1a1ae207c19b5b14be702e3ff4a4b1f13d229c6823cbcf43eff9a0f600a6e48b

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3092	bcdedit.exe
4472	bcdedit.exe

Blocklisted process makes network request 9 IoCs

flow	pid	Process
3	3812	powershell.exe
10	1752	powershell.exe
11	1752	powershell.exe
13	1644	powershell.exe
15	4740	powershell.exe
16	3124	powershell.exe
17	3124	powershell.exe
20	1132	powershell.exe
21	4632	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 46 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4496	powershell.exe
4496	powershell.exe
1752	powershell.exe
1644	powershell.exe
4740	powershell.exe
3124	powershell.exe
1132	powershell.exe
4632	powershell.exe
3812	powershell.exe
4632	powershell.exe
4708	powershell.exe
3240	powershell.exe
3976	powershell.exe
2888	powershell.exe
536	powershell.exe
2188	powershell.exe
3460	powershell.exe
4120	powershell.exe
1924	powershell.exe
4040	powershell.exe
1736	powershell.exe
5116	powershell.exe
4168	powershell.exe
1808	powershell.exe
1744	powershell.exe
2808	powershell.exe
1424	powershell.exe
2896	powershell.exe
4536	powershell.exe
4496	powershell.exe
4820	powershell.exe
2576	powershell.exe
1412	powershell.exe
4652	powershell.exe
4740	powershell.exe
4180	powershell.exe
3148	powershell.exe
2856	powershell.exe
3232	powershell.exe
800	powershell.exe
3716	powershell.exe
2152	powershell.exe
4332	powershell.exe
2904	powershell.exe
3884	powershell.exe
5092	powershell.exe

Disables taskbar notifications via registry modification
defense_evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions\IoPriority = "3"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions\PagePriority = "5"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VSSVC.exe\PerfOptions\CpuPriorityClass = "3"	reg.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServiceDll = "%SystemRoot%\\System32\\dnsrslvr.dll"	reg.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\ImagePath = "System32\\drivers\\tcpip.sys"	reg.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
3260	dismhost.exe

Loads dropped DLL 23 IoCs

pid	Process
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe
3260	dismhost.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ThanksForUsing = "C:\\TT\\thanksforusing.bat"	reg.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	OneDriveSetup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
2	raw.githubusercontent.com
3	raw.githubusercontent.com
11	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
20	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence privilege_escalation

Power Settings

T1653

pid	Process
3360	powercfg.exe
4624	powercfg.exe
3280	powercfg.exe
2448	powercfg.exe
1684	powercfg.exe
1984	powercfg.exe
5088	powercfg.exe
1440	powercfg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2044	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2428	sc.exe
2480	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileSyncConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 47 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4536	PING.EXE
2040	PING.EXE
1676	PING.EXE
2104	PING.EXE
1844	PING.EXE
1044	PING.EXE
1644	PING.EXE
1028	PING.EXE
2496	PING.EXE
3460	PING.EXE
4740	PING.EXE
4668	PING.EXE
664	PING.EXE
1976	PING.EXE
3632	PING.EXE
1532	PING.EXE
4988	PING.EXE
4624	PING.EXE
644	PING.EXE
3844	PING.EXE
1020	PING.EXE
1380	PING.EXE
1808	PING.EXE
932	PING.EXE
4084	PING.EXE
2808	PING.EXE
5092	PING.EXE
1884	PING.EXE
1160	PING.EXE
2544	PING.EXE
1244	PING.EXE
4232	PING.EXE
3240	PING.EXE
2808	PING.EXE
2524	PING.EXE
1852	PING.EXE
2888	PING.EXE
3392	PING.EXE
3756	PING.EXE
1500	PING.EXE
2032	PING.EXE
5004	PING.EXE
3532	PING.EXE
4576	PING.EXE
3392	PING.EXE
1844	PING.EXE
5012	PING.EXE

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3700	netsh.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003c9263343ee389390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003c9263340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003c926334000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3c926334000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003c92633400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4988	ipconfig.exe
1320	ipconfig.exe
4948	ipconfig.exe
4500	ipconfig.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1044	taskkill.exe

