67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c

Resubmissions

27/03/2025, 09:39

250327-lm3m5sslv4 10

27/03/2025, 07:44

250327-jkzscsyxgx 10

27/03/2025, 04:15

250327-evp9fsyrx2 10

Analysis

max time kernel
230s
max time network
251s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V7.0.bat
Size

201KB
MD5

c8e2a0c12285b709fc839a4c7cbd6e1a
SHA1

cae0726adbd932745e4e4db37c82c5839f632efa
SHA256

67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c
SHA512

a99ca57c12ab00bd160747812ef71518cff0db5b8962b6b21694f0e9d7682830642290c8cbef7a83368ea7b302730e3d0930761edae15fca51247ee8f14bdc18
SSDEEP

1536:8PSPKdigMQgPTjIV4QJ8STaggyjH/nvfHH4pXfCWOBEzCLiD15ToSmcj/DB:MfjvvfeTTmcTDB

Score

10^/10

adware defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4424	bcdedit.exe
1696	Process not Found
2200	Process not Found
868	Process not Found

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1676	powershell.exe
5068	powershell.exe
4708	Process not Found
2064	Process not Found
1740	Process not Found
4744	Process not Found
2236	Process not Found
780	Process not Found
4044	powershell.exe
3616	Process not Found
1552	Process not Found
1464	Process not Found
3404	Process not Found
1640	Process not Found
3580	Process not Found
5036	Process not Found
1192	Process not Found
3816	Process not Found
4336	Process not Found
436	Process not Found
420	Process not Found
1740	Process not Found
4252	Process not Found
4792	Process not Found
4404	Process not Found
1788	Process not Found
5116	Process not Found
480	Process not Found
4164	Process not Found
1124	Process not Found
2428	Process not Found
1856	Process not Found
3700	Process not Found
4180	Process not Found
1764	Process not Found
1964	Process not Found
1864	Process not Found
1092	Process not Found
2984	Process not Found
2948	Process not Found
664	Process not Found
3856	Process not Found
4604	Process not Found
396	Process not Found
3624	Process not Found
4224	Process not Found
4468	Process not Found
3680	Process not Found
3628	powershell.exe
4272	Process not Found
3592	Process not Found
1372	Process not Found
1456	Process not Found
3440	Process not Found
1372	Process not Found
4012	Process not Found
572	powershell.exe
3660	Process not Found
3344	Process not Found
4316	Process not Found
4568	Process not Found
2212	Process not Found
4992	Process not Found
4416	Process not Found

Downloads MZ/PE file 1 IoCs

flow	pid	Process
24	3440	curl.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\PerfOptions	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIADAP.exe\PerfOptions	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\IoPriority = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sihost.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions\IoPriority = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlc.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions\IoPriority = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIADAP.exe	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\PerfOptions\CpuPriorityClass = "1"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlc.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlc.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininit.exe	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininit.exe\PerfOptions\CpuPriorityClass = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sihost.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininit.exe\PerfOptions	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartMenu.exe\PerfOptions\CpuPriorityClass = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIADAP.exe\PerfOptions\CpuPriorityClass = "1"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartMenu.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\PagePriority = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartMenu.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fontdrvhost.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe

Possible privilege escalation attempt 21 IoCs

exploit

pid	Process
2024	icacls.exe
4564	icacls.exe
1512	takeown.exe
1992	icacls.exe
3724	icacls.exe
4472	icacls.exe
3820	takeown.exe
4600	takeown.exe
3716	takeown.exe
4524	icacls.exe
3932	takeown.exe
1316	takeown.exe
4448	takeown.exe
4048	icacls.exe
3716	icacls.exe
4208	takeown.exe
4556	icacls.exe
2120	icacls.exe
1772	icacls.exe
244	takeown.exe
3976	takeown.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
3148	OOSU10.exe
3556	NSudoLG.exe
2152	NSudoLG.exe
4944	NSudoLG.exe
3376	OpenShellSetup_4_4_191.exe
4104	StartMenu.exe

Loads dropped DLL 6 IoCs

pid	Process
2280	MsiExec.exe
4836	MsiExec.exe
3868	MsiExec.exe
2340	MsiExec.exe
4104	StartMenu.exe
4232	explorer.exe

Modifies file permissions 1 TTPs 21 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2120	icacls.exe
4048	icacls.exe
244	takeown.exe
4556	icacls.exe
3820	takeown.exe
3724	icacls.exe
3716	takeown.exe
4524	icacls.exe
4448	takeown.exe
3716	icacls.exe
4208	takeown.exe
4600	takeown.exe
1512	takeown.exe
1316	takeown.exe
1772	icacls.exe
1992	icacls.exe
3932	takeown.exe
4472	icacls.exe
3976	takeown.exe
2024	icacls.exe
4564	icacls.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun"	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}	MsiExec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
8	raw.githubusercontent.com
26	raw.githubusercontent.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1456	powercfg.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\system32\StartMenuHelper64.dll	msiexec.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1736937623-2710279395-1526620350-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1736937623-2710279395-1526620350-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File created	C:\Windows\SysWOW64\StartMenuHelper32.dll	msiexec.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{06fb1219-100c-494c-b01f-f5c2b2b11d55}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{06fb1219-100c-494c-b01f-f5c2b2b11d55}\snapshot.etl	svchost.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files\Open-Shell\ClassicExplorer32.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Basic.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorer64.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Menu Settings.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Menu Settings.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Screen.lnk~RFe59e100.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuDLL.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe
File created	C:\Program Files\Open-Shell\PolicyDefinitions.zip	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Smoked Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\Start Screen.lnk	msiexec.exe
File created	C:\Program Files\Open-Shell\ClassicExplorerSettings.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metallic.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuHelperL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Update.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe59e0f0.TMP	msiexec.exe
File created	C:\Program Files\Open-Shell\ExplorerL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Full Glass.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShell.chm	msiexec.exe
File created	C:\Program Files\Open-Shell\OpenShellReadme.rtf	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenuL10N.ini	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Classic Skin.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Metro.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Midnight.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows 8.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Windows Aero.skin7	msiexec.exe
File created	C:\Program Files\Open-Shell\StartMenu.exe	msiexec.exe
File created	C:\Program Files\Open-Shell\DesktopToasts.dll	msiexec.exe
File created	C:\Program Files\Open-Shell\Skins\Immersive.skin7	msiexec.exe
File opened for modification	C:\Program Files\Open-Shell\~tart Screen.tmp	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e59ddf4.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2371766236F43CEC.TMP	msiexec.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DF79A2D32AB7F04449.TMP	msiexec.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF660FD7B08564DFE8.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0FA138A9015A83FA.TMP	msiexec.exe
File created	C:\Windows\Installer\e59ddf2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e59ddf2.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDECD.tmp	msiexec.exe
File created	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe	msiexec.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
4448	powershell.exe
1988	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4056	sc.exe
2368	sc.exe
796	sc.exe
4220	sc.exe
4188	sc.exe
4044	sc.exe
1664	sc.exe
4520	sc.exe
3600	sc.exe
1764	sc.exe
2076	sc.exe
112	sc.exe
1616	sc.exe
436	sc.exe
1308	sc.exe
2148	sc.exe
1328	sc.exe
4924	sc.exe
3144	sc.exe
4688	sc.exe
4276	sc.exe
3904	sc.exe
728	sc.exe
1468	sc.exe
4680	sc.exe
1616	sc.exe
2316	sc.exe
2172	sc.exe
1460	sc.exe
3780	sc.exe
576	sc.exe
1032	sc.exe
2404	sc.exe
1924	sc.exe
4364	sc.exe
2428	sc.exe
4056	sc.exe
4644	sc.exe
1108	sc.exe
1656	sc.exe
2656	sc.exe
720	sc.exe
4852	sc.exe
2764	sc.exe
2724	sc.exe
4044	sc.exe
2080	sc.exe
2536	sc.exe
2388	sc.exe
2328	sc.exe
1656	sc.exe
2536	sc.exe
3348	sc.exe
3948	sc.exe
2012	sc.exe
1512	sc.exe
1040	sc.exe
2376	sc.exe
1056	sc.exe
2632	sc.exe
1872	sc.exe
4920	sc.exe
4516	sc.exe
4724	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OpenShellSetup_4_4_191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3732	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003c9263343ee389390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003c9263340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003c926334000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3c926334000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003c92633400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 64 IoCs

