMusic','RealtekSemiconductorCorp.RealtekAudioControl','DolbyLaboratories.DolbyAudioPremium','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.0','AppUp.IntelGraphicsExperience','Microsoft.NET.Native.Runtime.2.0','Microsoft.Windows.AugLoop.CBS','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.WindowsAppRuntime.CBS.1.6','Microsoft.WindowsAppRuntime.CBS','MicrosoftWindows.Client.CBS','MicrosoftWindows.Client.Core','MicrosoftWindows.Client.Photon','MicrosoftWindows.LKG.AccountsService','MicrosoftWindows.LKG.DesktopSpotlight','MicrosoftWindows.LKG.IrisService','MicrosoftWindows.LKG.RulesEngine','MicrosoftWindows.LKG.SpeechRuntime','MicrosoftWindows.LKG.TwinSxS','Microsoft.VCLibs.140.00','Microsoft.Copilot','Microsoft.OneDriveSync','Microsoft.OutlookForWindows','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.WindowsAppRuntime.1.5','Microsoft.WindowsAppRuntime.1.5','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.Windows.DevHome','Microsoft.UI.Xaml.2.8','Microsoft.Paint','MicrosoftWindows.Client.WebExperience','Microsoft.WindowsStore','Microsoft.WindowsNotepad','Microsoft.WidgetsPlatformRuntime','Microsoft.Xbox.TCUI','Microsoft.WebpImageExtension','Microsoft.WebMediaExtensions','Microsoft.RawImageExtension','Microsoft.HEVCVideoExtension','Microsoft.HEIFImageExtension','Microsoft.WindowsTerminal','Microsoft.DesktopAppInstaller','Microsoft.StartExperiencesApp','Microsoft.StorePurchaseApp','Microsoft.GamingApp','Microsoft.VP9VideoExtensions','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.7','Microsoft.XboxGamingOverlay','Microsoft.WindowsCalculator','Microsoft.WindowsSoundRecorder','Microsoft.WindowsAlarms','Microsoft.MicrosoftOfficeHub','Microsoft.WindowsAppRuntime.1.6','Microsoft.WindowsAppRuntime.1.6','MicrosoftWindows.CrossDevice'); ForEach($TargetApp in $RemoveAppPkgs){ If( $whitelistapps -notcontains $TargetApp) { Get-AppxPackage -Name $TargetApp -AllUsers | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue; Get-AppXProvisionedPackage -Online | Where-Object DisplayName -EQ $TargetApp | Remove-AppxProvisionedPackage -Online }}2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2656
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MTPW" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CiscoMeetingDaemon" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Smart Cleaning" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Monitor" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Spotify Web Helper" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Gaijin.Net Updater" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "com.squirrel.Teams.Teams" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "BitTorrent Bleep" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "adobeAAMUpdater-1.0" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "AdobeAAMUpdater" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "iTunesHelper" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdatePPShortCut" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Opera Browser Assistant" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Steam" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EADM" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EpicGamesLauncher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GogGalaxy" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype for Desktop" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Wargaming.net Game Center" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ut" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Lync" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Google Chrome" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Microsoft Edge" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_E9C49D8E9BDC4095F482C844743B9E82" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_D3AB3F7FBB44621987441AECEC1156AD" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Edge Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_31CF12C7FD715D87B15C2DF57BBF8D3E" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Discord" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Ubisoft Game Launcher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "com.blitz.app" /f2⤵PID:2348
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f3⤵PID:1312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f2⤵PID:1572
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f3⤵PID:156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f2⤵PID:2612
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f3⤵PID:776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵PID:812
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:1248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f2⤵PID:888
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f3⤵PID:2752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f2⤵PID:2316
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f3⤵PID:1912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f2⤵PID:1140
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f3⤵
- Modifies visibility of file extensions in Explorer
PID:2144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f2⤵PID:1424
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f3⤵PID:2652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:2168
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f3⤵PID:1728
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f3⤵PID:1780
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1356
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1716
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3048
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:376
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:3040
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2864
