Analysis
max time kernel: 221s
max time network: 223s
platform: windows11-21h2_x64
resource: win11-20250313-es
resource tags: arch:x64, arch:x86, image:win11-20250313-es, locale:es-es, os:windows11-21h2-x64, systemwindows
submitted: 30/03/2025, 20:11
Static task: static1
Behavioral task: behavioral1
Sample: Terabyte.Tweaker.bat
Resource: win11-20250313-es
Errors: none listed

General
Target: Terabyte.Tweaker.bat
Size: 55KB
MD5: 1fdf3a31b6d0c672ac2b7a51e1549c38
SHA1: 11d9d427605aafd3f8d409f9930d7bf4215189c7
SHA256: 1a1ae207c19b5b14be702e3ff4a4b1f13d229c6823cbcf43eff9a0f600a6e48b
SHA512: 2d7c71f5e66a6f5f7eff9ef65352ccb9482a8d811609ad1d058b5328994e911f60974d52e97d82b2685873e32ff1b7747961df9206f5c4b9ff667551d092624a
SSDEEP: 768:nzIrYWk6E0pri91EBw0wW2WoG4ouKSoMgX0714lGAyWkctQVTJMkmS+WyuAm2Wyk:z+ioBtYBN

Malware Config

Signatures
Modifies security service (2 TTPs, 1 IoC)
  reg.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3"

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid 3092 bcdedit.exe
  pid 4472 bcdedit.exe

Blocklisted process makes network request (9 IoCs)
  flow 3, pid 3812 powershell.exe
  flow 10, pid 1752 powershell.exe
  flow 11, pid 1752 powershell.exe
  flow 13, pid 1644 powershell.exe
  flow 15, pid 4740 powershell.exe
  flow 16, pid 3124 powershell.exe
  flow 17, pid 3124 powershell.exe
  flow 20, pid 1132 powershell.exe
  flow 21, pid 4632 powershell.exe
Disables taskbar notifications via registry modification

Event Triggered Execution: Image File Execution Options Injection (1 TTP, 6 IoCs)
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions\IoPriority = "3"
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions\PagePriority = "5"
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  reg.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe
  reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions\CpuPriorityClass = "3"

Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)
  reg.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll = "%SystemRoot%\\System32\\dnsrslvr.dll"

Sets service image path in registry (2 TTPs, 1 IoC)
  reg.exe: Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ImagePath = "System32\\drivers\\tcpip.sys"

Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (1 IoC)
  pid 3260 dismhost.exe

Loads dropped DLL (23 IoCs)
Modifies system executable filetype association (2 TTPs, 1 IoC)
  OneDriveSetup.exe: Key deleted \REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx

Adds Run key to start application (2 TTPs, 1 IoC)
  reg.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ThanksForUsing = "C:\\TT\\thanksforusing.bat"

Drops desktop.ini file(s) (1 IoC)
  OneDriveSetup.exe: File opened for modification C:\Users\Admin\OneDrive\desktop.ini

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
  flow 21: raw.githubusercontent.com
  flow 2: raw.githubusercontent.com
  flow 3: raw.githubusercontent.com
  flow 11: raw.githubusercontent.com
  flow 17: raw.githubusercontent.com
  flow 18: raw.githubusercontent.com
  flow 20: raw.githubusercontent.com

Power Settings (1 TTP, 8 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  pid 3360 powercfg.exe
  pid 4624 powercfg.exe
  pid 3280 powercfg.exe
  pid 2448 powercfg.exe
  pid 1684 powercfg.exe
  pid 1984 powercfg.exe
  pid 5088 powercfg.exe
  pid 1440 powercfg.exe

Drops file in Windows directory (2 IoCs)
  dismhost.exe: File opened for modification C:\Windows\Logs\DISM\dism.log
  Dism.exe: File opened for modification C:\Windows\Logs\DISM\dism.log

Hide Artifacts: Ignore Process Interrupts (1 TTP, 1 IoC)
Command interpreters often include specific commands/flags that ignore errors and other hangups.
  pid 2044 powershell.exe

Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility used to control services on the system.
  pid 2428 sc.exe
  pid 2480 sc.exe

Event Triggered Execution: Netsh Helper DLL (1 TTP, 64 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  OneDriveSetup.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  OneDriveSetup.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  OneDriveSetup.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  DllHost.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  FileSyncConfig.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  InstallUtil.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 47 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
System Time Discovery (1 TTP, 1 IoC)
An adversary may gather the system time and/or time zone settings from a local or remote system.
  pid 3700 netsh.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Gathers network information (2 TTPs, 4 IoCs)
Uses a command-line utility to view the network configuration.
  pid 4988 ipconfig.exe
  pid 1320 ipconfig.exe
  pid 4948 ipconfig.exe
  pid 4500 ipconfig.exe

Kills process with taskkill (1 IoC)
  pid 1044 taskkill.exe

Modifies data under HKEY_USERS (22 IoCs)
Modifies registry class (64 IoCs)
Modifies registry key (1 TTP, 2 IoCs)
  pid 3148 reg.exe
  pid 4652 reg.exe

Runs net.exe

Runs ping.exe (1 TTP, 47 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2888 powershell.exe
  pid 2888 powershell.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 2888 powershell.exe
  pid 2888 powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3536 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (indentation shows parent/child depth; each entry is [PID] image -> command line, followed by its signatures):