defense_evasion

pid	Process
3476	timeout.exe
1444	timeout.exe
2068	timeout.exe
4908	timeout.exe
1000	timeout.exe
2916	Process not Found
3724	timeout.exe
3208	timeout.exe
4228	timeout.exe
576	timeout.exe
2468	timeout.exe
3716	timeout.exe
2468	timeout.exe
1008	timeout.exe
4540	timeout.exe
480	timeout.exe
4260	timeout.exe
4116	timeout.exe
2892	timeout.exe
624	timeout.exe
236	timeout.exe
112	timeout.exe
2972	timeout.exe
3552	timeout.exe
3376	Process not Found
4828	Process not Found
3520	timeout.exe
1328	timeout.exe
2636	timeout.exe
420	timeout.exe
2224	Process not Found
4920	timeout.exe
2908	timeout.exe
456	timeout.exe
4284	timeout.exe
2920	timeout.exe
1852	timeout.exe
3344	timeout.exe
2556	Process not Found
3932	timeout.exe
1192	timeout.exe
2696	Process not Found
4628	timeout.exe
4984	timeout.exe
1616	timeout.exe
3892	timeout.exe
2596	timeout.exe
768	Process not Found
2652	timeout.exe
1056	timeout.exe
3656	timeout.exe
2340	Process not Found
3676	timeout.exe
2120	timeout.exe
4080	timeout.exe
1676	timeout.exe
4724	timeout.exe
3536	timeout.exe
3792	timeout.exe
4396	timeout.exe
2352	timeout.exe
800	timeout.exe
724	Process not Found
400	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 18 IoCs

defense_evasion

pid	Process
3052	taskkill.exe
3220	taskkill.exe
4404	taskkill.exe
1364	Process not Found
5028	taskkill.exe
4224	taskkill.exe
4584	taskkill.exe
4504	Process not Found
4176	Process not Found
3260	taskkill.exe
2572	taskkill.exe
4180	Process not Found
792	taskkill.exe
5064	taskkill.exe
4564	taskkill.exe
2828	taskkill.exe
3360	taskkill.exe
3176	taskkill.exe

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	OOSU10.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	MsiExec.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "1000"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400500010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand\ = "ExplorerBand Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ = "IShareOverlay"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ = "Open-Shell Modern Settings Context Menu"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1736937623-2710279395-1526620350-1000\{102379DC-CBBF-4452-AA55-A41988C8F593}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13612"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13645"	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt\CurVer	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}\ = "StartMenuEmulation"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.ImmersiveApplication\ShellEx\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\PersistedTitleBarData\Microsoft.MicrosoftStickyNotes_8wekyb3d = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\StartMenuExt	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\CLSID\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\ = "ClassicExplorer 1.0 Type Library"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ab14324-c087-42c1-b905-a0bfdb4e9532}\ShellEx\MayChangeDefaultMenu	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder\Attributes = "2684354560"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\ProductName = "Open-Shell"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellFolder	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D3214FBB-3CA1-406A-B3E8-3EB7C393A15E}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.ImmersiveApplication\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\ = "ExplorerBHO Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\Programmable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CLSID\ = "{594D4122-1F87-41E2-96C7-825FB4796516}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ = "Classic Explorer Bar"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\CLSID\ = "{449D0D6E-2412-4E61-B68F-1CB625CD9E52}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\Programmable	MsiExec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1104	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2316	powershell.exe
2316	powershell.exe
4252	powershell.exe
4252	powershell.exe
1884	powershell.exe
1884	powershell.exe
4448	powershell.exe
4448	powershell.exe
1936	powershell.exe
1936	powershell.exe
556	powershell.exe
556	powershell.exe
4044	powershell.exe
4044	powershell.exe
1676	powershell.exe
1676	powershell.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
1988	powershell.exe
1988	powershell.exe
5068	powershell.exe
5068	powershell.exe
4056	powershell.exe
4056	powershell.exe
3888	svchost.exe
3888	svchost.exe
3888	svchost.exe
3888	svchost.exe
3556	NSudoLG.exe
3556	NSudoLG.exe
2152	NSudoLG.exe
2152	NSudoLG.exe
4944	NSudoLG.exe
4944	NSudoLG.exe
572	powershell.exe
572	powershell.exe
4232	explorer.exe
4232	explorer.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe
3816	powershell.exe
3816	powershell.exe
3628	powershell.exe
3628	powershell.exe
3036	msiexec.exe
3036	msiexec.exe
3616	Process not Found
3616	Process not Found
3816	Process not Found
3816	Process not Found
4012	Process not Found
4012	Process not Found
3660	Process not Found
3660	Process not Found
3660	Process not Found
4272	Process not Found
4272	Process not Found
4272	Process not Found
4792	Process not Found
4792	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4232	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeBackupPrivilege	784	TiWorker.exe
Token: SeRestorePrivilege	784	TiWorker.exe
Token: SeSecurityPrivilege	784	TiWorker.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeBackupPrivilege	2336	vssvc.exe
Token: SeRestorePrivilege	2336	vssvc.exe
Token: SeAuditPrivilege	2336	vssvc.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeBackupPrivilege	1988	srtasks.exe
Token: SeRestorePrivilege	1988	srtasks.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
3544	msiexec.exe
3544	msiexec.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
224	Taskmgr.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4232	explorer.exe
1880	SearchHost.exe
4388	StartMenuExperienceHost.exe
4232	explorer.exe
4104	StartMenu.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe
4232	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1860	3140	cmd.exe	82
PID 3140 wrote to memory of 1860	3140	cmd.exe	82
PID 3140 wrote to memory of 3732	3140	cmd.exe	83
PID 3140 wrote to memory of 3732	3140	cmd.exe	83
PID 3732 wrote to memory of 4996	3732	cmd.exe	84
PID 3732 wrote to memory of 4996	3732	cmd.exe	84
PID 3732 wrote to memory of 4128	3732	cmd.exe	85
PID 3732 wrote to memory of 4128	3732	cmd.exe	85
PID 3140 wrote to memory of 2956	3140	cmd.exe	86
PID 3140 wrote to memory of 2956	3140	cmd.exe	86
PID 3140 wrote to memory of 2144	3140	cmd.exe	87
PID 3140 wrote to memory of 2144	3140	cmd.exe	87
PID 3140 wrote to memory of 3556	3140	cmd.exe	88
PID 3140 wrote to memory of 3556	3140	cmd.exe	88
PID 3140 wrote to memory of 572	3140	cmd.exe	89
PID 3140 wrote to memory of 572	3140	cmd.exe	89
PID 3140 wrote to memory of 576	3140	cmd.exe	90
PID 3140 wrote to memory of 576	3140	cmd.exe	90
PID 3140 wrote to memory of 3600	3140	cmd.exe	91
PID 3140 wrote to memory of 3600	3140	cmd.exe	91
PID 3600 wrote to memory of 3028	3600	net.exe	92
PID 3600 wrote to memory of 3028	3600	net.exe	92
PID 3140 wrote to memory of 3148	3140	cmd.exe	96
PID 3140 wrote to memory of 3148	3140	cmd.exe	96
PID 3140 wrote to memory of 4628	3140	cmd.exe	97
PID 3140 wrote to memory of 4628	3140	cmd.exe	97
PID 3140 wrote to memory of 3752	3140	cmd.exe	98
PID 3140 wrote to memory of 3752	3140	cmd.exe	98
PID 3140 wrote to memory of 4680	3140	cmd.exe	99
PID 3140 wrote to memory of 4680	3140	cmd.exe	99
PID 3140 wrote to memory of 5024	3140	cmd.exe	100
PID 3140 wrote to memory of 5024	3140	cmd.exe	100
PID 3140 wrote to memory of 3288	3140	cmd.exe	101
PID 3140 wrote to memory of 3288	3140	cmd.exe	101
PID 3140 wrote to memory of 3032	3140	cmd.exe	102
PID 3140 wrote to memory of 3032	3140	cmd.exe	102
PID 3140 wrote to memory of 3724	3140	cmd.exe	103
PID 3140 wrote to memory of 3724	3140	cmd.exe	103
PID 3140 wrote to memory of 4408	3140	cmd.exe	104
PID 3140 wrote to memory of 4408	3140	cmd.exe	104
PID 3140 wrote to memory of 4516	3140	cmd.exe	105
PID 3140 wrote to memory of 4516	3140	cmd.exe	105
PID 3140 wrote to memory of 2316	3140	cmd.exe	106
PID 3140 wrote to memory of 2316	3140	cmd.exe	106
PID 3140 wrote to memory of 4252	3140	cmd.exe	107
PID 3140 wrote to memory of 4252	3140	cmd.exe	107
PID 3140 wrote to memory of 2696	3140	cmd.exe	110
PID 3140 wrote to memory of 2696	3140	cmd.exe	110
PID 3140 wrote to memory of 2264	3140	cmd.exe	111
PID 3140 wrote to memory of 2264	3140	cmd.exe	111
PID 3140 wrote to memory of 1028	3140	cmd.exe	112
PID 3140 wrote to memory of 1028	3140	cmd.exe	112
PID 3140 wrote to memory of 4920	3140	cmd.exe	113
PID 3140 wrote to memory of 4920	3140	cmd.exe	113
PID 3140 wrote to memory of 1884	3140	cmd.exe	114
PID 3140 wrote to memory of 1884	3140	cmd.exe	114
PID 3140 wrote to memory of 3476	3140	cmd.exe	120
PID 3140 wrote to memory of 3476	3140	cmd.exe	120
PID 3140 wrote to memory of 2120	3140	cmd.exe	121
PID 3140 wrote to memory of 2120	3140	cmd.exe	121
PID 3140 wrote to memory of 3208	3140	cmd.exe	122
PID 3140 wrote to memory of 3208	3140	cmd.exe	122
PID 3140 wrote to memory of 4936	3140	cmd.exe	123
PID 3140 wrote to memory of 4936	3140	cmd.exe	123