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2516
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2496
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1268
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1700
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1092
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2944
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1696
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:768
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:2772
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:1972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2976
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2500
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1484
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1684
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:2636
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:1248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:1644
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:2752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:2736
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵PID:1912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f2⤵PID:1124
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f3⤵PID:2144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:2700
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f3⤵PID:2652
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f2⤵PID:1424
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f3⤵PID:2932
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:2572
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:2488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)2⤵PID:2548
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f2⤵PID:2256
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f2⤵PID:2432
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f3⤵PID:316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:2160
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f3⤵PID:2156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f2⤵PID:2568
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f3⤵PID:584
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f2⤵PID:2896
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f3⤵PID:1612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:2692
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵PID:1376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f2⤵PID:1748
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f3⤵PID:1364
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f2⤵PID:2072
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f3⤵PID:1640
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:2436
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f3⤵PID:2308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:2336
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:2904
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:1516
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:1356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2440
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:2104
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2988
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:3048
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:620
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:376
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:2516
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:2996
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:2992
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:1560
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:2412
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:2468
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:1048
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:2872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f2⤵PID:900
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:1972
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:3056
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:2924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:3060
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:1312
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:444
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:156
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:2928
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:776
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:288
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1248
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2380
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1308
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:884
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:2144
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2472
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C powercfg -hibernate off2⤵
- Power Settings
PID:1376 -
C:\Windows\system32\powercfg.exepowercfg -hibernate off3⤵
- Power Settings
PID:2780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f2⤵PID:1364
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /d "0" /t REG_DWORD /f3⤵PID:2632
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f2⤵PID:1640
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v UxOption /t REG_DWORD /d 1 /f3⤵PID:1292
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f && reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\SuggestedApps" /f2⤵PID:2308
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d 1 /f3⤵PID:880
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d 0 /f3⤵PID:1708
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:856
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:2336
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d 0 /f3⤵PID:564