[PID 4484] C:\Windows\system32\cmd.exe -> C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Terabyte.Tweaker.bat"
  - Suspicious use of WriteProcessMemory
  [PID 1092] C:\Windows\system32\cmd.exe -> C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  [PID 3532] C:\Windows\System32\PING.EXE -> ping -n 2 -w 700 google.com
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 4792] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 3496] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 1044] C:\Windows\System32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 1444] C:\Windows\System32\chcp.com -> chcp 437
  [PID 1412] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> powershell Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 3044] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> powershell Checkpoint-Computer -Description 'Terabyte Restore Point'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 2500] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 3240] C:\Windows\System32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 1604] C:\Windows\System32\chcp.com -> chcp 437
  [PID 2892] C:\Windows\System32\sfc.exe -> sfc /scannow
  [PID 5060] C:\Windows\System32\Dism.exe -> DISM /Online /Cleanup-Image /RestoreHealth
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [PID 3260] C:\Users\Admin\AppData\Local\Temp\EB6701F7-2A8F-4F77-A9B3-3FCE51A5FA14\dismhost.exe -> C:\Users\Admin\AppData\Local\Temp\EB6701F7-2A8F-4F77-A9B3-3FCE51A5FA14\dismhost.exe {B778A3E7-F4FF-445E-887B-65104915DA8F}
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
  [PID 1380] C:\Windows\System32\PING.EXE -> ping 127.0.0.1 -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 1084] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 4576] C:\Windows\System32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 2336] C:\Windows\System32\chcp.com -> chcp 437
  [PID 1808] C:\Windows\System32\PING.EXE -> ping 127.0.0.1 -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 1880] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 932] C:\Windows\System32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 1912] C:\Windows\System32\chcp.com -> chcp 437
  [PID 4540] C:\Windows\System32\reg.exe -> reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  [PID 2876] C:\Windows\System32\reg.exe -> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
  [PID 1888] C:\Windows\System32\reg.exe -> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
  [PID 1904] C:\Windows\System32\reg.exe -> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
  [PID 5096] C:\Windows\System32\reg.exe -> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
  [PID 3828] C:\Windows\System32\reg.exe -> reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
  [PID 420] C:\Windows\System32\reg.exe -> reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
  [PID 2584] C:\Windows\System32\reg.exe -> reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  [PID 3344] C:\Windows\System32\reg.exe -> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
  [PID 4760] C:\Windows\System32\reg.exe -> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d "2" /f
  [PID 3972] C:\Windows\System32\reg.exe -> reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "00000000" /f
  [PID 4568] C:\Windows\System32\reg.exe -> reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
  [PID 4792] C:\Windows\System32\reg.exe -> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "UseActionCenterExperience" /t REG_DWORD /d "00000000" /f
  [PID 4536] C:\Windows\System32\reg.exe -> reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d 1 /f
  [PID 4332] C:\Windows\System32\reg.exe -> reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d 0 /f
  [PID 1132] C:\Windows\System32\reg.exe -> reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "CacheHashTableBucketSize" /t REG_DWORD /d "1" /f
  [PID 344] C:\Windows\System32\reg.exe -> reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "CacheHashTableSize" /t REG_DWORD /d "180" /f
  [PID 820] C:\Windows\System32\reg.exe -> reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "MaxCacheEntryTtlLimit" /t REG_DWORD /d "fa00" /f
  [PID 3536] C:\Windows\System32\reg.exe -> reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "MaxSOACacheEntryTtlLimit" /t REG_DWORD /d "12d" /f
  [PID 1440] C:\Windows\System32\reg.exe -> reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f
  [PID 2044] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"
    - Hide Artifacts: Ignore Process Interrupts
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 3812] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell Invoke-WebRequest "https://raw.githubusercontent.com/Teramanbr/TerabyteTweaker/main/src/Regedit.reg" -OutFile "C:\Users\Admin\AppData\Local\Temp\Regedit.reg"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 3232] C:\Windows\System32\reg.exe -> reg import C:\Users\Admin\AppData\Local\Temp\Regedit.reg
    - Event Triggered Execution: Image File Execution Options Injection
    - Server Software Component: Terminal Services DLL
    - Sets service image path in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
  [PID 3392] C:\Windows\System32\PING.EXE -> ping 127.0.0.1 -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 744] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 1644] C:\Windows\System32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 4660] C:\Windows\System32\chcp.com -> chcp 437
  [PID 2188] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "ps onedrive | Stop-Process -Force"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 4496] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "start-process "$env:windir\SysWOW64\OneDriveSetup.exe" "/uninstall""
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    [PID 3200] C:\Windows\SysWOW64\OneDriveSetup.exe -> "C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      [PID 5056] C:\Windows\SysWOW64\OneDriveSetup.exe -> "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-1736937623-2710279395-1526620350-1000
        - System Location Discovery: System Language Discovery
      [PID 3064] C:\Windows\SysWOW64\OneDriveSetup.exe -> C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
        - Modifies system executable filetype association
        - Drops desktop.ini file(s)
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        [PID 1980] C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe -> "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
          - System Location Discovery: System Language Discovery
          - Modifies registry class