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	OOSU10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
    3⤵
    PID:4996
- - C:\Windows\system32\findstr.exe
    findstr "REG_SZ"
    3⤵
    PID:4128
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Control\Session Manager\kernel" /v "GlobalTimerResolutionRequests" /t REG_DWORD /d "1" /f
  2⤵
  PID:2956
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:2144
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:3556
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:572
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=auto
  2⤵
  PID:576
- C:\Windows\system32\net.exe
  net start TrustedInstaller
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start TrustedInstaller
    3⤵
    PID:3028
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Oneclick/raw/refs/heads/main/Downloads/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  2⤵
  PID:3148
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4628
- C:\Windows\system32\tar.exe
  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  2⤵
  PID:3752
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  - Launches sc.exe
  PID:4680
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:5024
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:3288
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3032
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3724
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4408
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:1028
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Checkpoint-Computer -Description 'OneClick V7.0 Restore Point'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3476
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2120
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3208
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4936
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:3996
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:624
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:1108
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:4148
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:4000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1092
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:3588
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5044
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:3432
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:4516
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4984
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:3700
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3536
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2856
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3520
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:3896
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3792
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:4756
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2652
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:2440
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:2656
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:1376
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:2280
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:4724
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1616
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:2536
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:3948
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:1664
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:3600
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:660
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:244
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:5020
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:236
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:4824
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1328
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1104
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4396
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:2212
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:3712
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:3488
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2908
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4548
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:2460
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  PID:1456
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:4932
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:4212
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:3032
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:456
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:3288
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3932
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:4448
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1192
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:1716
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:576
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4616
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2352
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:2632
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2764
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:3908
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  PID:2696
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  PID:4952
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  PID:1376
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:2280
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  PID:4700
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  PID:5068
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:4852
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  - Launches sc.exe
  PID:3348
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  PID:3556
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  PID:2852
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  PID:4248
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:4364
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  PID:4856
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  - Launches sc.exe
  PID:1460
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:1588
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  PID:2884
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:1512
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  - Launches sc.exe
  PID:3948
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:3248
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  PID:1664
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:3604
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  PID:4620
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:5028
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:5020
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  PID:236
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  PID:624
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:2596
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:1108
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  - Launches sc.exe
  PID:3780
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:4944
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:3712
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:3488
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:224
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:2292
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:5044
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:2564
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:3888
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:2888
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:4652
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:456
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  PID:3752
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:3724
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:2924
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  PID:3432
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:2912
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:1120
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  PID:4684
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  PID:1636
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  PID:2004
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:3108
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:4284
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:876
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  - Launches sc.exe
  PID:4220
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:1496
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  - Launches sc.exe
  PID:1872
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:436
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  PID:1988
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  - Launches sc.exe
  PID:576
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  PID:816
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  - Launches sc.exe
  PID:1656
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  - Launches sc.exe
  PID:4920
- C:\Windows\system32\sc.exe
  sc config MSDTC start=disabled
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:2784
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  PID:2824
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:2696
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  PID:4952
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  PID:2084
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:1376
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:2280
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  - Launches sc.exe
  PID:4276
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:4700
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:4880
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:2152
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  PID:3984
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:1464
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  - Launches sc.exe
  PID:2388
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:3968
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  PID:4248
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:4364
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  - Launches sc.exe
  PID:1616
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:4672
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  - Launches sc.exe
  PID:3904
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:3360
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:2916
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:1576
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:2120
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:560
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:420
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:4620
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:1640
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  PID:4224
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:1672
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:4824
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:1328
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:1108
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:5116
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  PID:2236
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:2908
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:4080
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:2292
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  PID:4244
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  - Launches sc.exe
  PID:4188
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:4932
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:2564
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:2348
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  - Launches sc.exe
  PID:1032
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  PID:456
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  PID:1392
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:1468
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  PID:2228
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  PID:3432
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  - Launches sc.exe
  PID:4516
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:1120
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:3964
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:132
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:3676
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:4644
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  PID:4676
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  PID:3700
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:2828
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  - Launches sc.exe
  PID:4044
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  - Launches sc.exe
  PID:4520
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  - Launches sc.exe
  PID:436
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:1988
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  PID:576
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  PID:816
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:2352
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:2264
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  PID:2320
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  PID:2632
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  PID:2764
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:2428
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  PID:896
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:2080
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:1832
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  PID:4276
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:3844
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:4376
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1308
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  PID:2224
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  PID:1460
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  PID:2536
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:3360
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  PID:5064
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:3208
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  PID:2120
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:3604
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:244
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  PID:4032
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:1640
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  PID:4224
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:1672
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  PID:624
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:1328
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  - Launches sc.exe
  PID:1108
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:4540
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  PID:3712
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:3488
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:2272
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:1592
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:4508
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:5004
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  - Launches sc.exe
  PID:4924
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:2436
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  - Launches sc.exe
  PID:728
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:1032
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  PID:3288
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:3932
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  - Launches sc.exe
  PID:1468
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:404
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  PID:2924
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  PID:4820
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  PID:4684
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:3964
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  PID:132
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:3676
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  PID:4644
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:3172
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  - Launches sc.exe
  PID:2724
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:3700
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:2828
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  - Launches sc.exe
  PID:4044
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  PID:1228
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  PID:4812
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  PID:1016
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  PID:1220
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:5056
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:1940
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  PID:2376
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:2784
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  PID:2764
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  PID:3648
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:2368
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:4952
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config smphost start=disabled
  2⤵
  - Launches sc.exe
  PID:2080
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:1832
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:4276
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:4880
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  PID:2152
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  - Launches sc.exe
  PID:2148
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:3348
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  PID:3556
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  PID:2852
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  - Launches sc.exe
  PID:4056
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:2224
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  - Launches sc.exe
  PID:1616
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  - Launches sc.exe
  PID:2536
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:2916
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  PID:1664
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  - Launches sc.exe
  PID:3600
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:560
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:4936
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  - Launches sc.exe
  PID:1764
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:4224
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:2596
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:624
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  - Launches sc.exe
  PID:1328
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  PID:1108
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:4904
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4540
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2636
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:2908
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:4080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2460
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:4188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:4932
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:5004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:4924
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:2436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:2132
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:924
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:1600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:3716
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:3372
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:240
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:864
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1040
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4892
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2316
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2724
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4732
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:4388
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:4476
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2352
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2376
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:2084
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:1376
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:1924
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:4632
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:4276
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:4312
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:1464
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:3348
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:3556
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:1444
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:4364
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:1624
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:3480
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:1616
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:2536
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:4584
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:660
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1504
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:420
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:1764
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- - C:\Windows\system32\Taskmgr.exe
    "C:\Windows\system32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:224
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  PID:4244
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2024
- C:\Windows\system32\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:2828
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
  2⤵
  PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
  2⤵
  PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4056
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2120
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3600
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3892
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4936
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4224
- C:\Oneclick Tools\OOshutup10\OOSU10.exe
  "C:\Oneclick Tools\OOshutup10\OOSU10.exe" "C:\Oneclick Tools\OOshutup10\QuakedOOshutup10.cfg" /quiet
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Modifies Control Panel
  - System policy modification
  PID:3148
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4284
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:876
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2468
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2316
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:800
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:400
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1772
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5044
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4680
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3288
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4460
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4756
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:2172
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:4476
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:3760
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:1880
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:4952
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  - Launches sc.exe
  PID:1656
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:1480
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:1988
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:3984
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:1308
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:1632
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  PID:1832
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:4276
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:1464
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:4376
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  PID:4248
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:2080
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  - Launches sc.exe
  PID:1512
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:3248
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:968
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:4176
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  PID:1588
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:1624
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  - Launches sc.exe
  PID:4056
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  PID:660
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:4864
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:560
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  - Launches sc.exe
  PID:796
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:4936
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:112
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:3388
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:3428
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:5116
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:2236
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:1104
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  PID:5000
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  PID:2212
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:3964
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  PID:4944
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:236
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:1672
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:2956
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:1384
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:3676
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  - Launches sc.exe
  PID:1040
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:876
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:3172
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:3368
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  - Launches sc.exe
  PID:2316
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:2996
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:4244
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  PID:2024
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:1592
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:4508
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:5004
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:3932
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:4732
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:2828
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:1584
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  PID:4872
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2404