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d 0 /f3⤵PID:744
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "FeatureManagementEnabled" /t REG_DWORD /d 0 /f3⤵PID:980
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d 0 /f3⤵PID:1516
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RemediationRequired" /t REG_DWORD /d 0 /f3⤵PID:3036
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d 0 /f3⤵PID:1716
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f3⤵PID:2592
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f3⤵PID:2440
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f3⤵PID:976
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f3⤵PID:2400
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f3⤵PID:2192
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\PushToInstall" /v "DisablePushToInstall" /t REG_DWORD /d "1" /f3⤵PID:2988
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Subscriptions" /f3⤵PID:2848
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f2⤵PID:376
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d 0 /f3⤵PID:2512
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d 0 /f3⤵PID:1648
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenEnabled" /t REG_DWORD /d 0 /f3⤵PID:2864
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d 0 /f3⤵PID:2516
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f3⤵PID:1964
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED2⤵PID:1108
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /RL LIMITED3⤵PID:2496
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net stop wsearch /y2⤵PID:3028
-
C:\Windows\system32\net.exenet stop wsearch /y3⤵PID:2528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop wsearch /y4⤵PID:300
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C esentutl /d %programdata%\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb2⤵PID:156
-
C:\Windows\system32\esentutl.exeesentutl /d C:\ProgramData\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb3⤵PID:2816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C net start wsearch2⤵PID:776
-
C:\Windows\system32\net.exenet start wsearch3⤵PID:556
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start wsearch4⤵PID:1248
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-Volume | Optimize-Volume -defrag -ReTrim2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $RemoveAppPkgs = (Get-AppxPackage -AllUsers).Name; $whitelistapps = @('Microsoft.MicrosoftOfficeHub','Microsoft.Office.OneNote','Microsoft.WindowsAlarms','Microsoft.WindowsCalculator','Microsoft.WindowsCamera','microsoft.windowscommunicationsapps','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.0','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.0','Microsoft.WindowsAppRuntime.1.3','Microsoft.NET.Native.Framework.1.7','MicrosoftWindows.Client.Core','Microsoft.LockApp','Microsoft.ECApp','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.Search','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.SecHealthUI','Microsoft.SecHealthUI','Microsoft.WindowsAppRuntime.CBS','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.120.00.UWPDesktop','Microsoft.VCLibs.110.00.UWPDesktop','Microsoft.DirectXRuntime','Microsoft.XboxGameOverlay','Microsoft.XboxGamingOverlay','Microsoft.GamingApp','Microsoft.GamingServices','Microsoft.XboxIdentityProvider','Microsoft.Xbox.TCUI','Microsoft.AccountsControl','Microsoft.WindowsStore','Microsoft.StorePurchaseApp','Microsoft.VP9VideoExtensions','Microsoft.RawImageExtension','Microsoft.HEIFImageExtension','Microsoft.HEIFImageExtension','Microsoft.WebMediaExtensions','RealtekSemiconductorCorp.RealtekAudioControl','Microsoft.MicrosoftEdge','Microsoft.MicrosoftEdge.Stable','MicrosoftWindows.Client.FileExp','NVIDIACorp.NVIDIAControlPanel','AppUp.IntelGraphicsExperience','Microsoft.Paint','Microsoft.Messaging','Microsoft.AsyncTextService','Microsoft.CredDialogHost','Microsoft.Win32WebViewHost','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.SecondaryTileExperience','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','Windows.MiracastView','Windows.ContactSupport','Windows.PrintDialog','c5e2524a-ea46-4f67-841f-6a9465d9d515','windows.immersivecontrolpanel','WinRAR.ShellExtension','Microsoft.WindowsNotepad','MicrosoftWindows.Client.WebExperience','Microsoft.ZuneMusic','Microsoft.ZuneVideo','Microsoft.OutlookForWindows','MicrosoftWindows.Ai.Copilot.Provider','Microsoft.WindowsTerminal','Microsoft.Windows.Terminal','WindowsTerminal','Microsoft.Winget.Source','Microsoft.DesktopAppInstaller','Microsoft.Services.Store.Engagement','Microsoft.HEVCVideoExtension','Microsoft.WebpImageExtension','MicrosoftWindows.CrossDevice','NotepadPlusPlus','MicrosoftCorporationII.WinAppRuntime.Main.1.5','Microsoft.WindowsAppRuntime.1.5','MicrosoftCorporationII.WinAppRuntime.Singleton','Microsoft.WindowsSoundRecorder','MicrosoftCorporationII.WinAppRuntime.Main.1.4','MicrosoftWindows.Client.LKG','MicrosoftWindows.Client.CBS','Microsoft.VCLibs.140.00','Microsoft.Windows.CloudExperienceHost','SpotifyAB.SpotifyMusic','Microsoft.SkypeApp','5319275A.WhatsAppDesktop','FACEBOOK.317180B0BB486','TelegramMessengerLLP.TelegramDesktop','4DF9E0F8.Netflix','Discord','Paint','mspaint','Microsoft.Windows.Paint','Microsoft.MicrosoftEdge.Stable','1527c705-839a-4832-9118-54d4Bd6a0c89','c5e2524a-ea46-4f67-841f-6a9465d9d515','E2A4F912-2574-4A75-9BB0-0D023378592B','F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE','Microsoft.AAD.BrokerPlugin','Microsoft.AccountsControl','Microsoft.AsyncTextService','Microsoft.BioEnrollment','Microsoft.CredDialogHost','Microsoft.ECApp','Microsoft.LockApp','Microsoft.MicrosoftEdgeDevToolsClient','Microsoft.UI.Xaml.CBS','Microsoft.Win32WebViewHost','Microsoft.Windows.Apprep.ChxApp','Microsoft.Windows.AssignedAccessLockApp','Microsoft.Windows.CapturePicker','Microsoft.Windows.CloudExperienceHost','Microsoft.Windows.ContentDeliveryManager','Microsoft.Windows.NarratorQuickStart','Microsoft.Windows.OOBENetworkCaptivePortal','Microsoft.Windows.OOBENetworkConnectionFlow','Microsoft.Windows.ParentalControls','Microsoft.Windows.PeopleExperienceHost','Microsoft.Windows.PinningConfirmationDialog','Microsoft.Windows.PrintQueueActionCenter','Microsoft.Windows.SecureAssessmentBrowser','Microsoft.Windows.XGpuEjectDialog','Microsoft.XboxGameCallableUI','MicrosoftWindows.Client.AIX','MicrosoftWindows.Client.FileExp','MicrosoftWindows.Client.OOBE','MicrosoftWindows.LKG.Search','MicrosoftWindows.UndockedDevKit','NcsiUwpApp','Windows.CBSPreview','windows.immersivecontrolpanel','Windows.PrintDialog','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Framework.