  [PID 3460] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.Getstarted | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 4168] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.ZuneVideo | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 2856] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.ZuneMusic | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  [PID 1808] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.GetHelp | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 3232] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.Messaging | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 4120] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.WindowsFeedbackHub | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 4496] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.People | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 1924] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 1744] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.Print3D | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 5092] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage EclipseManager | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 4820] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage ActiproSoftwareLLC | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 4040] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage AdobeSystemsIncorporated.AdobePhotoshopExpress | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 800] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage 'D5EA27B7.Duolingo-LearnLanguagesforFree' | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 4632] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage PandoraMediaInc | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 1736] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage CandyCrush | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  [PID 4180] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage *Wunderlist* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 3148] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage *Flipboard* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 2576] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage *Twitter* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 3240] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage *Facebook* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 3716] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage *Sway* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 5116] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage *disney* | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 2896] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BingTravel | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 4740] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BingHealthAndFitness | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 2152] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 536] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 3976] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BingFoodAndDrink | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 4536] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 4332] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 2904] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 2808] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 3884] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 1412] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage Microsoft.BioEnrollment | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 4708] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage ContentDeliveryManager | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 4652] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -command "Get-AppxPackage 'Microsoft.Advertising.Xaml' | Remove-AppxPackage"
    - Command and Scripting Interpreter: PowerShell
  [PID 3844] C:\Windows\System32\PING.EXE -> ping 127.0.0.1 -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 3972] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 1020] C:\Windows\System32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 2532] C:\Windows\System32\chcp.com -> chcp 437
  [PID 1440] C:\Windows\System32\powercfg.exe -> powercfg -restoredefaultschemes
    - Power Settings
  [PID 1752] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> powershell Invoke-WebRequest "https://github.com/Teramanbr/TerabyteTweaker/blob/main/src/PowerPlan.pow?raw=true" -OutFile "C:\TT\PowerPlan.pow"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
  [PID 3360] C:\Windows\System32\powercfg.exe -> powercfg /d 44444444-4444-4444-4444-444444444449
    - Power Settings
  [PID 4624] C:\Windows\System32\powercfg.exe -> powercfg -import "C:\TT\PowerPlan.pow" 44444444-4444-4444-4444-444444444449
    - Power Settings
  [PID 3280] C:\Windows\System32\powercfg.exe -> powercfg -SETACTIVE "44444444-4444-4444-4444-444444444449"
    - Power Settings
  [PID 2448] C:\Windows\System32\powercfg.exe -> powercfg /changename 44444444-4444-4444-4444-444444444449 "HoneCtrl's Power Plan" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag. (Added by Terabyte Tweaker)"
    - Power Settings
  [PID 1684] C:\Windows\System32\powercfg.exe -> powercfg /d 381b4222-f694-41f0-9685-ff5bb260df2e
    - Power Settings
  [PID 1984] C:\Windows\System32\powercfg.exe -> powercfg /d 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    - Power Settings
  [PID 5088] C:\Windows\System32\powercfg.exe -> powercfg /d a1841308-3541-4fab-bc81-f71556f20b4a
    - Power Settings
  [PID 1852] C:\Windows\System32\PING.EXE -> ping 127.0.0.1 -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 1336] C:\Windows\System32\chcp.com -> chcp 65001
  [PID 4084] C:\Windows\System32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 3396] C:\Windows\System32\chcp.com -> chcp 437
  [PID 1644] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> powershell Invoke-WebRequest "https://cdn.discordapp.com/attachments/798314687321735199/923239120367673434/CLOCKRES.exe" -OutFile "C:\TT\CLOCKRES.exe"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
  [PID 2496] C:\Windows\system32\cmd.exe -> C:\Windows\system32\cmd.exe /c CLOCKRES.exe | find "Current"
  [PID 4740] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> powershell Invoke-WebRequest "https://cdn.discordapp.com/attachments/798314687321735199/923239064738627594/SetTimerResolutionService.exe" -OutFile "C:\TT\SetTimerResolutionService.exe"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
  [PID 2428] C:\Windows\system32\sc.exe -> sc config "STR" start= auto
    - Launches sc.exe
  [PID 5072] C:\Windows\system32\net.exe -> NET START STR
    [PID 2560] C:\Windows\system32\net1.exe -> C:\Windows\system32\net1 START STR
  [PID 3092] C:\Windows\system32\bcdedit.exe -> bcdedit /set useplatformtick yes
    - Modifies boot configuration data using bcdedit
  [PID 4472] C:\Windows\system32\bcdedit.exe -> bcdedit /set disabledynamictick yes
    - Modifies boot configuration data using bcdedit
  [PID 4888] C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /quiet /s /i SetTimerResolutionService.exe
    - System Location Discovery: System Language Discovery
  [PID 2480] C:\Windows\system32\sc.exe -> sc config "STR" start= auto
    - Launches sc.exe
  [PID 1780] C:\Windows\system32\net.exe -> NET START STR
    [PID 1692] C:\Windows\system32\net1.exe -> C:\Windows\system32\net1 START STR
  [PID 5004] C:\Windows\system32\PING.EXE -> ping 127.0.0.1 -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 2732] C:\Windows\system32\chcp.com -> chcp 65001