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  - Launches sc.exe
  PID:2656
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:4624
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:1880
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:576
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:2376
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  - Launches sc.exe
  PID:2368
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:2156
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:3940
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:4856
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  - Launches sc.exe
  PID:1924
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:1852
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:2152
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:2280
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:3904
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:3948
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:2916
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:968
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:4364
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:1616
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:5064
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:3476
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:4056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:660
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:3460
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:2204
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:4308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:5020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:1640
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:4904
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:5116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:2236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:4396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:3588
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:2636
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:4944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:3148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:1620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:4776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:1384
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:4892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:3864
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:720
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:3592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:2316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:4244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:2564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:5044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:4212
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:3724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:4448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:4404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:4732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:2828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:2172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:3000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:3760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:3636
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:2784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:2084
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:1244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:1480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:2260
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:2168
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:4852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:3844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:3348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:1308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:1632
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:1832
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:4276
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:2388
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:1376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:4724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:2104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:1008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:3208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:2224
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:1444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:2520
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:1624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:1664
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:2120
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:3600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:3892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:4424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:112
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:3388
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:3164
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:5040
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:4232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:3728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:2196
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:3964
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:5024
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:2272
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:4804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:3180
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:4916
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3676
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:1040
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:2468
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:3864
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  - Launches sc.exe
  PID:720
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:700
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:1012
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:1592
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:4508
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:5044
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  PID:3932
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  PID:2896
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:4732
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2172
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3000
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:3760
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3636
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2084
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1244
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1480
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:2260
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:2168
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:4852
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:3844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:3348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:1308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:1632
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:1832
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:1464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:1568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:2280
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:1724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:2104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:1008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:3208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:2224
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1444
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  PID:4584
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:4864
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2120
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:3600
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:3892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:4424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:420
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:112
- C:\Windows\system32\sc.exe
  sc config BTAGService start= disabled
  2⤵
  PID:4824
- C:\Windows\system32\sc.exe
  sc config bthserv start= disabled
  2⤵
  PID:1104
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2596
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:3108
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:3468
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:4148
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:232
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:3148
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:4916
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:3464
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:4892
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:2468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:3864
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:2996
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:2316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:4244
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4080
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2984
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2972
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1768
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2920
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4728
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3716
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  - Launches sc.exe
  PID:3144
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:4756
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:1584
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:3656
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:2404
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:3760
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:4388
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:1656
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  - Launches sc.exe
  PID:2376
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:2368
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:1988
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:4880
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  - Launches sc.exe
  PID:4852
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:3556
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:4856
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  PID:1924
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:3968
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:2152
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:1832
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  - Launches sc.exe
  PID:2076
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:1884
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  - Launches sc.exe
  PID:2536
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:1512
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  PID:968
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:3176
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:4672
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:3260
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  - Launches sc.exe
  PID:1056
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:4052
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:2572
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:1444
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  - Launches sc.exe
  PID:1664
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:3052
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:2800
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:4620
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:3460
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:796
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:4316
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:3036
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:1948
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  - Launches sc.exe
  PID:112
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:3428
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  PID:2236
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:4396
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=disabled
  2⤵
  PID:2196
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2068
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:2956
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:4804
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:4428
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  - Launches sc.exe
  PID:2328
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:1384
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  - Launches sc.exe
  PID:4644
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  PID:876
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:4140
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2468
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  PID:3864
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  PID:3592
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  PID:2024
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  PID:2292
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  PID:3028
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:4932
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:2976
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:2440
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2972
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:1768
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:4212
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:3432
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  - Launches sc.exe
  PID:4688
- C:\Windows\system32\sc.exe
  sc config "Intel(R) Platform License Manager Service" start=disabled
  2⤵
  PID:3716
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:4460
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:4476
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:2828
- C:\Windows\system32\sc.exe
  sc config esifsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2172
- C:\Windows\system32\sc.exe
  sc config LMS start=disabled
  2⤵
  PID:1660
- C:\Windows\system32\sc.exe
  sc config ibtsiva start=disabled
  2⤵
  - Launches sc.exe
  PID:2632
- C:\Windows\system32\sc.exe
  sc config IntelAudioService start=disabled
  2⤵
  PID:4624
- C:\Windows\system32\sc.exe
  sc config "Intel(R) Capability Licensing Service TCP IP Interface" start=disabled
  2⤵
  PID:1880
- C:\Windows\system32\sc.exe
  sc config cphs start=disabled
  2⤵
  PID:4388
- C:\Windows\system32\sc.exe
  sc config DSAService start=disabled
  2⤵
  PID:1656
- C:\Windows\system32\sc.exe
  sc config DSAUpdateService start=disabled
  2⤵
  PID:4616
- C:\Windows\system32\sc.exe
  sc config igfxCUIService2.0.0.0 start=disabled
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc config RstMwService start=disabled
  2⤵
  PID:2260
- C:\Windows\system32\sc.exe
  sc config "Intel(R) SUR QC SAM" start=disabled
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config SystemUsageReportSvc_QUEENCREEK start=disabled
  2⤵
  PID:572
- C:\Windows\system32\sc.exe
  sc config iaStorAfsService start=disabled
  2⤵
  PID:4852
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:3560
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Sound\Sound.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Windows\system32\sc.exe
  sc config HPAppHelperCap start=disabled
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config HPDiagsCap start=disabled
  2⤵
  PID:2280
- C:\Windows\system32\sc.exe
  sc config HpTouchpointAnalyticsService start=disabled
  2⤵
  - Launches sc.exe
  PID:4724
- C:\Windows\system32\sc.exe
  sc config HPNetworkCap start=disabled
  2⤵
  PID:2884
- C:\Windows\system32\sc.exe
  sc config HPOmenCap start=disabled
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc config HPSysInfoCap start=disabled
  2⤵
  PID:2780
- C:\Windows\system32\taskkill.exe
  taskkill /f /im spd.exe
  2⤵
  - Kills process with taskkill
  PID:3360
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyTuneEngineService.exe
  2⤵
  - Kills process with taskkill
  PID:3176
- C:\Windows\system32\taskkill.exe
  taskkill /f /im GraphicsCardEngine.exe
  2⤵
  - Kills process with taskkill
  PID:3260
- C:\Windows\system32\net.exe
  net stop "cFosSpeedS"
  2⤵
  PID:1056
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "cFosSpeedS"
    3⤵
    PID:3820
- C:\Windows\system32\net.exe
  net stop "GigabyteUpdateService"
  2⤵
  PID:5032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "GigabyteUpdateService"
    3⤵
    PID:4584
- C:\Windows\system32\sc.exe
  sc config cFosSpeedS start=disabled
  2⤵
  PID:4056
- C:\Windows\system32\sc.exe
  sc config GigabyteUpdateService start=disabled
  2⤵
  PID:1664
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CCleaner64.exe
  2⤵
  - Kills process with taskkill
  PID:3052
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CCleanerPerformanceOptimizerService.exe
  2⤵
  - Kills process with taskkill
  PID:5028
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CCleanerBrowser.exe
  2⤵
  - Kills process with taskkill
  PID:4224
- C:\Windows\system32\net.exe
  net stop "ccleaner"
  2⤵
  PID:1108
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ccleaner"
    3⤵
    PID:4204
- C:\Windows\system32\net.exe
  net stop "ccleanerm"
  2⤵
  PID:3712
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ccleanerm"
    3⤵
    PID:3164
- C:\Windows\system32\net.exe
  net stop "CCleanerPerformanceOptimizerService"
  2⤵
  PID:4824
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "CCleanerPerformanceOptimizerService"
    3⤵
    PID:1104
- C:\Windows\system32\sc.exe
  sc config ccleaner start=disabled
  2⤵
  PID:3780
- C:\Windows\system32\sc.exe
  sc config ccleanerm start=disabled
  2⤵
  PID:3108
- C:\Windows\system32\sc.exe
  sc config CCleanerPerformanceOptimizerService start=disabled
  2⤵
  PID:236
- C:\Windows\system32\sc.exe
  sc config logi_lamparray_service start=disabled
  2⤵
  PID:3588
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1676
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:3148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:1620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:4984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:3464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:1868
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:876
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:3912
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:400
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:2024
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:2292
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:4080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:2980
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:5004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:5044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:1768
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:4212
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:1796
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:3144
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:1016
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:4732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:1584
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:2172
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:1660
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:2632
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:2784
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:2084
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:816
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:4920
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:2368
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:2168
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:4312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:572
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4724
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1512
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1992
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1008
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  PID:792
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:3220
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:2572
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1056
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "OneDrive.exe"
  2⤵
  - Kills process with taskkill
  PID:5064
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "explorer.exe"
  2⤵
  - Kills process with taskkill
  PID:4584
- C:\Windows\system32\reg.exe
  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:796
- C:\Windows\system32\reg.exe
  reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
  2⤵
  PID:872
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
  2⤵
  PID:2424
- C:\Windows\system32\reg.exe
  reg unload "hku\Default"
  2⤵
  PID:112
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "OneDrive*" /f
  2⤵
  PID:1640
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4232
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2596
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1316
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3724
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3716
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4524
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:480
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WidgetService.exe
  2⤵
  - Kills process with taskkill
  PID:4404
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Widgets.exe
  2⤵
  - Kills process with taskkill
  PID:4564
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:3816
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4908
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\smartscreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4448
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1772
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3932
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4048
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3656
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:244
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4472
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4260
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host '(Not recommended) Can only get search back by system restoring.' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4116
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3976
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3716
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4208
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4556
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3820
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2024
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\taskhostw.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4600
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\taskhostw.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4564
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1852
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Needed if you''d like to Search things!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4508
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/Open-Shell/Open-Shell-Menu/releases/download/v4.4.191/OpenShellSetup_4_4_191.exe" -o "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"
  2⤵
  - Downloads MZ/PE file
  PID:3440
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Oneclick/raw/refs/heads/main/Downloads/OpenShellTheme.xml" -o "C:\Oneclick Tools\Open Shell\OpenShellTheme.xml"
  2⤵
  PID:3428
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3344
- C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe
  "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3376
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:3544
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Do not skip if you want to Search things' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
  2⤵
  PID:1616
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic startup get caption /format:list
    3⤵
    PID:4600
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "OneDriveSetup"
  2⤵
  PID:1936
- C:\Windows\system32\reg.exe
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "OneDriveSetup"
  2⤵
  PID:3836
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "OneDriveSetup"
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "OneDriveSetup"
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "8vks-4"
  2⤵
  PID:480
- C:\Windows\system32\reg.exe
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "8vks-4"
  2⤵
  PID:4224
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Open-Shell Start Menu"
  2⤵
  PID:3440
- C:\Windows\system32\reg.exe
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Open-Shell Start Menu"
  2⤵
  PID:3672
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Local\Roblox\Versions\RobloxPlayerBeta.exe" 2>nul
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Local\Discord\Discord.exe" 2>nul
  2⤵
  PID:1140
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Program Files\VideoLAN\VLC\vlc.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlc.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3580
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Program Files\Google\Chrome\Application\chrome.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:4948
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3728
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Program Files\Open-Shell\StartMenu.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:1948
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartMenu.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2424
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Windows\System32\dwm.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:4548
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4648
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Windows\explorer.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:5036
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:128
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:868
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:700
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5068
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2204
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:8
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fontdrvhost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3880
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4760
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3644
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2960
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3700
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:724
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3640
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sihost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1264
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3540