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.NET.Native.Runtime.2.2','Microsoft.SecHealthUI','Microsoft.Services.Store.Engagement','Microsoft.UI.Xaml.2.8','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.VCLibs.140.00','Microsoft.VCLibs.140.00','Microsoft.WindowsAppRuntime.1.3','Microsoft.WindowsCamera','Microsoft.XboxIdentityProvider','Microsoft.ZuneMusic','RealtekSemiconductorCorp.RealtekAudioControl','DolbyLaboratories.DolbyAudioPremium','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Framework.2.0','Microsoft.NET.Native.Runtime.2.0','AppUp.IntelGraphicsExperience','Microsoft.NET.Native.Runtime.2.0','Microsoft.Windows.AugLoop.CBS','Microsoft.Windows.ShellExperienceHost','Microsoft.Windows.StartMenuExperienceHost','Microsoft.WindowsAppRuntime.CBS.1.6','Microsoft.WindowsAppRuntime.CBS','MicrosoftWindows.Client.CBS','MicrosoftWindows.Client.Core','MicrosoftWindows.Client.Photon','MicrosoftWindows.LKG.AccountsService','MicrosoftWindows.LKG.DesktopSpotlight','MicrosoftWindows.LKG.IrisService','MicrosoftWindows.LKG.RulesEngine','MicrosoftWindows.LKG.SpeechRuntime','MicrosoftWindows.LKG.TwinSxS','Microsoft.VCLibs.140.00','Microsoft.Copilot','Microsoft.OneDriveSync','Microsoft.OutlookForWindows','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.WindowsAppRuntime.1.5','Microsoft.WindowsAppRuntime.1.5','Microsoft.VCLibs.140.00.UWPDesktop','Microsoft.Windows.DevHome','Microsoft.UI.Xaml.2.8','Microsoft.Paint','MicrosoftWindows.Client.WebExperience','Microsoft.WindowsStore','Microsoft.WindowsNotepad','Microsoft.WidgetsPlatformRuntime','Microsoft.Xbox.TCUI','Microsoft.WebpImageExtension','Microsoft.WebMediaExtensions','Microsoft.RawImageExtension','Microsoft.HEVCVideoExtension','Microsoft.HEIFImageExtension','Microsoft.WindowsTerminal','Microsoft.DesktopAppInstaller','Microsoft.StartExperiencesApp','Microsoft.StorePurchaseApp','Microsoft.GamingApp','Microsoft.VP9VideoExtensions','Microsoft.UI.Xaml.2.7','Microsoft.UI.Xaml.2.7','Microsoft.XboxGamingOverlay','Microsoft.WindowsCalculator','Microsoft.WindowsSoundRecorder','Microsoft.WindowsAlarms','Microsoft.MicrosoftOfficeHub','Microsoft.WindowsAppRuntime.1.6','Microsoft.WindowsAppRuntime.1.6','MicrosoftWindows.CrossDevice'); ForEach($TargetApp in $RemoveAppPkgs){ If( $whitelistapps -notcontains $TargetApp) { Get-AppxPackage -Name $TargetApp -AllUsers | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue; Get-AppXProvisionedPackage -Online | Where-Object DisplayName -EQ $TargetApp | Remove-AppxProvisionedPackage -Online }}2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MTPW" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "TeamsMachineInstaller" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CiscoMeetingDaemon" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Reader Speed Launcher" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Smart Cleaning" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CCleaner Monitor" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Spotify Web Helper" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Gaijin.Net Updater" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "com.squirrel.Teams.Teams" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Google Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "BitTorrent Bleep" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "adobeAAMUpdater-1.0" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "AdobeAAMUpdater" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "iTunesHelper" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdatePPShortCut" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Wondershare Helper Compact" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cisco AnyConnect Secure Mobility Agent for Windows" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Opera Browser Assistant" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Steam" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EADM" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EpicGamesLauncher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GogGalaxy" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Skype for Desktop" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Wargaming.net Game Center" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ut" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Lync" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Google Chrome" /f && reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "Microsoft Edge" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_E9C49D8E9BDC4095F482C844743B9E82" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_D3AB3F7FBB44621987441AECEC1156AD" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft Edge Update" /f && reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "MicrosoftEdgeAutoLaunch_31CF12C7FD715D87B15C2DF57BBF8D3E" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Discord" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Ubisoft Game Launcher" /f && reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "com.blitz.app" /f2⤵PID:2632