  [PID 1844] C:\Windows\system32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 1244] C:\Windows\system32\chcp.com -> chcp 437
  [PID 2848] C:\Windows\system32\reg.exe -> Reg query "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode"
  [PID 2468] C:\Windows\system32\reg.exe -> Reg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t Reg_DWORD /d "2" /f
  [PID 2884] C:\Windows\system32\cmd.exe -> C:\Windows\system32\cmd.exe /c Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s | findstr "HKEY"
    [PID 4652] C:\Windows\system32\reg.exe -> Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s
    [PID 1412] C:\Windows\system32\findstr.exe -> findstr "HKEY"
  [PID 3844] C:\Windows\system32\reg.exe -> Reg add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t Reg_DWORD /d "1" /f
  [PID 3972] C:\Windows\system32\reg.exe -> Reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t Reg_DWORD /d "1" /f
  [PID 2188] C:\Windows\system32\reg.exe -> reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  [PID 2636] C:\Windows\system32\reg.exe -> reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
  [PID 4396] C:\Windows\system32\reg.exe -> reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  [PID 1020] C:\Windows\system32\reg.exe -> reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
  [PID 2532] C:\Windows\system32\reg.exe -> reg add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
  [PID 3384] C:\Windows\system32\reg.exe -> reg add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
  [PID 5108] C:\Windows\system32\reg.exe -> reg add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
  [PID 1440] C:\Windows\system32\reg.exe -> Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t Reg_DWORD /d "4" /f
  [PID 1648] C:\Windows\system32\reg.exe -> Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t Reg_DWORD /d "4" /f
  [PID 1784] C:\Windows\system32\reg.exe -> Reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnablePreemption" /t Reg_DWORD /d "0" /f
  [PID 1932] C:\Windows\system32\reg.exe -> Reg delete "HKCU\Software\Hone" /v "AllGPUTweaks" /f
  [PID 2520] C:\Windows\system32\reg.exe -> reg query "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode"
  [PID 1132] C:\Windows\system32\reg.exe -> Reg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t Reg_DWORD /d "2" /f
  [PID 420] C:\Windows\system32\cmd.exe -> C:\Windows\system32\cmd.exe /c Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s | findstr "HKEY"
    [PID 3344] C:\Windows\system32\reg.exe -> Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s
    [PID 3360] C:\Windows\system32\findstr.exe -> findstr "HKEY"
  [PID 4496] C:\Windows\system32\reg.exe -> Reg add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t Reg_DWORD /d "1" /f
  [PID 4332] C:\Windows\system32\reg.exe -> Reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t Reg_DWORD /d "1" /f
  [PID 1684] C:\Windows\system32\reg.exe -> reg delete "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /f
  [PID 1984] C:\Windows\system32\reg.exe -> reg delete "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /f
  [PID 5088] C:\Windows\system32\reg.exe -> reg delete "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /f
  [PID 4040] C:\Windows\system32\reg.exe -> reg delete "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /f
  [PID 3716] C:\Windows\system32\reg.exe -> reg delete "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /f
  [PID 3208] C:\Windows\system32\reg.exe -> reg delete "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /f
  [PID 3464] C:\Windows\system32\reg.exe -> reg delete "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /f
  [PID 2904] C:\Windows\system32\reg.exe -> Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t Reg_DWORD /d "2" /f
  [PID 644] C:\Windows\system32\reg.exe -> Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t Reg_DWORD /d "2" /f
  [PID 1460] C:\Windows\system32\reg.exe -> Reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnablePreemption" /t Reg_DWORD /d "1" /f
  [PID 5012] C:\Windows\system32\PING.EXE -> ping 127.0.0.1 -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 4932] C:\Windows\system32\chcp.com -> chcp 65001
  [PID 2808] C:\Windows\system32\PING.EXE -> ping localhost -n 3
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
  [PID 3020] C:\Windows\system32\chcp.com -> chcp 437
  [PID 3124] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> powershell Invoke-WebRequest "https://github.com/Teramanbr/TerabyteTweaker/blob/main/src/CPUTweaks.ps1?raw=true" -OutFile "C:\TT\CPUTweaks.ps1"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
  [PID 1424] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\TT\CPUTweaks.ps1'"
    - Command and Scripting Interpreter: PowerShell
    [PID 3148] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" query HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
      - Modifies registry key
    [PID 2888] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" export HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} C:\TT\TTRevert\ognic.reg /y
    [PID 3996] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v MIMOPowerSaveMode /t REG_SZ /d 3 /f
    [PID 932] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v PowerSavingMode /t REG_SZ /d 0 /f
    [PID 3372] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableGreenEthernet /t REG_SZ /d 0 /f
    [PID 2828] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *EEE /t REG_SZ /d 0 /f
    [PID 2576] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *IPSecOffloadV1IPv4 /t REG_SZ /d 0 /f
    [PID 536] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *IPSecOffloadV2IPv4 /t REG_SZ /d 0 /f
    [PID 2336] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *IPSecOffloadV2 /t REG_SZ /d 0 /f
    [PID 4828] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RscIPv4 /t REG_SZ /d 0 /f
    [PID 2884] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RscIPv6 /t REG_SZ /d 0 /f
    [PID 920] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *PMNSOffload /t REG_SZ /d 0 /f
    [PID 2188] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *PMARPOffload /t REG_SZ /d 0 /f
    [PID 3976] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *JumboPacket /t REG_SZ /d 0 /f
    [PID 1020] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableConnectedPowerGating /t REG_DWORD /d 0 /f
    [PID 3452] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableDynamicPowerGating /t REG_SZ /d 0 /f
    [PID 5108] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableSavePowerNow /t REG_SZ /d 0 /f
    [PID 2892] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *FlowControl /t REG_SZ /d 0 /f
    [PID 1784] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *NicAutoPowerSaver /t REG_SZ /d 0 /f
    [PID 3904] C:\Windows\system32\reg.exe -> "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v ULPMode /t REG_SZ /d 0 /f
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnablePME /t REG_SZ /d 0 /f3⤵PID:1732
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v AlternateSemaphoreDelay /t REG_SZ /d 0 /f3⤵PID:820