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:2908

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3036
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
  2⤵
  PID:3788
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2280
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:4836
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3868
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
  2⤵
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Modifies registry class
  PID:2340
- C:\Program Files\Open-Shell\StartMenu.exe
  "C:\Program Files\Open-Shell\StartMenu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4104

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59ddf3.rbs

Filesize
20KB

MD5
cacaa462b9320dcfe31d7ffe9cf9c379

SHA1
d6b35fd62328ed1b4f4dc48ec628f9321ff50c57

SHA256
e0513156c1c1d5611c998f54729d21e59910cf4dbbe07a351d93018074f5377d

SHA512
9e89c9f08830cb9eb616c61ff27813f8abb7b3854b9bf6a81a06a8e1a6e521ef7371b7b9a1193f787862216de615aae0eb1f62cd5f3f38eaf2d72d9269101c78

Download Submit
C:\Oneclick Tools.zip

Filesize
1.7MB

MD5
517b76cba1c1b12ec146a60a2745b28e

SHA1
0a867eac3a9fe1cba33542fd1184fc08ac8ca609

SHA256
c0f0d33d18d79c58d0956a5057ec26407d50bebb8960514ceb88d7fb7fb2502b

SHA512
be3215579c6330225640bbae1fa1569f836ba04aad9f4e85b7449de01b076940a9a45abd14b2783a143b51d393f52784894a7fae4a9d527431f804e15635bcb6

Download Submit
C:\Oneclick Tools\NSudo\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Oneclick Tools\OOshutup10\OOSU10.exe

Filesize
1.9MB

MD5
4803e06db91fdb8b6d1b65c0010d2f87

SHA1
f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c

SHA256
beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b

SHA512
f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Download Submit
C:\Oneclick Tools\OOshutup10\QuakedOOshutup10.cfg

Filesize
2KB

MD5
109f47ced5da3f92362c49069fc4624e

SHA1
79b611073aa0006f1bb4058a6ecb6f3cc97391d6

SHA256
2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b

SHA512
55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Download Submit
C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe

Filesize
7.9MB

MD5
e0484fd1e79a0227a5923cdc95b511ba

SHA1
bea0cb5c42adbde14e8cf50b64982e1877c7855d

SHA256
9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c

SHA512
80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer32.dll

Filesize
863KB

MD5
a805193aed76942c667a798f9dd721fc

SHA1
3d2f702b16cb22d5918f6d51585a871fb3b3f900

SHA256
97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89

SHA512
0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

Download Submit
C:\Program Files\Open-Shell\ClassicExplorer64.dll

Filesize
964KB

MD5
950ff69adc1b8eec1bd8d502615b0ba6

SHA1
edb3916b7ada6aa0e765c6f70c39e182b8d45dfd

SHA256
9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e

SHA512
f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

Download Submit
C:\Program Files\Open-Shell\ClassicExplorerSettings.exe

Filesize
179KB

MD5
c3c68d52fc3318e324021dab87e60779

SHA1
6855eabb6c38ff953c8c678473c6dd4ab9315f30

SHA256
fed5e80a82f9a4a687fccdc0c610902e4b5b75faf5a9588a22918711f103689a

SHA512
e506e39e036263db610f8fa33f35f9d708d4d52c16f801e58348ea8cc095ee8a0056f80b9d9c0bf8fde3ff76e61c2933504727e9dce1fafda91fde71c196635d

Download Submit
C:\Program Files\Open-Shell\ExplorerL10N.ini

Filesize
98KB

MD5
6ed13b9c1719b252e735ba7e33280e67

SHA1
f3753deab4d99dbee4821a8a70fe6e978e1a45f6

SHA256
b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab

SHA512
f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk

Filesize
1KB

MD5
5c4221b0b6f262d5edcf92ce39c8689f

SHA1
9891924ee77785527d2f06bee7b919246c822816

SHA256
60794ec8d59deb3ff29fa1c59d67c2d765ed188b9a3871d28bf1edc3010a0d67

SHA512
8b66f9d54c83f2781fd4157d823111dc208488fbbea647eb92e3eeb0da5c4e09327c17aecdd732814ced4d875dd8f1b10a4a10fd63021d0ce293097a776ce127

Download Submit
C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe59e0f0.TMP

Filesize
1KB

MD5
947560ab74e5d3774fb699a051d2a86b

SHA1
4504844d6d8efd954e392bde33a418f0103f1d3c

SHA256
4d2b4d0eb7d61f133557486f758fb42349424232793fd196a78912d0d4127287

SHA512
e81103defb60d6b402538e189660de9e48341d3bc5380d232a34adaceab743d452d56dcbdca5ff2490d3cff9f49738dae6dadfb40a29d1bbedff44629c1cda11

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
1KB

MD5
fca3dd9231ab467ce0fe76121b770fa3

SHA1
96c8fc5150c766323a9f45d86457e990090f743c

SHA256
1ac65db0b453dd2b4dbfd2e528469521d66df977117765f5235b6cef4dcba5e2

SHA512
181563c987b19030c21550fda79862e37ae99ee7f9b7a57e4173c7d440e81ce64ae0bc3eedbd73fe1a4d1ec68f33617dc4b2254e22ad9bc259ae5bf324e1eae5

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
24ff8acff337ce3e851ae360e1d256ea

SHA1
3d7c4c7efd47f34c44631ce3e544fd035009ca9c

SHA256
355e630ceb76af65139bf756beaeafa3d09ac786cfc307c0f194b56ba3558da4

SHA512
97910924bc08fb2c70c9ac856cbdc78a964bc31c36af7f3cbb70727f8117e1fea117b1f863b6d4ad3777238c09383298c189ed160eb5118ca058f1c54879cf80

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk

Filesize
2KB

MD5
591c52d2070492e5f14a4c6b57576009

SHA1
647a1a9c4ad2a6e3ed7b280a2909c1e21d6d5c4b

SHA256
64ec6686ec2bac48b6323b8ac8d3275ab900456ae7cbb64daf6593207216bf4d

SHA512
50ce86df88c5b556a43f01ca71480475c0a2fbfc7694409857e81d481e3f38b2bd145bce2e1d387be5fb2f2bf48b99d540cca855238d8b08a6eb79584e3c88ef

Download Submit
C:\Program Files\Open-Shell\Start Screen.lnk~RFe59e100.TMP

Filesize
1KB

MD5
e2aa25949da701c1f18b4601713ed508

SHA1
02ef6163c1aa0f5e925ce468f6a25ab92b541fae

SHA256
50892fd1e1ffd6663b6a9690d2f8d29479a751b9b320afea83da4cdf5fcc029a

SHA512
ad447c9376e2f4013d236162ae92adf9683a837c64cc9e7761ffeec675f467b6a040962ab58e25513555aa39861ed4e946b5b425f5cb06d1009e7140be7ad4f3