-
C:\Windows\system32\reg.exereg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" /v "SunJavaUpdateSched" /f3⤵PID:2072
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f2⤵PID:1292
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f3⤵PID:2436
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f2⤵PID:2904
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f3⤵PID:1536
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f2⤵PID:1356
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:2196
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f2⤵PID:2104
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f3⤵PID:576
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f2⤵PID:3048
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f3⤵PID:2664
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f2⤵PID:2024
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f3⤵
- Modifies visibility of file extensions in Explorer
PID:1492
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f2⤵PID:1812
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f3⤵PID:2864
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵PID:2516
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f3⤵PID:1476
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f3⤵PID:2368
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1504
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1348
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2784
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2256
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1872
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:300
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2528
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2816
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2928
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:800
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1912
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:812
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:2144
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2316
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1780
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2936
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:2324
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:3044
-
C:\Windows\system32\reg.exereg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:1740
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1744
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1668
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:748
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2160
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:1604
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:684
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2916
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:2768
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender DisableAntiSpyware settings
PID:752
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f2⤵PID:1612
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:2472
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f2⤵PID:1688
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵PID:2488
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f2⤵PID:2700
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f3⤵PID:1076
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f2⤵PID:2632
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f3⤵PID:1816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f2⤵PID:1292
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates" /v "ForceUpdateFromMU" /t REG_DWORD /d "1" /f3⤵PID:2884
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f2⤵PID:2904
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵PID:1356
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)2⤵PID:652
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f2⤵PID:2104
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f3⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1760
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f2⤵PID:2792
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f3⤵PID:2308
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:2024
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f3⤵PID:1648
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f2⤵PID:2512
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f3⤵PID:2460
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f2⤵PID:2076
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f3⤵PID:2872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f2⤵PID:2012
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f3⤵PID:1108
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f2⤵PID:1092
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f3⤵PID:1908
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f2⤵PID:984
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f3⤵PID:2124
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f2⤵PID:1972
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f3⤵PID:1712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:3012
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:2924
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f2⤵PID:3056
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f3⤵PID:1368
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:1276
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f2⤵PID:2900
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:2728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable2⤵PID:2628
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:2908
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable2⤵PID:1312