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v AutoPowerSaveModeEnabled /t REG_SZ /d 0 /f3⤵PID:4532
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *NumRssQueues /t REG_SZ /d 2 /f3⤵PID:1752
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" query HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}3⤵
- Modifies registry key
PID:4652
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RssBaseProcNumber /f3⤵PID:2856
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RssMaxProcNumber /f3⤵PID:1984
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" path Win32_USBController get PNPDeviceID3⤵PID:3220
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v DevicePolicy /t REG_DWORD /d 4 /f3⤵PID:3464
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v AssignmentSetOverride /t REG_BINARY /d 08 /f3⤵PID:404
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get PNPDeviceID3⤵PID:4792
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v DevicePolicy /t REG_DWORD /d 4 /f3⤵PID:1724
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v AssignmentSetOverride /t REG_BINARY /d 02 /f3⤵PID:3308
-
-
C:\Windows\System32\Wbem\WMIC.exe"C:\Windows\System32\Wbem\WMIC.exe" path Win32_NetworkAdapter get PNPDeviceID3⤵PID:4748
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v DevicePolicy /t REG_DWORD /d 4 /f3⤵PID:4760
-
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v AssignmentSetOverride /t REG_BINARY /d 0 /f3⤵PID:2368
-
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1028
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:2100
-
-
C:\Windows\system32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5092
-
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:3912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem get totalphysicalmemory /value2⤵PID:4924
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory /value3⤵PID:540
-
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagingFiles" /t REG_MULTI_SZ /D "c:\pagefile.sys 6141 6141" /f2⤵PID:3908
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SystemPages" /t REG_DWORD /D "0" /f2⤵PID:3844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /format:value2⤵PID:4972
-
C:\Windows\System32\Wbem\WMIC.exewmic os get TotalVisibleMemorySize /format:value3⤵PID:4036
-
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f2⤵PID:2584
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\FTH" /v "Enabled" /t Reg_DWORD /d "0" /f2⤵PID:872
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d "0" /f2⤵PID:1972
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t Reg_DWORD /d "1" /f2⤵PID:4176
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t Reg_DWORD /d "2" /f2⤵PID:1504
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t Reg_DWORD /d "0" /f2⤵PID:4628
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t Reg_DWORD /d "1" /f2⤵PID:4796
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePageCombining" /t REG_DWORD /d "1" /f2⤵PID:4332
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t Reg_DWORD /d "1" /f2⤵PID:3228
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "HeapDeCommitFreeBlockThreshold" /t REG_DWORD /d "262144" /f2⤵PID:4040
-
-
C:\Windows\system32\reg.exeReg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d "1" /f2⤵PID:3208
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f2⤵PID:3716
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "0" /f2⤵PID:1460
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t Reg_DWORD /d "0" /f2⤵PID:2232
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t Reg_DWORD /d "0" /f2⤵PID:5012
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f2⤵PID:4116
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabledDefault" /t REG_DWORD /d "0" /f2⤵PID:1912
-
-
C:\Windows\system32\reg.exeReg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f2⤵PID:1644
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t Reg_SZ /d "1000" /f2⤵PID:4520
-
-
C:\Windows\system32\reg.exeReg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t Reg_SZ /d "1000" /f2⤵PID:3192
-
-
C:\Windows\system32\reg.exeReg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t Reg_SZ /d "1000" /f2⤵PID:4748
-
-
C:\Windows\system32\fsutil.exefsutil behavior set memoryusage 22⤵PID:1752
-
-
C:\Windows\system32\fsutil.exefsutil behavior set mftzone 22⤵PID:3220
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:1020
-
-
C:\Windows\system32\fsutil.exefsutil behavior set encryptpagingfile 02⤵PID:1784
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disable8dot3 12⤵PID:3996
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disablecompression 12⤵PID:2576
-
-
C:\Windows\system32\fsutil.exefsutil behavior set disabledeletenotify 02⤵PID:2884
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2888
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:564
-
-
C:\Windows\system32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4740
-
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:2684
-
-
C:\Windows\system32\ipconfig.exeipconfig /release2⤵
- Gathers network information
PID:1320
-
-
C:\Windows\system32\ipconfig.exeipconfig /renew2⤵
- Gathers network information
PID:4948
-
-
C:\Windows\system32\ARP.EXEarp -d *2⤵PID:228
-
-
C:\Windows\system32\nbtstat.exenbtstat -R2⤵PID:3304
-
-
C:\Windows\system32\nbtstat.exenbtstat -RR2⤵PID:3952
-
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns2⤵
- Gathers network information
PID:4500
-
-
C:\Windows\system32\ipconfig.exeipconfig /registerdns2⤵
- Gathers network information
PID:4988
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global autotuninglevel=normal2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3808
-
-
C:\Windows\system32\netsh.exenetsh interface 6to4 set state disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4624
-
-
C:\Windows\system32\netsh.exenetsh int isatap set state disable2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:644
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global timestamps=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
- System Time Discovery
PID:3700
-
-
C:\Windows\system32\netsh.exenetsh int tcp set heuristics disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:764
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global chimney=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1532
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global ecncapability=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2100
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global rsc=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:848
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global nonsackrttresiliency=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:908
-
-
C:\Windows\system32\netsh.exenetsh int tcp set security mpp=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1844
-
-
C:\Windows\system32\netsh.exenetsh int tcp set security profiles=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2096
-
-
C:\Windows\system32\netsh.exenetsh int ip set global icmpredirects=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2636
-
-