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "16"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "33"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseSpeed = "0"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "16"	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold1 = "0"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\MouseThreshold2 = "0"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TYPELIB	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{0776AE27-5AB9-4E18-9063-1836DA63117A}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\odopen\shell	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\FLAGS	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\INPROCSERVER32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\PROGRAMMABLE	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{1B7AED4F-FCAF-4DA4-8795-C03E635D8EDC}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\OOBEREQUESTHANDLER.OOBEREQUESTHANDLER\CLSID	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{2387C6BD-9A36-41A2-88ED-FF731E529384}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}	OneDriveSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77708248-f839-436b-8919-527c410f48b9}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\ODOPEN\SHELL\OPEN\COMMAND	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\TypeLib\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\WOW6432NODE\INTERFACE\{1B7AED4F-FCAF-4DA4-8795-C03E635D8EDC}\PROXYSTUBCLSID32	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\SYNCENGINESTORAGEPROVIDERHANDLERPROXY.SYNCENGINESTORAGEPROVIDERHANDLERPROXY\CURVER	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\FILESYNCCLIENT.AUTOPLAYHANDLER\CLSID	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\INTERFACE\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_CLASSES\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TYPELIB	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\0	OneDriveSetup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1736937623-2710279395-1526620350-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0	OneDriveSetup.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

pid	Process
3148	reg.exe
4652	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 47 IoCs