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:2572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable2⤵PID:1924
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:3060
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable2⤵PID:1260
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:852
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable2⤵PID:2744
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:444
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f2⤵PID:2280
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:800
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f2⤵PID:2272
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:812
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f2⤵PID:3032
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:2316
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1372
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:2936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f2⤵PID:1120
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:3044
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:308
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1572
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:748
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1728
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1604
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies Security services
PID:1784
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2916
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:2668
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-Type –AssemblyName System.Speech; (New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak('Everything has been done. Reboot is recommended.');2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:752
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2680
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2940
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003E8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2188
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-33606343-16574787499753275491895431221150362152212016239001445442535671619862"1⤵PID:1092
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-161672260440114241448697740-50800903-696109317-117604240018444196221312953779"1⤵PID:1548
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "14452525411707739676-1248069831-539255364-374945345-746655841946203352496578857"1⤵PID:2372
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "14885031851117959986673163554-1485636742552509948-348461025-16357125991757287769"1⤵PID:2780
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "242170742-1016024445-16656062651960623335-62192812411163940321236656956565094839"1⤵PID:2840
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-594991085-1262394452-20381278801829001322-74328554-175106799310114981221619190495"1⤵PID:2080
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13449306342406677828800284671604941087-20133686931586516124382509485-646558998"1⤵PID:1920
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2088564432-593342215-117395344811924802221316889072573202791581520409-1432208420"1⤵PID:1380
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1856749349-150360431-3015913441726834216-784575795-1674825705-680623011-73582905"1⤵PID:1700
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "191413517-15507142712093527470116218631120338212051539400233223021131-681499516"1⤵PID:2328
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "823538525-359398056-1800956328-752589612531723066-30272455-9482621081519568965"1⤵PID:308
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-429690661-110268484811961037311743008444-652890579-1495146797-2014444969-721992621"1⤵PID:604
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-492467930846078094-1574488978-13746668551349480913-197721655212217356641400411721"1⤵PID:2400
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1229803517-20939131281437020320-4972159801542803769-1784328575-1852983463-845679195"1⤵PID:3056
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
PID:2664
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Modifies data under HKEY_USERS
PID:2452 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:660
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 5162⤵
- Modifies data under HKEY_USERS
PID:2676
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1070608082-1791478455295324646-41365058-5775718391689074650-759833237788724367"1⤵PID:812
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-11899270331034922621336833963-645002340-1194493049-511762199-1972626188487227799"1⤵PID:2920
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-106929274-18734849801371860527-1436410824-5963455301260343723-12144262201118359733"1⤵PID:2272
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-20874152178230131431601085913-299957430-11427883514784569301744635065-1728955751"1⤵PID:3052
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1009239634467654830-4906701451615097867157119449-442428074-15412044051888852491"1⤵PID:3056
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-668633543-574307207-3520684722059681463-1056380071-2591676861230871488-536964425"1⤵PID:1480
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-158568954220153648991035680095-17832759521166832807356455267-351084897-1223094259"1⤵PID:692
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-971977201-389036578-1845105683-18840061401521175313-45082689-3996778441787504025"1⤵PID:2148
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-171174380-767624034-1923982098182571768791180215-1820772942139472700-1088834179"1⤵PID:2372
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1642992931724541005-1143643933611670412-1667771524-1332013909369785087-1322598339"1⤵PID:2168