C:\Windows\system32\netsh.exenetsh int tcp set security mpp=disabled profiles=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3880
-
-
C:\Windows\system32\netsh.exenetsh int ip set global multicastforwarding=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3712
-
-
C:\Windows\system32\netsh.exenetsh int tcp set supplemental internet congestionprovider=ctcp2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2840
-
-
C:\Windows\system32\netsh.exenetsh interface teredo set state disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4040
-
-
C:\Windows\system32\netsh.exenetsh winsock reset2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3688
-
-
C:\Windows\system32\netsh.exenetsh int isatap set state disable2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1880
-
-
C:\Windows\system32\netsh.exenetsh int ip set global taskoffload=disabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1092
-
-
C:\Windows\system32\netsh.exenetsh int ip set global neighborcachelimit=40962⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1984
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global dca=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:820
-
-
C:\Windows\system32\netsh.exenetsh int tcp set global netdma=enabled2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell Disable-NetAdapterLso -Name "*"2⤵PID:1580
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4988
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:4552
-
-
C:\Windows\system32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4536
-
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:3280
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 0 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4624
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1473 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2808
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 736 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:644
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1104 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1884
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1288 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3392
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1380 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4668
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1426 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1160
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1403 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2544
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1391 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3756
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1385 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2040
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1382 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:664
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1381 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2524
-
-
C:\Windows\system32\PING.EXEping -n 1 -l 1380 -f -4 google.com2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1676
-
-
C:\Windows\System32\Wbem\WMIC.exewmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("8.8.8.8", "8.8.4.4")2⤵PID:3708
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeContent" /t REG_SZ /d "8.8.4.4" /f2⤵PID:1252
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeContentV6" /t REG_SZ /d "2001:4860:4860::8844" /f2⤵PID:2852
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeHost" /t REG_SZ /d "dns.google" /f2⤵PID:712
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeHostV6" /t REG_SZ /d "dns.google" /f2⤵PID:4180
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveWebProbeHost" /t REG_SZ /d "www.msftconnecttest.com" /f2⤵PID:2184
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f2⤵PID:244
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1976
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:4036
-
-
C:\Windows\system32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1500
-
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:1932
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4176
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:5068
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3164
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4836
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spectrum" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3864
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4580
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3812
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3716
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2432
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1360
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserDataSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1324
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4932
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:5056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3588
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1880
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4792
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1136
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoogleChromeElevationService" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2368
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:404
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ibtsiva" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1752
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1984
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2828
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssh-agent" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3904
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4828
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1020
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2188
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcaSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1320
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3472
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wersvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2248
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1408
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdatem" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2560
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:4708
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2684
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1412
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:3836
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2520
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:2740
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\debugregsvc" /v "Start" /t REG_DWORD /d "4" /f2⤵PID:1684
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndu" /v "Start" /d "2" /t REG_DWORD /f2⤵PID:4536
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /d "3" /t REG_DWORD /f2⤵PID:3280
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "3" /f2⤵PID:4056
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "3" /f2⤵