Remote System Discovery

T1018

pid	Process
3240	PING.EXE
1380	PING.EXE
3844	PING.EXE
1852	PING.EXE
5012	PING.EXE
4740	PING.EXE
4576	PING.EXE
1644	PING.EXE
1028	PING.EXE
5092	PING.EXE
1884	PING.EXE
4668	PING.EXE
2040	PING.EXE
1976	PING.EXE
1844	PING.EXE
2808	PING.EXE
3756	PING.EXE
1244	PING.EXE
1844	PING.EXE
4232	PING.EXE
644	PING.EXE
3632	PING.EXE
2032	PING.EXE
4624	PING.EXE
1808	PING.EXE
2888	PING.EXE
2544	PING.EXE
1500	PING.EXE
1044	PING.EXE
1020	PING.EXE
5004	PING.EXE
2808	PING.EXE
2524	PING.EXE
3392	PING.EXE
4988	PING.EXE
1160	PING.EXE
3460	PING.EXE
932	PING.EXE
4084	PING.EXE
4536	PING.EXE
664	PING.EXE
1676	PING.EXE
2496	PING.EXE
2104	PING.EXE
1532	PING.EXE
3392	PING.EXE
3532	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	powershell.exe
1412	powershell.exe
3044	powershell.exe
3044	powershell.exe
2044	powershell.exe
2044	powershell.exe
3812	powershell.exe
3812	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
4496	powershell.exe
4496	powershell.exe
3460	powershell.exe
3460	powershell.exe
4168	powershell.exe
4168	powershell.exe
2856	powershell.exe
2856	powershell.exe
1808	powershell.exe
1808	powershell.exe
3232	powershell.exe
3232	powershell.exe
4120	powershell.exe
4120	powershell.exe
4496	powershell.exe
4496	powershell.exe
3200	OneDriveSetup.exe
3200	OneDriveSetup.exe
1924	powershell.exe
1924	powershell.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
3064	OneDriveSetup.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
5092	powershell.exe
5092	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4040	powershell.exe
4040	powershell.exe
4040	powershell.exe
800	powershell.exe
800	powershell.exe
800	powershell.exe
4632	powershell.exe
4632	powershell.exe
4632	powershell.exe
1736	powershell.exe
1736	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeBackupPrivilege	840	vssvc.exe
Token: SeRestorePrivilege	840	vssvc.exe
Token: SeAuditPrivilege	840	vssvc.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeBackupPrivilege	2468	srtasks.exe
Token: SeRestorePrivilege	2468	srtasks.exe
Token: SeSecurityPrivilege	2468	srtasks.exe
Token: SeTakeOwnershipPrivilege	2468	srtasks.exe
Token: SeBackupPrivilege	2468	srtasks.exe
Token: SeRestorePrivilege	2468	srtasks.exe
Token: SeSecurityPrivilege	2468	srtasks.exe
Token: SeTakeOwnershipPrivilege	2468	srtasks.exe
Token: SeBackupPrivilege	5060	Dism.exe
Token: SeRestorePrivilege	5060	Dism.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeIncreaseQuotaPrivilege	2044	powershell.exe
Token: SeSecurityPrivilege	2044	powershell.exe
Token: SeTakeOwnershipPrivilege	2044	powershell.exe
Token: SeLoadDriverPrivilege	2044	powershell.exe
Token: SeSystemProfilePrivilege	2044	powershell.exe
Token: SeSystemtimePrivilege	2044	powershell.exe
Token: SeProfSingleProcessPrivilege	2044	powershell.exe
Token: SeIncBasePriorityPrivilege	2044	powershell.exe
Token: SeCreatePagefilePrivilege	2044	powershell.exe
Token: SeBackupPrivilege	2044	powershell.exe
Token: SeRestorePrivilege	2044	powershell.exe
Token: SeShutdownPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeSystemEnvironmentPrivilege	2044	powershell.exe
Token: SeRemoteShutdownPrivilege	2044	powershell.exe
Token: SeUndockPrivilege	2044	powershell.exe
Token: SeManageVolumePrivilege	2044	powershell.exe
Token: 33	2044	powershell.exe
Token: 34	2044	powershell.exe
Token: 35	2044	powershell.exe
Token: 36	2044	powershell.exe
Token: SeIncreaseQuotaPrivilege	2044	powershell.exe
Token: SeSecurityPrivilege	2044	powershell.exe
Token: SeTakeOwnershipPrivilege	2044	powershell.exe
Token: SeLoadDriverPrivilege	2044	powershell.exe
Token: SeSystemProfilePrivilege	2044	powershell.exe
Token: SeSystemtimePrivilege	2044	powershell.exe
Token: SeProfSingleProcessPrivilege	2044	powershell.exe
Token: SeIncBasePriorityPrivilege	2044	powershell.exe
Token: SeCreatePagefilePrivilege	2044	powershell.exe
Token: SeBackupPrivilege	2044	powershell.exe
Token: SeRestorePrivilege	2044	powershell.exe
Token: SeShutdownPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeSystemEnvironmentPrivilege	2044	powershell.exe
Token: SeRemoteShutdownPrivilege	2044	powershell.exe
Token: SeUndockPrivilege	2044	powershell.exe
Token: SeManageVolumePrivilege	2044	powershell.exe
Token: 33	2044	powershell.exe
Token: 34	2044	powershell.exe
Token: 35	2044	powershell.exe
Token: 36	2044	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2888	powershell.exe
2888	powershell.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2888	powershell.exe
2888	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3536	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 1092	4484	cmd.exe	81
PID 4484 wrote to memory of 1092	4484	cmd.exe	81
PID 4484 wrote to memory of 3532	4484	cmd.exe	82
PID 4484 wrote to memory of 3532	4484	cmd.exe	82
PID 4484 wrote to memory of 4792	4484	cmd.exe	84
PID 4484 wrote to memory of 4792	4484	cmd.exe	84
PID 4484 wrote to memory of 3496	4484	cmd.exe	85
PID 4484 wrote to memory of 3496	4484	cmd.exe	85
PID 4484 wrote to memory of 1044	4484	cmd.exe	86
PID 4484 wrote to memory of 1044	4484	cmd.exe	86
PID 4484 wrote to memory of 1444	4484	cmd.exe	87
PID 4484 wrote to memory of 1444	4484	cmd.exe	87
PID 4484 wrote to memory of 1412	4484	cmd.exe	88
PID 4484 wrote to memory of 1412	4484	cmd.exe	88
PID 4484 wrote to memory of 3044	4484	cmd.exe	93
PID 4484 wrote to memory of 3044	4484	cmd.exe	93
PID 4484 wrote to memory of 2500	4484	cmd.exe	97
PID 4484 wrote to memory of 2500	4484	cmd.exe	97
PID 4484 wrote to memory of 3240	4484	cmd.exe	98
PID 4484 wrote to memory of 3240	4484	cmd.exe	98
PID 4484 wrote to memory of 1604	4484	cmd.exe	99
PID 4484 wrote to memory of 1604	4484	cmd.exe	99
PID 4484 wrote to memory of 2892	4484	cmd.exe	100
PID 4484 wrote to memory of 2892	4484	cmd.exe	100
PID 4484 wrote to memory of 5060	4484	cmd.exe	101
PID 4484 wrote to memory of 5060	4484	cmd.exe	101
PID 5060 wrote to memory of 3260	5060	Dism.exe	102
PID 5060 wrote to memory of 3260	5060	Dism.exe	102
PID 4484 wrote to memory of 1380	4484	cmd.exe	103
PID 4484 wrote to memory of 1380	4484	cmd.exe	103
PID 4484 wrote to memory of 1084	4484	cmd.exe	104
PID 4484 wrote to memory of 1084	4484	cmd.exe	104
PID 4484 wrote to memory of 4576	4484	cmd.exe	105
PID 4484 wrote to memory of 4576	4484	cmd.exe	105
PID 4484 wrote to memory of 2336	4484	cmd.exe	106
PID 4484 wrote to memory of 2336	4484	cmd.exe	106
PID 4484 wrote to memory of 1808	4484	cmd.exe	107
PID 4484 wrote to memory of 1808	4484	cmd.exe	107