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-851006397-473192584-403188820-19156770463197548221813009140-200045751-2013502826"1⤵PID:2288
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1009333233-1974912206-2599954646821610641270035085125768122-18529947321580341043"1⤵PID:2024
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
PID:2724
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1928297706-1821072020-991978948109542731720849303744375144121423657593305636334"1⤵PID:352
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-79845987-9932613951454417800210502204-762312212760191408-13137970271456491782"1⤵PID:1524
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵PID:2908
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:928
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 5162⤵
- Modifies data under HKEY_USERS
PID:960
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "878045291-1027844578-19413402501818904422111685450-936388355455286302056155081"1⤵PID:2168
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-738306258-1711544222-1324381258-19401187591582981053-10795927532046933838-454230230"1⤵PID:2800
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "12441575531307150674-9564801481111082676154513133611459394-7086729261635660500"1⤵PID:1984
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1038513950-13331217951322184421-2019675657-87277585615328631261336129524753313"1⤵PID:1700
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "783782080-3259347436570272971380935289-486422288-19718314421840300301-503407204"1⤵PID:812
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "857547201803956725-1640510074-18379009641932198942-1069415397-1320819549-1902198876"1⤵PID:888
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
- System Location Discovery: System Language Discovery
PID:1872
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-508843538-19075548092039729530-2072970627-77091741516209074911378901573734172045"1⤵PID:1560
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1152733895-1452682313-129222291516243744032796743071399586187815398732-1196373947"1⤵PID:2468
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵PID:1996
-
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Suspicious use of SetWindowsHookEx
PID:2028
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 508 512 520 65536 5162⤵PID:2520
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Power Settings
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
1Ignore Process Interrupts
1Impair Defenses
3Disable or Modify Tools
1Indicator Removal
2Clear Persistence
1File Deletion
1Modify Registry
7Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1024KB
MD5e0707a7fc169d2dafee527a575942dd4
SHA19934b6f171208092a010f8b5437a9023a50a489e
SHA2561dad898b201bbca3ba2484872447d1e184522c88178e4da6d9a374920980fb20
SHA5127c863def97ce71dd123070a2d0b63e9787c0e5671f552eced86fac5fdbb082adbf895d94e88b731e48f9ff2de8d7f03a7ade02113e84577eb50c1a638508b23a
-
Filesize
1024KB
MD5dd9d78065a4fa16abad3834e643cb20e
SHA17d11ff716b2697e905b3ff3fbee89be53c7a61ed
SHA256a998b2a71ff8163345825ca11a8cd2088c9995150671429cc8d92e435dbe639f
SHA512a10281ecded428937c4a814bc6105ed47a55b2e3b234ce87785a6c5dfd6f4a85bf42a038cf6c7aa490873bfea3fcb8858865cdd14a0d7e3f50fab813e0bb1e5e
-
Filesize
1024KB
MD57ef69db05695d5f542dc7f8d0bc25de7
SHA1dbafe5c959fc89829ce0bddaf0ea89a07e1cfb29
SHA2568766c6ac0df2f0745031e51554642bc4b8e7cdcc2988ab2043f63e95ca09ccab
SHA512503ef1323307c857d024b0e1554396cb8432fef663c0206dddd020df1d5ea21c9113603ba549f05691d5540acd8c53145f7ade0881c4cf21153c05155c73b659
-
Filesize
152B
MD5e0ed86ec0aba24708f52da3f9c3810d6
SHA131943a4a1366816b36d5df783b67b7440c3d3d93
SHA256fe333508ffb159273d97cce5e2608dd187d2d2eed6843cb418d6cf7352fe9526
SHA5129c71bbeed7483c2bf42d7d450f8696f19f0f37997b48eb41128458a673d7a0ee4c5afb723b0aa54359b0fca07fa86cb0fe4c034d64a6dd88427e6bd6373f7cd8
-
Filesize
109KB
MD55488e381238ff19687fdd7ab2f44cfcc
SHA1b90fa27ef6a7fc6d543ba33d5c934180e17297d3
SHA256abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0
SHA512933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412
-
Filesize
94KB
MD59a821d8d62f4c60232b856e98cba7e4f
SHA14ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5
SHA256a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525
SHA5121b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3
-
Filesize
211KB
MD545ff4fa5ca5432bfccded4433fe2a85b
SHA1858c42499dd9d2198a6489dd310dc5cbff1e8d6e
SHA2568a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd
SHA512abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589
-
Filesize
124KB
MD5e7caed467f80b29f4e63ba493614dbb1
SHA165a159bcdb68c7514e4f5b65413678c673d2d0c9
SHA2562c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c
SHA51234952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e
-
Filesize
265KB
MD5fe447d1cd38cecac2331fa932078d9a0
SHA1ebd99d5eb3403f547821ce51c193afc86ecf4bcf
SHA25605fe0897be3f79773c06b7ba4c152eec810fd895bf566d837829ec04c4f4338d
SHA512801e47c6c62a2d17ed7dd430a489507faf6074471f191f66862fd732924ad9a4bd1efe603354ed06d16c4d5c31a044126c4cc2dbbd8ffece2ed7632358ee7779
-
Filesize
32KB
MD5724ee7133b1822f7ff80891d773fde51
SHA1d10dff002b02c78e624bf83ae8a6f25d73761827
SHA256d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367
SHA5121dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b
-
Filesize
12KB
MD59085b83968e705a3be5cd7588545a955
SHA1f0a477b353ca3e20fa65dd86cb260777ff27e1dd
SHA256fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd
SHA512b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c
-
Filesize
6KB
MD5f18044dec5b59c82c7f71ecffe2e89ab
SHA1731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6
SHA256a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e