Download Submit
C:\Program Files\Open-Shell\StartMenu.exe

Filesize
259KB

MD5
9aca92d31344210995d18ac75f7df752

SHA1
fec9f414f3c399f8384ad6a32d0b60adde85d8d9

SHA256
df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf

SHA512
ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

Download Submit
C:\Program Files\Open-Shell\StartMenuDLL.dll

Filesize
2.7MB

MD5
e29ab21b4d9266502677b9837ad23346

SHA1
939e7bb40623f04dd3d75f4685a543437512771a

SHA256
808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185

SHA512
7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

Download Submit
C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

Filesize
11KB

MD5
29221f620ea6b5893add15dd6c307684

SHA1
97c31bb9585a0896e1fcea8efa3f05ff16823da2

SHA256
53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84

SHA512
b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

Download Submit
C:\Program Files\Open-Shell\StartMenuL10N.ini

Filesize
286KB

MD5
673bb428b6d3fab8cba07890cad09d0e

SHA1
45039820289bdb485bb761e9b267f6de9e18a26c

SHA256
ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33

SHA512
2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

Download Submit
C:\Program Files\Open-Shell\Update.exe

Filesize
500KB

MD5
6165bb2e4d2215f5ec4d074b6c06b72b

SHA1
03e13ac321eadfae93a9e72f80f30bbba811b5d8

SHA256
078ab5206082b7b498e3a921913cc54e8022c79c314d37baee5290f1b451e202

SHA512
60ad9ba86160d92f46e2b6b04a65484a55c61eadf5d02b084ac5a3fe2fd8f8f2f867baeeb854b3cd3403bea83ce29e17b02057696122caff0b021f2b0f144997

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk

Filesize
1KB

MD5
e927de0ce774261e16f09af98326b622

SHA1
840568470bc9c72f705b4d93bd8f368f57b4a8ea

SHA256
082680caa16c6bb544fa8054b5008bd2a49148b9a25d301adc7cb7281e8cf492

SHA512
d5bb28f286063ce7a117e51d8762171202a06c34ace845c2d9a41335a9c59b346038b7379af0e29fcb5385e644f4be69e9313e20aa6a8adabdb9903c283292ef

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe59e0d1.TMP

Filesize
1KB

MD5
6d6a2de32f3b4d595fee5d4746e24765

SHA1
133dd058ad66b4b59c1987f1b4a1870fe19d4323

SHA256
19a63254c663bb77da0063e243df55fb86157fc78594abe92b372e9c93c2f216

SHA512
80e219c4a53d3da5d0de6848b9c3014666da900f2ed2ed2c1a706af97d3e6b5ed44d5701e4a14913fa729f716d229ec0dd9ef825b81b06b9df56aa3168df119c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Help.lnk

Filesize
1KB

MD5
f51cc2e77c33b54580fb920622bacf9e

SHA1
1590de73b67062e4d1cd088dca164d0f29756007

SHA256
a289c6369d9409076bb88adbd0abcca72e9e17e05da4519333e46f5a2c35708c

SHA512
4b6fa171c44bb177461c3498701cdb70c04bdda0c4bb0e3e593b69fdacf628cb652745dbb2b5d37b97d2824e465b59f640e679eaf05866b741f689e41cb4cbf6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

Filesize
1KB

MD5
941a06c724f087b4e4ae071864d9da82

SHA1
6bc8ca0e0339af95267293ca6e882e8206ec6d3c

SHA256
1316a11fa612cc6beb893394926d8efe99accf454e492e9d98e5851a6f495832

SHA512
6856d5492e3dbdcc72ec4ec1ae5ac3189889f95ee9cfbcb0717c624105b8d821313ffd1f8ca79fdb75a7fa1ff620e1779f38abeaaef823af8586a50cfa2c2ffd

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe59e0e0.TMP

Filesize
1KB

MD5
6deca72f14da3282fe80ed214035d2e9

SHA1
c333b166a728852482bac112bc99a6c8c8133f88

SHA256
254183f30c3efdf5402646a04b1fe4fa2e1c6541fa46380d4493bbdfa42007fa

SHA512
8f2c11ab4bfb7581e7e842f2962fdf2e9692ba6a269dfb6c5f3b8e06e6e173e73b6cf90d5323cb4aa5c775a2abd4653214bc3e8732796d0a3741331ef1ecc951

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Readme.lnk

Filesize
1KB

MD5
7e2ad921d9016289a96a53b75c0b5507

SHA1
8aac4653156f08c84d372410cba345a1dbf6ff6b

SHA256
a18e7a8f02d411c6b013a10a8db044281b13d960815e98327d657f9d8bb1a932

SHA512
65a9f27567133ab9e877459bb419276d1e9a13097e299fa47eee3041a9daa73969e2928d4d9e5e5514ebfd0f427e87b56dcd2da5ff587d7fb2977b1e098ab8a3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
f7d0ed8f625a1879c724ec3196609872

SHA1
433045e15d1a10eefd5a417ce77d98b423e93200

SHA256
07dd68802a25450a863f6c7c46f9985574eaaa6a30c55a77bfaf89f0bba3e63b

SHA512
075c4bed93789612cf12cda27b44593926394bfbfec5b45aa25e2a8968aae1ee183ff55d932f8b047bdd258bcc2f638301daba10a46f166139bfe05c9e6800ae

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

Filesize
1KB

MD5
4e5f5108f58a8e903302fe3d4a4afbf2

SHA1
c063fe76ee0192d4668d30e75183ec23bdf97f56

SHA256
b17639ec999c306bcc4dad17f75c869abd856bd74322d96965e505cf46ed9e75

SHA512
3797d7957b591d8f6e2aefb756248a5453c8e13aae55320eb188913dacac436c73413a3853466d8f0332bfccb55d46fe006e1f0e6b9a73832bf2aaa2423ceda6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe59e092.TMP

Filesize
1KB

MD5
1d6331053d1cdd01b127a807ec41fbdc

SHA1
98b03568426c7be91b62bc3443448b4190e91567

SHA256
170037d58ff077893589f143ef3fa6b5d6698d07675ecf5b83dbdc73043d8ead

SHA512
db499ceda7faf511bce200004b5af25cebac4ca1880456698f5b287ee21ffdf3b2cda508636f2572304125716de5c6b610879a6f4ea7383e461a77d2d16eb74a

Download Submit
C:\ProgramData\OpenShellSetup64_4_4_191.msi

Filesize
5.3MB

MD5
cc25bc2f1b5dec7e9e7ab3289ed92cc7

SHA1
449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2

SHA256
25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313

SHA512
e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d0a3aced4b267e373c90b61888b5c4e0

SHA1
31cc397554a0f13bf4f8229f69d631e7567c0512

SHA256
0a5933c24625dc4ebed39d480380eb8e44a0ec81f39d7fed760f2096ca4f61e1

SHA512
d5c9c62572cc9abdf04fb078595610bd26b7ef8f94e9d31489f1e33f5f5240a172a04826f609e40d5939aec50f1da174767a8e2a50a2fafa83ae46668481b04b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
158a72355ea99a8bc04d0b6a380cc97c

SHA1
750fff9e378ca754a4534371e54624f7e90b796f

SHA256
c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c

SHA512
0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
238f0a5701700be966cc85a76ecbfc19

SHA1
c69446816c9c6c0657e8705ca08459440b6e1d53

SHA256
cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b

SHA512
791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf21418563eb780832481f30823f8f6a

SHA1
908f9dc92c77f8d84b93be2af27c7e42ce07bac9

SHA256
edd6aecd33d05270876077950a8fe151b5fcfa125652e146fe0ab40e280d14fb

SHA512
f93c082135dafd1bd8cd18418043edae2237adbaf4217567e40129142fb6df8bb67267d44ac329c40eae8362b8e00919e846f8d37bb99349bf13a177d04eb99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70c91e55fe182a7b11ff383b0dbdd172

SHA1
b3e7063b1d6dbcd05bab520d8c54c6ee88be78b6

SHA256
20a2bab78c6744ab81aedd1c713053fe52d50755d347c8a667dc85f93c686a6f

SHA512
0f373234d24bebf1ce1d2b4ed10fb2e341aaaaac9a98000a11b5b8c9a0df969ff9af6059c14e9f41ccb8441dfb6e9933150b82a72e8c24bf2a028bd30d22038e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93c75f221969a8d844beee70fb78d313

SHA1
6f4cf36d84d6046fb3a4ae145f247720b2798f37

SHA256
8df726ab101633eee0ab1fbcbd31120e799875c6854ad07d5f5f20412f6c936d

SHA512
e25104da22c40d7416413cfd3bf3ed9b8d23ff3d35fd8a40ddf67f24dce4076025ccccb92c12a539c768030d5f948ccc0756703b7a9acc5e28bc530b0ea10bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6bfc02ee40e30ee8b3668a1a8cd74542