PID 4484 wrote to memory of 1880	4484	cmd.exe	108
PID 4484 wrote to memory of 1880	4484	cmd.exe	108
PID 4484 wrote to memory of 932	4484	cmd.exe	109
PID 4484 wrote to memory of 932	4484	cmd.exe	109
PID 4484 wrote to memory of 1912	4484	cmd.exe	110
PID 4484 wrote to memory of 1912	4484	cmd.exe	110
PID 4484 wrote to memory of 4540	4484	cmd.exe	111
PID 4484 wrote to memory of 4540	4484	cmd.exe	111
PID 4484 wrote to memory of 2876	4484	cmd.exe	112
PID 4484 wrote to memory of 2876	4484	cmd.exe	112
PID 4484 wrote to memory of 1888	4484	cmd.exe	113
PID 4484 wrote to memory of 1888	4484	cmd.exe	113
PID 4484 wrote to memory of 1904	4484	cmd.exe	114
PID 4484 wrote to memory of 1904	4484	cmd.exe	114
PID 4484 wrote to memory of 5096	4484	cmd.exe	115
PID 4484 wrote to memory of 5096	4484	cmd.exe	115
PID 4484 wrote to memory of 3828	4484	cmd.exe	116
PID 4484 wrote to memory of 3828	4484	cmd.exe	116
PID 4484 wrote to memory of 420	4484	cmd.exe	117
PID 4484 wrote to memory of 420	4484	cmd.exe	117
PID 4484 wrote to memory of 2584	4484	cmd.exe	118
PID 4484 wrote to memory of 2584	4484	cmd.exe	118
PID 4484 wrote to memory of 3344	4484	cmd.exe	119
PID 4484 wrote to memory of 3344	4484	cmd.exe	119
PID 4484 wrote to memory of 4760	4484	cmd.exe	120
PID 4484 wrote to memory of 4760	4484	cmd.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Terabyte.Tweaker.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
  2⤵
  PID:1092
- C:\Windows\system32\PING.EXE
  ping -n 2 -w 700 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3532
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:4792
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:3496
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1044
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Checkpoint-Computer -Description 'Terabyte Restore Point'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:2500
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3240
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:1604
- C:\Windows\System32\sfc.exe
  sfc /scannow
  2⤵
  PID:2892
- C:\Windows\System32\Dism.exe
  DISM /Online /Cleanup-Image /RestoreHealth
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Users\Admin\AppData\Local\Temp\EB6701F7-2A8F-4F77-A9B3-3FCE51A5FA14\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\EB6701F7-2A8F-4F77-A9B3-3FCE51A5FA14\dismhost.exe {B778A3E7-F4FF-445E-887B-65104915DA8F}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3260
- C:\Windows\System32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1380
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:1084
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4576
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:2336
- C:\Windows\System32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1808
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:1880
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:932
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:1912
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4540
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
  2⤵
  PID:2876
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
  2⤵
  PID:1888
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
  2⤵
  PID:1904
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
  2⤵
  PID:5096
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:3828
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:420
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2584
- C:\Windows\System32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
  2⤵
  PID:3344
- C:\Windows\System32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:4760
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:3972
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
  2⤵
  PID:4568
- C:\Windows\System32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "UseActionCenterExperience" /t REG_DWORD /d "00000000" /f
  2⤵
  PID:4792
- C:\Windows\System32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d 1 /f
  2⤵
  PID:4536
- C:\Windows\System32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d 0 /f
  2⤵
  PID:4332
- C:\Windows\System32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "CacheHashTableBucketSize" /t REG_DWORD /d "1" /f
  2⤵
  PID:1132
- C:\Windows\System32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "CacheHashTableSize" /t REG_DWORD /d "180" /f
  2⤵
  PID:344
- C:\Windows\System32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "MaxCacheEntryTtlLimit" /t REG_DWORD /d "fa00" /f
  2⤵
  PID:820
- C:\Windows\System32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "MaxSOACacheEntryTtlLimit" /t REG_DWORD /d "12d" /f
  2⤵
  PID:3536
- C:\Windows\System32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t REG_DWORD /d "2" /f
  2⤵
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell Invoke-WebRequest "https://raw.githubusercontent.com/Teramanbr/TerabyteTweaker/main/src/Regedit.reg" -OutFile "C:\Users\Admin\AppData\Local\Temp\Regedit.reg"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\System32\reg.exe
  reg import C:\Users\Admin\AppData\Local\Temp\Regedit.reg
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Server Software Component: Terminal Services DLL
  - Sets service image path in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:3232
- C:\Windows\System32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3392
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:744
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1644
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:4660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "ps onedrive | Stop-Process -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "start-process "$env:windir\SysWOW64\OneDriveSetup.exe" "/uninstall""
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- - C:\Windows\SysWOW64\OneDriveSetup.exe
    "C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3200
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      "C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-1736937623-2710279395-1526620350-1000
      4⤵
      System Location Discovery: System Language Discovery
      PID:5056
  - - C:\Windows\SysWOW64\OneDriveSetup.exe
      C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
      4⤵
      Modifies system executable filetype association
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:3064
    - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
        