SHA51253c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714
-
Filesize
15KB
MD5ee8c06cd11b34a37579d118ac5d6fa1d
SHA1c62f7fb0c6f42321b33ea675c0dfd304b2eb4a15
SHA2566991fb4bfd6800385a32ac759dd21016421cb13dca81f04ddcaf6bf12a928ccc
SHA512091cfa7d9b80e92df13ba829372dfb211214f4221e52fbf3f558ebb7f18736ad9ad867ea0d0ddf8938def1b4db64a12d0df37c2eaf41727b997f4905dd41fed1
-
Filesize
2KB
MD5cab37f952682118bac4a3f824c80b6ac
SHA16e35b4289927e26e3c50c16cbf87eb3ac6f3b793
SHA25614bec7c4bb6cf1ee9049ef8820ec88bf78f2af75615f7a3fb265ef4b45c30e4d
SHA512de9089adaa85f37201526b8619f697be98a7d05353b21b6d835f4d56803732380316359ba8b3c8ca7c14a9bf7cf31a7eff3c866a8f303ef737eb63573e01aa19
-
Filesize
26KB
MD50bffb5e4345198dbf18aa0bc8f0d6da1
SHA1e2789081b7cf150b63bad62bac03b252283e9fe5
SHA256b7bcc0e99719f24c30e12269e33a8bf09978c55593900d51d5f8588e51730739
SHA512590e8016075871846efff8b539e4779a1a628de318c161292c7231ca964a310e0722e44816041786c8620bff5c29ff34c5f35733ee4eac74f3abfae6d3af854a
-
Filesize
5KB
MD5f909216cf932aeb4f2f9f02e8c56a815
SHA1c5cafe5f8dad60d3a1d7c75aa2cf575e35a634f2
SHA256f5c89ba078697cdb705383684af49e07cdd094db962f0649cad23008ae9d6ce2
SHA5125dca19d54f738486085f11b5a2522073894a97d67e67be0eadbe9dc8944e632ae39b24499d7ff16e88d18166031697a238ead877f12cbb7447acca49c32a184a
-
Filesize
15KB
MD517fac8ab2dfbaba2b049ec43204c1c2f
SHA1d484ea7c6f749debf92b132765d2fd56f228db73
SHA256f4d277aaa8d0bed0afcd1b703ee4c28c86313075e291b6addbdfd6202eb3777e
SHA512ff7969adbc53fd2f5dccd3842b46a2517904d524020e69bb21271cd8ddc0cfddfd3f791741589b17b740d5d013cf14ed28b5af50d37d960c955adfd6b99e50cc
-
Filesize
2KB
MD5f0588e200554aed003667c04819cce32
SHA1dacbdc53bd297cd818ea954f5a47de6e84212108
SHA25640fe7b6631d11b5519f051ff0a0ade1cb0de524fb4904114067e71b729c38eba
SHA51299d9372a452a1b908f55d204a2b85addaa11fe49bb0b9c0d36a131c1cad254e9fb8a3b952572111d68a78fdbf41782dbe78d8cb20165676aada496113e4899eb
-
Filesize
2KB
MD59bc5d6eb3e2d31bbdbffe127a1b3cdbf
SHA1b253025c442aefe338b4c7ebea2f7d808abc9618
SHA25655e9ae098def76e7388d7d069746dbd136ae243357ece23b77f2365f0b2ff76f
SHA512f9968554737d181d4b7d0366f40f0c9a2039b59796986964413fa08f031f5529411b2741eb8ea3d8c312112b2038e6a58d891d090a42672c3d1c782b859f2e08
-
Filesize
265KB
MD57b38d7916a7cd058c16a0a6ca5077901
SHA1f79d955a6eac2f0368c79f7ba8061e9c58ba99b2
SHA2563f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce
SHA5122d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710
-
Filesize
506B
MD56a465b0f359f7d73b35db2d2e6b88e1b
SHA1188e33c4cb5dabba23510b9dea7dd8aeaffde40e
SHA25610dbf6577f04e5d176a74973776a6b332bfcb9a3e50227fa2bc65a20eeafd799
SHA5125b759de98ffe1dde0d37202e4dc24a20b0da6f5238de64376afe8533b00b3ed5fdae01bfa0a4dc79cede97465e1929abd0070d05c24924d5493d8d5008541541
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD50b33f1411816684b3cf85c3272bdb5f3
SHA16a04ec80684f8ef25b336b08392f0715c1aa1884
SHA256b7b541e9b8063e6fbe74211ad2f80f8e0df6cd3edff9fca8213d382fb2788312
SHA5123c38e852b49b824025bd14a8a6bc9d33356add3eabf6476ceb7a2a5a93ae8f70f9bf1af679e74260945e7fe43c478880808082d0b0af193f0258551bac786469
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5303c6fcfc58922970e8dc658a83cf9e2
SHA1e0fe14acdb60f0dd53a21c48360c4aa587eb2afd
SHA2560adf2dffbacd26e1c6461dae0d4977f68277862072e6ab8806d63071733ecaca
SHA512453828cfb48e8cfe18affa42bd837f607948bf60d12a1e404d59a96da21c48ea80affefe5bdb1cf900e951f9e00d6b3402449483e7e04e52cf41ff3ac773638c
-
Filesize
6KB
MD57fc0afe1bd7bb8cf4cbdce04eededcbf
SHA1a1cd58623340eb49ba83d80cbc934592a569caba
SHA25630af6a731211c130d68223ca52c357eb2b6e7741cc6885ddb541830fe8c93743
SHA512ea1ca219f2fa14acd02345209fbce2383dc84b263e5cc03cd8ebf956c8f28b98279b7b6af3a0a14bb6a4cff5c8b95a07b50dbf3293e3a00ca173184b28298d6c
-
Filesize
17KB
MD5e1bcaa9c6b04f3c7f23e197da951f9b2
SHA1dcc1c6a7becd0f57844aa28f2fa46f848d200ba6
SHA25635bb5a3e4659aa93a52772acc6df23d19eb1aabdafbc6bb1e6304dc17c53a488
SHA512685a63caaa054408b326ebfda0c42d07d14541a66d097d68b3d2eec38513fa112f497ef803834596b8026406e50e697c5b3b607fddad25ba59d08219da7dc797
-
Filesize
744KB
MD5efcb002abc3529d71b61e6fb6434566c
SHA1a25aca0fc9a1139f44329b28dc13c526965d311f
SHA256b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd
SHA51210ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687
-
Filesize
179KB
MD56a4bd682396f29fd7df5ab389509b950
SHA146f502bec487bd6112f333d1ada1ec98a416d35f
SHA256328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb
SHA51235ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751
-
Filesize
283KB
MD5f2b0771a7cd27f20689e0ab787b7eb7c
SHA1eb56e313cd23cb77524ef0db1309aebb0b36f7ef
SHA2567c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f
SHA5125ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a
-
Filesize
182KB
MD58ca117cb9338c0351236939717cb7084
SHA1baa145810d50fdb204c8482fda5cacaaf58cdad0
SHA256f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54
SHA51235b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35
-
Filesize
425KB
MD5fc2db5842190c6e78a40cd7da483b27c
SHA1e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0
SHA256e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82
SHA512d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6
-
Filesize
52KB
MD5c9d74156913061be6c51d8fc3acf8e93
SHA14a4c6473a478256e4c78b423e918191118e01093
SHA256af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37
SHA512c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047
-
Filesize
306KB
MD5bbb9e4fa2561f6a6e5ccf25da069ac1b
SHA12d353ec70c7a13ac5749d2205ac732213505082a
SHA256b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1
SHA51201f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e
-
Filesize
104KB
MD562de64dc805fd98af3ada9d93209f6a9
SHA1392ba504973d626aaf5c5b41b184670c58ec65a7
SHA25683c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc
SHA5127db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28