SHA1
d05325b60c6e4c1bd331e89319efe02f2271b268

SHA256
3798b25b810408a6e503f3bfc54da533f57bffd83250d3b24b2730e34f66348f

SHA512
6c871a3e8017f37a65b002f88318b787d0d24d1cfb107bc66b22032857a960b6805975436b00bfcdf7874d74c8a774eb1376aaa895e38778af1f12a162cabc0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12ff85d31d9e76455b77e6658cb06bf0

SHA1
45788e71d4a7fe9fd70b2c0e9494174b01f385eb

SHA256
1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056

SHA512
fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d7a7bbe26f2b784baebdfff40cc94ecb

SHA1
c9e48521872adaad9db69c04f6f56a73beda5ed9

SHA256
5550b75714f45cc040a38d7e125fae661a6e60559cd20b703f460802afb6937b

SHA512
e4795ec6c844cd6b5147b81b7707d798068fb6e9814ba86c27a16dd35f54c203503e265ac79588b96aabe357cd42f1e4f5aeda2641039e09bd7018888b8bf8c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b0b6a6e8b83603c1d25dec35fe7e17c

SHA1
0e55d91c83ab18badd765671d900295222f27c52

SHA256
b048356ee41f264c874f17b7e7a51c773e7fc81831cb63851e34c324db44a337

SHA512
e2696d4e691668d2b7b5cc9ed3abefe1877014d9f3439e9e2596db2ac0969beb44ef303dd4957df48329f00fc558c285b4bfe99221d36906db2b0fd181f9f8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e47fb5a65908840c41d5279286b05a8

SHA1
57074acc4bd1fde2da7fb5348df1b22d5204c738

SHA256
5b0ac430b9f85133ad37dc8204f73a27a0814b05746834b03cc9ae724d56bc60

SHA512
c9a520df4dc20ce6a2b8ee6d60254efd567550df647911b5e0b0b7324ce08ef1e8d50736cf6bfc16f231bf8b4c473caf886c9663199aab9f251e5f666b9a8dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
501e42c2869a2f2b062120d72eef2a9a

SHA1
683f699e01378cac6ffa865c1d0c5e01dafdacad

SHA256
4b5644b0d1c80c9d851eef19baa45ec51ef95ac51c5694c440029a589a0ef712

SHA512
1cfe6e7fe265a80f2322a78fab2be9588ec2ce99029246c54c5ab03293a26f413d11b156ef9c87eab4e81737f541f7282abea8b18c09f3bab33c078f2cad15b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b890f4e526a60c26f9f5023795687f

SHA1
9c8507990eb042d85a14541bbc78dbabe238add8

SHA256
0bbe3a2b3f73c865a2801d6fdc40ab27df9cbf7fe5373b57128a001394c8efde

SHA512
c1881f8fd8ee8984198a59c5ae0a66e97f094ec1b30a752587087e9a44c32bf69af2df81305208aa79ed38a0dbd7475b9ee5c9210e23ffbe0c22246f8f5b5102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca5753ce43ee421b2d8caabb53cffed8

SHA1
d4b1bb65623667e896b9871510575363148a8705

SHA256
1042d19791144ebba4e6c34555ae8530ff9c79623f39a7c17f76af4f44efac92

SHA512
6e43174ef816fca94f5f0bf864dc7f170544c40e1b6f9b746af9487059fae35eb26b02f8a96036dbdff85c6ce36d3c97015da6ede710e338093b7dc180c7ad43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b28d02cafa263358ee77c8f507a3add5

SHA1
f682ff967f7bb9a7d10557be77d804ced2e77988

SHA256
19b299a5eb63026c642db09caf2d268997309a5bcfbfd952a202a0aca7411775

SHA512
32daca621e92c74e358edeb20a6753df326814325107020ecfd6d6d2e97a72ef2d38fcb0b3df56335b554f81dc89d8db5c9e7bb7b8d96d03c40115ffe4964718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8641e32b7763f0c9071e6ef8004eb3b8

SHA1
52de7b8a3aa9c3e66e95616f9e8272c129a258e3

SHA256
e09bcce71c9a2145beafa87b3038a35e10871f81f6766d3136500861c5ad7546

SHA512
8f33e762f511431d7a96a712cc7aeeb1b43cafb3d68b708fd45d577e166e147c5b57326e39c4b559f5f78fb4af93201135dfe08f5208c7ac57b4afa7a711d2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
972e511d1698fa725226e9fc29bcea11

SHA1
951dec4d33016e57ffe99b91e2c2ed064453902d

SHA256
b71968ced4770497661f7ed0e84ad06575c6e27d4a7b70bbc59ceeb4fb43e324

SHA512
8584b13a28d87fecb2208d05fea9be914896dcf4a7bca94b02e2f6ad4242e90f0927eb6574ae5fb76df7f6861c76c390ea5086a9a1e7869ecced2afeac7ffee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f39ca5ecd13d5d8be3716920586ece8b

SHA1
c48fe5cf59928b5ca9e66133093a03cb2567f8b9

SHA256
697f0095326fd9ebd5d443e3bd0b33d70089d4baf4f9072ee83de2f1ec8f836a

SHA512
6274de43d4d884eda17d54ab1077aaf41b8e9546802a8cee95efdfb16d0a3058fb62e514cc80eef0081265092f90de3a5361ee1712ee4a44d14a979c689ff8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edf2381ae9b0aff17872a592d40bbc37

SHA1
59412c721420ffda225cbe956f72c5d55c2b2c02

SHA256
15e015c467a9d74584e0d4ac90be2ac82886346e64d1cb577d8b2aed1e0e0806

SHA512
4fadd295c2a63b57a0eed487dffe6760d8a24c76630cb8c5dd0cdc54cda8b433c4e05470cb20c61c1813ef56a7d89b85607ebf575beb0230fae5d93f6d8d35e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
78a5453269f39b7450fb0007591c0235

SHA1
6b6ff7811180861ac31eaaf97c46ea6a0e5fdb51

SHA256
cc07bd8b1ff3773e32bd3830c2447a7573007241fe230d9046f7d23539f8f9da

SHA512
4310a960021785d68d951ec7c37decdd078de96a57a8afdf6dd5c75f535b2bad8bdc08b6f5788bfa2bc0ec1f57f9d336e92cf49a518f661beacfa0f349735d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c5815e3270a269cd05a94fc2e7625cf2

SHA1
5fcc787ccc1f55932fd2b53d0c2ee243455e9ef7

SHA256
02ced2a77efc98a64c227eef09f9c3ab230d317a47ec27389f0c772bd5d39d78

SHA512
734e11e0dadecd6262c3e64d340f72b436bc02d8c7e565d4d8c629d3c91e1de0c29f7fbc23aec3b2ec8c475496502e7da871841a893951daa6c069eb82877abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e074bfafe1291ae2d0cb4a7efe328fd

SHA1
951456d9f369b4ffb9984e4b55caafda0234fd45

SHA256
f9eb79b7bbc4db4ba1fcc159f43625c13aa07a6366d1db750b77755793aa059b

SHA512
48067514909f4b49717a02eb51ac71f1182364a944a456c7a3ab3bc83687046a4ee73165e5cee30cd1b4c1ed0560ad43f6d4e2da63ab332456a766dfc1e8708a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d74cc8194b0d2c2f5b034845ee5de78

SHA1
89a26cc0d08ae183501df63077bf019f726407d6

SHA256
bc24a1c08d05c420afe740f1dba007d3957788254a429326e376295f8255d5c1

SHA512
cccc39ed6ad56903076d9181fe2d6a70ca71fb865068bc79503b4dafc85adccf56fd042383481145b18deec493e52c62723adcc34dc7faf8b173402df63b084d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3a924916719c590c164e2306f5b3ad4

SHA1
6b99d5b4cadd988deb3f825c38d3b2ca62beed11

SHA256
a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1

SHA512
29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df33adf7320d9fe9053f984d34b2d5d8

SHA1
d9de6d5d8fbd33f53a5df208ba29a87a3c5f9941

SHA256
55ab4d5b0653cd14d3f0fee4bf27e8c3e3bc3193cfee8643a36b841d2d9ff371

SHA512
592af8b4cd4dbd0778ac49a200a3da1d5016813b2212dc9f670109c09220c2545ca8240f8d7b28c8bf9b310d5261ccb5a2f152ec56798253714491fe0bc8e4f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
27KB

MD5
f6bbfb9c1421c0b9b0862230ec5b1c6c

SHA1
b3fa112917ce86fcdc4aef6b8addf9348927acf5

SHA256
1434b140acf7c6e317d36c427e64099b07f1fd0c92940db43bc7ee031f05b2e4

SHA512
282c6d2412fb790dc461a17845b51a8d173f327cf02a23561307a2dd6009da694fad92467bc57c80d96e612c09b4acc3623ecea6a5db91ef7cbe39807b5d6fda

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
24KB

MD5
453c4c4c28cb4518b79b9242a49e12b0

SHA1
481c2abc276ab3192429f933e700acc1c8d07f50

SHA256
e33d6efb268e934387ec751386b845b5bab26b033256587932b410d3ec0fdca2

SHA512
5028344088482b1299a2e1801a6d75a163ededbb924c0a85c69dcd5260bd0b152649d934fe9e24f07910038b79e4afa1686b9dbe3d41555d7238298cb21087c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
32KB