- Modifies security service
PID:4960
-
-
C:\Windows\system32\reg.exeReg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertPropSvc" /v "Start" /t REG_DWORD /d "3" /f2⤵PID:3332
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3632
-
-
C:\Windows\system32\chcp.comchcp 650012⤵PID:1876
-
-
C:\Windows\system32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2032
-
-
C:\Windows\system32\chcp.comchcp 4372⤵PID:3300
-
-
C:\Windows\system32\taskkill.exeTaskKill /F /IM javaw.exe2⤵
- Kills process with taskkill
PID:1044
-
-
C:\Windows\System32\PING.EXEping 127.0.0.1 -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2496
-
-
C:\Windows\System32\chcp.comchcp 650012⤵PID:224
-
-
C:\Windows\System32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2104
-
-
C:\Windows\System32\chcp.comchcp 4372⤵PID:2040
-
-
C:\Windows\System32\chcp.comchcp 650012⤵PID:3912
-
-
C:\Windows\System32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1532
-
-
C:\Windows\System32\chcp.comchcp 4372⤵PID:2732
-
-
C:\Windows\System32\chcp.comchcp 650012⤵PID:908
-
-
C:\Windows\System32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1244
-
-
C:\Windows\System32\chcp.comchcp 4372⤵PID:4568
-
-
C:\Windows\System32\chcp.comchcp 650012⤵PID:904
-
-
C:\Windows\System32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1844
-
-
C:\Windows\System32\chcp.comchcp 4372⤵PID:2452
-
-
C:\Windows\System32\chcp.comchcp 650012⤵PID:3844
-
-
C:\Windows\System32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3460
-
-
C:\Windows\System32\chcp.comchcp 4372⤵PID:1976
-
-
C:\Windows\System32\chcp.comchcp 650012⤵PID:4036
-
-
C:\Windows\System32\PING.EXEping localhost -n 32⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4232
-
-
C:\Windows\System32\chcp.comchcp 4372⤵PID:3344
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest "https://raw.githubusercontent.com/Teramanbr/TerabyteTweaker/main/src/thanksforusing.bat" -OutFile "C:\TT\thanksforusing.bat"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:1132
-
-
C:\Windows\System32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "ThanksForUsing" /t REG_SZ /d C:\TT\thanksforusing.bat /f2⤵
- Adds Run key to start application
PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell Invoke-WebRequest "https://raw.githubusercontent.com/Teramanbr/TerabyteTweaker/main/src/shutdown.ps1" -OutFile "C:\TT\shutdown.ps1"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\TT\shutdown.ps1'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2888
-
-
C:\Windows\System32\shutdown.exeshutdown /r /t 500 -c " "2⤵PID:3092
-
-
C:\Windows\System32\shutdown.exeshutdown /r /t 02⤵PID:4552
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:840
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵PID:1888
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.GetHelp_8wekyb3d8bbwe1⤵PID:5068
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe1⤵PID:3304
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.People_8wekyb3d8bbwe1⤵PID:4820
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}1⤵
- System Location Discovery: System Language Discovery
PID:1140
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.BingNews_8wekyb3d8bbwe1⤵PID:3916
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.BingWeather_8wekyb3d8bbwe1⤵PID:2520
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe1⤵PID:4544
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe1⤵PID:5096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\TT\thanksforusing.bat1⤵PID:2552
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3976055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3536
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (4)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Power Settings (1)
- Server Software Component (1)
  - Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (4)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Discovery
- Peripheral Device Discovery (1)
- Query Registry (1)
- Remote System Discovery (1)
- System Information Discovery (2)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
- System Time Discovery (1)
Downloads
-
Filesize
168KB
MD517275206102d1cf6f17346fd73300030
SHA1bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166
SHA256dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6
SHA512ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3
-
Filesize
436KB
MD5e54120aa50f14e0d3d257e77db46ece5
SHA1922203542962ec5f938dcb3c876f060ecf17f9dc
SHA256b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54
SHA512fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9
-
Filesize
200KB
MD5c22cc16103ee51ba59b765c6b449bddb
SHA1b0683f837e1e44c46c9a050e0a3753893ece24ad
SHA256eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b
SHA5122c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e
-
Filesize
680KB
MD5a41b0e08419de4d9874893b813dccb5c
SHA12390e00f2c2bc9779e99a669193666688064ea77
SHA25657ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3
SHA512bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a
-
Filesize
92KB
MD50e6d074c223b6706c29de2e9d6d9d05c
SHA1c4758d6e444b5f943c9ae8570c6d1945d7b2ab8f
SHA2563129bd336b26f9da626189a2386c362584204a5d24ec0733be3cf0c8f5d855e2
SHA512fa48aa14b7e66749a34a7195944966b670649935f1eef9d6f17cf7d9893dc83339fed4bcfeb5c5be0be8f4c0a250cf71e4e0bbc6456017890b8b5ef0ee2d885b
-
Filesize
172KB
MD520fb116831396d9477e352d42097741c
SHA17e063ac9bc173a81dc56dc5864f912041e2c725a
SHA2566a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4
SHA512851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a
-
Filesize
84KB
MD5f6b7301c18f651567a5f816c2eb7384d
SHA140cd6efc28aa7efe86b265af208b0e49bec09ae4
SHA2568f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61
SHA5124087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286
-
Filesize
248KB
MD54c6d681704e3070df2a9d3f42d3a58a2
SHA1a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81
SHA256f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137
SHA512daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86
-
Filesize
312KB
MD534035aed2021763bec1a7112d53732f1
SHA17132595f73755c3ae20a01b6863ac9518f7b75a4
SHA256aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731
SHA512ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d
-
Filesize
108KB
MD5c63f6b6d4498f2ec95de15645c48e086
SHA129f71180feed44f023da9b119ba112f2e23e6a10
SHA25656aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde
SHA5123a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc
-
Filesize
208KB
MD5eb171b7a41a7dd48940f7521da61feb0
SHA19f2a5ddac7b78615f5a7af753d835aaa41e788fc
SHA25656a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55
SHA5125917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12
-
Filesize
180KB
MD5e9833a54c1a1bfdab3e5189f3f740ff9
SHA1ffb999c781161d9a694a841728995fda5b6da6d3
SHA256ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85
SHA5120b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9
-
Filesize
213KB
MD53437087e6819614a8d54c9bc59a23139
SHA1ae84efe44b02bacdb9da876e18715100a18362be
SHA2568b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74
SHA512018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde
-
Filesize
800KB
MD52ef388f7769205ca319630dd328dcef1
SHA16dc9ed84e72af4d3e7793c07cfb244626470f3b6
SHA2564915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf
SHA512b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b
-
Filesize
944KB
MD507231bdae9d15bfca7d97f571de3a521
SHA104aec0f1afcf7732bc4cd1f7aab36e460c325ba6
SHA256be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935
SHA5122a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129
-
Filesize
272KB
MD546e3e59dbf300ae56292dea398197837
SHA178636b25fdb32c8fcdf5fe73cac611213f13a8be
SHA2565a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339
SHA512e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c
-
Filesize
820KB
MD54dfa1eeec0822bfcfb95e4fa8ec6c143
SHA154251e697e289020a72e1fd412e34713f2e292cf
SHA256901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494
SHA5125f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4
-
Filesize
1.3MB
MD5c1c56a9c6ea636dbca49cfcc45a188c3
SHA1d852e49978a08e662804bf3d7ec93d8f6401a174
SHA256b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf
SHA512f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e
-
Filesize
256KB
MD57c61284580a6bc4a4c9c92a39bd9ea08
SHA14579294e3f3b6c03b03b15c249b9cac66e730d2a
SHA2563665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8
SHA512b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe
-
Filesize
596KB
MD58a655555544b2915b5d8676cbf3d77ab
SHA15a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2
SHA256d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27
SHA512c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93
-
Filesize
672KB
MD5bcf8735528bb89555fc687b1ed358844
SHA15ef5b24631d2f447c58b0973f61cb02118ae4adc
SHA25678b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c
SHA5128b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5
-
Filesize
292KB
MD52ac64cc617d144ae4f37677b5cdbb9b6
SHA113fe83d7489d302de9ccefbf02c7737e7f9442f9
SHA256006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44
SHA512acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7
-
Filesize
2KB
MD5fb17429f4d39fe142e5b682f180a9e7d
SHA1165e81224b64775364e8f5e4bfc952b65d5a5b56
SHA256a48e621724c5a977373d10de1420d7e5a8b902b2a3896d9b00b53ae8adffe071
SHA512374c6223cef75443fe35198d352e7b27b6958f69cc035e01a0b560085bacd19ad7f61ed890f6055c238f41cccbbb8f4a9b674c6903edcf347a1c26eab03ce00b
-
Filesize
25KB
MD5b9213d296ae309355c6907e171f06ba8
SHA1a3ff2d2ebf60168e8219723084f43b50ae129b50
SHA2565c42cd23447b405ecda06e87e5d77ab3e5d4cac81f5a39891daf5eab0c551134
SHA51221c269844663be0dc37734be85069d27f33775fa6373c14ac4b82e599c7b4cef9541273a0d4a5fafb7538a5dd2bbf48a8aa2b48ba1cd8432ae484c07e2e50afe
-
Filesize
9KB
MD54cc03d269070909cabce711df3ab92ff
SHA17cabaf92bb29aa8c3bf1d8e2deedf24a6f827643
SHA256213bc9e7652f07f62950db93fdc9e0654e31fb7a01d7d2fa779fba3347f4f1ce
SHA512bc20d5811298f11f09c1a1eac9787382d1a21e5ebbcaa255965bd77581715aa4ed13d74c589085b3c1e1c46e74984733757edce282499932c4a8776a20a0bd05
-
Filesize
59KB
MD5803fac6610cba62141da61d44055fea1
SHA1e13c9d6ad8a6a2ec25e05eafb716b127bdfb8498
SHA256fe271f611235ccf377ddbac64a71a738d917aa9a62d427239631c70c22d3c158
SHA51279b5cf9e50660b48983a8afa2000d7e29e4dda8a864ba5fa9ec19f8e9b899a4497df1e463888139ec0489c8fdc2a5e080b07960f8bcfc7601f255ca02de3eb33
-
Filesize
7KB
MD5150981543fbb667e323c06eef1ec9533
SHA178adcbc30e40c05e8b9a3d128e681d35bc25fbdd
SHA2567c1fd6f8fdc24b14298548a263272f50ff9d0a5f2b89cddb57589d749d78be56
SHA5122c81fd7136245ebc1111b192cd48acdf59cdc9f8462af32c97bf75cf297f6b3377cee96caa82f14bd4c98a4de26ee32306abe48b9d90b413054e98daeac0a1b6
-
Filesize
20KB
MD5fe1dbc465d4b70f343e604d3a1e17d98
SHA19e275cf47f4560ff9144cb668ae55ba836fde431
SHA256a6f519affd3b65cac65e57154f7eadbc016338fba3fe554c3a2a5ed074fcc11c
SHA5126a1a0c739ac33865bd0673d01c8585bd87e5b663658a322ffb6299db7fc3c6ab76501602ab70b2e1a0b1b9c958254878558acc26eabd68cb1b2aaf63d5e02184
-
Filesize
6KB
MD561f982e7471ca89bd108301a369235ce
SHA1a0efce2a045150ff0d845bf0d932ee488ab20b15
SHA256ed0e8b1d42ebc372268f263125c891c63d7fb9351f2f5eb834e76f0c8fcea4c0
SHA512de0568584fedd906691700b3b64cb975a06896bf9aed401206da2a56ac88a0f24a684e9d0427bb8b6c189f4e822b7e4ac07b64e9bbd6c9af85528a4c4f4e849e
-
Filesize
10KB
MD520aad1b3269924f38164acd6468a4e5e
SHA1930ae5a7e9f0a0ad344504f8a2c7419b19c63db2
SHA256e104e5be0669cfd5672c6e6c6ae1f65cfb36a9897de9d4da48ad6649cdf13f2e
SHA51207d51e98d90f5cce0eec52004dbe00fe07b601e2b0235250d6f6ebae89cd801f84e2e6c571b7e517098b2fc3931352bea13e0003e9cf2dcd16cac6229fb1e1e9
-
Filesize
2KB
MD5cc931bb73cbf5cf791d0e2bc6bb82c52
SHA11d91eb9a632fd1a63f03e5345bca8caaed04f5c4
SHA256eadf325b8cec700470a1bb342320deb0d9c3f467372df3665c0f376134932f18
SHA512475cab191321504f525dc97c33765b6d1c75ed9fb7e477d7ffc6e041747a08a06f5c8973c6ca593148ee332be798737c0ab45341d2ab087aad9710d60c4f8b1a
-
C:\Users\Admin\AppData\Local\Temp\EB6701F7-2A8F-4F77-A9B3-3FCE51A5FA14\es-ES\GenericProvider.dll.mui
Filesize5KB
MD5a89a4bdd0bcca9a3a063e929f988118e
SHA1cc8c9370618a2ec652fa2644cfa579739d4f7209
SHA2569d91f085dc25ef689d4f2d3e1eebc8135355cbb5d01b8704a85318fd0bea8c0a
SHA5123e57298f3028c305db84b9e39325d28e63b28bf47a85739132662440fc824f57ae1de64a3eb4befa6d7f7105672edaae926499c02fab9bc29ef7b6134dd4fdf0
-
C:\Users\Admin\AppData\Local\Temp\EB6701F7-2A8F-4F77-A9B3-3FCE51A5FA14\es-ES\ImagingProvider.dll.mui
Filesize19KB
MD50ceb43a770a335c04c0f05095496f730
SHA1226599920b1f2f62ce91f3d4ec4a8bda39e09cc8
SHA256458558ad7a78fc12b8032c30af13561132dc8348f9a672cd1aa2d87ea859bd53
SHA51246cbd6c6f52c9b7db4b9d21319b36695b135fc92cadd390523d4500ce3f44385a3ab2a4d138580e0aaea2fcc7e9ba370011c23ff58f279356a2401a877a67bc4
-
Filesize
33KB
MD5742667af6d205f6b58b4663d70c0be70
SHA13d0281615e884e4b532f646444b50dcddab3e35f
SHA256e2db17861c69a80e6f43d986c0e95cdfacfefafdd25a2f789da469d7873d1790
SHA512ce0a23bc3da0f23ccd36a3f39572b66687ae1f9883b2d6747e6ab5314bf15baa2f021af5c1c8b29c5297bb9c29d00ae9a0a781e034f1f400328e28faa525c7e8
-
Filesize
2KB
MD543a69f85ab6bba7e82e13e1ac9df170b
SHA1d36acd8b1d6bbf0ff8cfcad2080df932eec245f8
SHA25611e88589b10b6b697dcc76157e81951ecdfebe1cbe3a9fc578d384406a24f2f1
SHA5123a5c1c896ddb814d8df309a3d869198bf3f0e9e5d66cbfa9fd0b91899cf899f436c71a77cc12407bebb6b2c4c7df24566b8abd0c8733f105433a65452cf1672d
-
Filesize
32KB
MD599cdb3cc0ca02ca7e41480fb5b27b075
SHA1096519c89ee88f704f2d026394b479fca76b5536
SHA256f0fe34cb30344fe9a271ec381591c08f55f0f157feccea1978ca58fb1477969e
SHA5128f7e72abc1d683f381eba7904d0ccf07f0b6196a0c6d049197a0b64afba694f05aa4a508f904cce0e119e794f9253ba1d281886370899d6690df04a48b822951
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
285KB
MD54a2dfbcc980fbf211663ad9b272507d5
SHA149344e2d3150c018492f8b29e9233f5ae3455a49
SHA2569e7e6b533dc99ada5c8dbae8f30e02ee3971bc1b68cce80638fe1aaea4b25530
SHA512d044c75ffee41f38f0faf601cc63a31e109a4af5353b7306d037819e8407932daec96d2d88496020e75f71f2d2e9557726b69479fd6f38d11baa1fc6dd15bbcc
-
Filesize
288KB
MD52c79b1b343727895b5e7e687dca8f883
SHA108aaa0d79cce57a499315b96e4f46dd10356abf5
SHA25623e46c6ed63aeb35a41fd2088f95d4318f15bf42275579cc4904c5e5b3d24265
SHA512b04dfe6b430e0d4195628b49a326e420ba4beba37e85855b602a73ada33f2bae38986e718091de8e506fd937a9f1abb4f5effddf99be5778b2d3e0aa23ceaa54