MD5
0efb4ba823aed5f421f87ebc063063a5

SHA1
2d1f8205225d80706f1aa4f7a6247600282e2a22

SHA256
508a4e371b7b583dd7f1bf25cb2093768b86cfb83f94ecfc2a23ac16978ff13b

SHA512
cfae49ec6ec35e75fdaad60db6aba140a286bc71f585767563e04ee590ba30efddb464310ac613baff29c07d3811b5da7e4a68a874d2795325ad9306df5b961e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
29KB

MD5
1dc91cf34ccdc67c2179a2b20d115547

SHA1
9a900bbc3314976f7245bb611ec4a46e6a8a79ed

SHA256
d35ca8d975d455b456f6870599f89967f271d7e16ca9d40a50a50a403521443b

SHA512
31d98a7d3b25d1b1c258f2cc55541a18f66e6d4cbbfde6e0328f2f0ded4095c5976acb3cc0e7d171c0bb6056be814d19f98f85aae0325396090bdada5c6a6bfe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
28KB

MD5
2bf4252d883c3840d9e518bdeb63e31c

SHA1
ff87a1dcb6dd09d2dc14da32a8accd714352bff1

SHA256
7d0270c61a0cd6d19e24c4ee41f13da8a9e9026b99e762530b6d5ad1f4194d4f

SHA512
3885ee679a4566ad34b4405f79954c7f75a06b5e3b91d5ce6a1c1f5e6a0065bdcbfccefd6970473c4fe798c372798bb67dba56e1214631288fc26c1652f014b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
27KB

MD5
29926c3685d630daae61dd37a27a635b

SHA1
358e1f5cb426592a901535203e3a43d09c49755d

SHA256
89f4c90a65fea57975a8addfb951f1f9d49b3700733a45a6280b4dea04fb783b

SHA512
f894d2ba3c301a03c19c0c7a2dae852ec2c756f3fb9ab3efa7028c01074776e2f02e3f606639a37f8efab5386ec372bd8f2cb470656527011291e1d98a76c081

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
26KB

MD5
dfd9dc75fe7c7a3f9e8f95684a15acf4

SHA1
9af636d30de6e98ec1f5ef29fc213e03db076132

SHA256
52eec9b45ba26c3b7b828230e92aa9a368b1d34cda353231662fc5e0327f6c47

SHA512
2c898e7a385670dcaada47fa1aca056f35e91429a31c19a5befc0644cd14b5ff88cdc589db0d2b736672a2723a08f358cf3ae748abda1971a00b59c62a75178f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
25KB

MD5
0f73e1bf6ae468d2235763727f4b028f

SHA1
779d6ca48803abe691a8c3a5741c47567a09e755

SHA256
1eac439db3d9f600910839ac9c86d08850effdc1cba7ace338cd60cdca8243df

SHA512
60176eb30bbfe27d484c3400b23184374b90534a3e8d5e95d393aa97015c2ad871d3971db1c1568ba1dc0681f50da8c4a82d46010c7e8011b9c68e2ffbf51e16

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Filesize
24KB

MD5
bb8c514d20da4099801776f4fea799a1

SHA1
b79d808597d00ff330764ef81a352fd0568a09c7

SHA256
293e3d312788e235040fb364305aed6e68b650d8d2999dad5655af883e35de67

SHA512
1498622ee943ba2033e33ca5e1871c10d78e5d7a4b60f88ae875cdb534c6fff8514fda6a0ad4800b1c0902059a68a5af5717a4f4a8c59c336bfbc0cbd4700d99

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\16XHZ3IB\microsoftwindows.client[1].xml

Filesize
1KB

MD5
1b023af1db9325902cddac882b708bdd

SHA1
59748112172d729fb5f92fe350ae976015ee47b2

SHA256
fbc888e7186a885704acf0467f75926f6741b51d2b1bd11399a328c983614b00

SHA512
0ef50aa19e47d9a80a6abddcf56947dbd3cba9f6e6d626f06d69f3fdd6cdca5da86d66e7e70d24d10209078317b30e965709527826a87b72bc4c03251ecee81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1frvanbn.gga.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\StartMenuHelper32.dll

Filesize
351KB

MD5
b7c7f2bf76b2220839af735e2b58fefc

SHA1
16631df5f62096b039fc1996066805721b622407

SHA256
a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875

SHA512
6df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed

Download Submit
C:\Windows\system32\StartMenuHelper64.dll

Filesize
426KB

MD5
22c9a786f3ff34275c80876b8ac5cc10

SHA1
beb6f4f28b98910b2031c37d7cec385543045614

SHA256
b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca

SHA512
92f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
233bd38640cdac6912aeb999faab451e

SHA1
8836b9379784661d726e56321249e0da0103e017

SHA256
33a0131ca4ff28c53b9216ab347cb0df83ea87e2613106f4be7638a80dcd700e

SHA512
736cfa09adebaa88f4b85250398466daeba95a8b2748979f12ab2f47443ed2f81d1916d0db666087803a2fbd2031e6bceccc50057d65a6659d9c5dca25a69c6e

Download Submit
\??\Volume{3463923c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{761d17bb-7b86-4f02-bae4-65b7f27c9bdb}_OnDiskSnapshotProp

Filesize
6KB

MD5
aaf970168dda4f065e536295d3f92a58

SHA1
23ddbe1adae645b07faa6b891d828fbad23f235c

SHA256
f944fe3bc25da995274f8de525ebd48f04b0d4532842286b24d56d2160c66a73

SHA512
4a70bbc60b3773474996acbbd275e176e83a463383fcb5081109e50fb522af46f44ef9257f4ca9e140bb10934911554857655c4b2f6ee4a17fb5261a6039650a

Download Submit
memory/224-107-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-105-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-106-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-111-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-117-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-116-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-115-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-114-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-113-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/224-112-0x0000022A41400000-0x0000022A41401000-memory.dmp

Filesize
4KB

Download
memory/572-186-0x0000027B1B800000-0x0000027B1B81C000-memory.dmp

Filesize
112KB

Download
memory/572-188-0x0000027B1BBF0000-0x0000027B1BC16000-memory.dmp

Filesize
152KB

Download
memory/572-187-0x0000027B1B7F0000-0x0000027B1B7FA000-memory.dmp

Filesize
40KB

Download
memory/1880-244-0x000001DBCC5C0000-0x000001DBCC5E0000-memory.dmp

Filesize
128KB

Download
memory/1880-193-0x000001D3C9800000-0x000001D3C9900000-memory.dmp

Filesize
1024KB

Download
memory/1880-212-0x000001DBCC340000-0x000001DBCC360000-memory.dmp

Filesize
128KB

Download
memory/1880-192-0x000001D3C9800000-0x000001D3C9900000-memory.dmp

Filesize
1024KB

Download
memory/1880-191-0x000001D3C9800000-0x000001D3C9900000-memory.dmp

Filesize
1024KB

Download
memory/1880-243-0x000001DBCC5C0000-0x000001DBCC5E0000-memory.dmp

Filesize
128KB

Download
memory/1880-353-0x00007FF626EC0000-0x00007FF626EC7000-memory.dmp

Filesize
28KB

Download
memory/1880-221-0x000001DBCC340000-0x000001DBCC360000-memory.dmp

Filesize
128KB

Download
memory/2316-28-0x00000282F54E0000-0x00000282F5502000-memory.dmp

Filesize
136KB

Download
memory/3148-156-0x000001C6CE830000-0x000001C6CE84A000-memory.dmp

Filesize
104KB

Download
memory/3148-155-0x000001C6E8910000-0x000001C6E89B6000-memory.dmp

Filesize
664KB

Download
memory/3148-154-0x000001C6CE7E0000-0x000001C6CE80C000-memory.dmp

Filesize
176KB

Download
memory/3148-153-0x000001C6CE1E0000-0x000001C6CE3D0000-memory.dmp

Filesize
1.9MB

Download
memory/3148-157-0x000001C6E8BD0000-0x000001C6E8C8A000-memory.dmp

Filesize
744KB

Download
memory/3888-158-0x000001EFF4DA0000-0x000001EFF4DB0000-memory.dmp

Filesize
64KB

Download
memory/3888-164-0x000001EFF5220000-0x000001EFF5230000-memory.dmp

Filesize
64KB

Download
memory/3888-166-0x000001EFF56A0000-0x000001EFF56A1000-memory.dmp

Filesize
4KB

Download
memory/4388-354-0x00007FF738930000-0x00007FF738A26000-memory.dmp

Filesize
984KB

Download
memory/5068-138-0x0000026B329B0000-0x0000026B329D4000-memory.dmp

Filesize
144KB

Download
memory/5068-137-0x0000026B329B0000-0x0000026B329DA000-memory.dmp

Filesize
168KB

Download