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.Getstarted | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.ZuneVideo | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.ZuneMusic | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.GetHelp | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.Messaging | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.WindowsFeedbackHub | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.People | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.Print3D | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage EclipseManager | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage ActiproSoftwareLLC | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage AdobeSystemsIncorporated.AdobePhotoshopExpress | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage 'D5EA27B7.Duolingo-LearnLanguagesforFree' | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage PandoraMediaInc | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage CandyCrush | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage *Wunderlist* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage *Flipboard* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage *Twitter* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage *Facebook* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage *Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage *disney* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BingTravel | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BingHealthAndFitness | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BingFoodAndDrink | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.MicrosoftSolitaireCollection | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage Microsoft.BioEnrollment | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage ContentDeliveryManager | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -command "Get-AppxPackage 'Microsoft.Advertising.Xaml' | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4652
- C:\Windows\System32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3844
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:3972
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1020
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:2532
- C:\Windows\System32\powercfg.exe
  powercfg -restoredefaultschemes
  2⤵
  - Power Settings
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest "https://github.com/Teramanbr/TerabyteTweaker/blob/main/src/PowerPlan.pow?raw=true" -OutFile "C:\TT\PowerPlan.pow"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:1752
- C:\Windows\System32\powercfg.exe
  powercfg /d 44444444-4444-4444-4444-444444444449
  2⤵
  - Power Settings
  PID:3360
- C:\Windows\System32\powercfg.exe
  powercfg -import "C:\TT\PowerPlan.pow" 44444444-4444-4444-4444-444444444449
  2⤵
  - Power Settings
  PID:4624
- C:\Windows\System32\powercfg.exe
  powercfg -SETACTIVE "44444444-4444-4444-4444-444444444449"
  2⤵
  - Power Settings
  PID:3280
- C:\Windows\System32\powercfg.exe
  powercfg /changename 44444444-4444-4444-4444-444444444449 "HoneCtrl's Power Plan" "The Ultimate Power Plan to increase FPS, improve latency and reduce input lag. (Added by Terabyte Tweaker)"
  2⤵
  - Power Settings
  PID:2448
- C:\Windows\System32\powercfg.exe
  powercfg /d 381b4222-f694-41f0-9685-ff5bb260df2e
  2⤵
  - Power Settings
  PID:1684
- C:\Windows\System32\powercfg.exe
  powercfg /d 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
  2⤵
  - Power Settings
  PID:1984
- C:\Windows\System32\powercfg.exe
  powercfg /d a1841308-3541-4fab-bc81-f71556f20b4a
  2⤵
  - Power Settings
  PID:5088
- C:\Windows\System32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1852
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:1336
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4084
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:3396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest "https://cdn.discordapp.com/attachments/798314687321735199/923239120367673434/CLOCKRES.exe" -OutFile "C:\TT\CLOCKRES.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CLOCKRES.exe | find "Current"
  2⤵
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest "https://cdn.discordapp.com/attachments/798314687321735199/923239064738627594/SetTimerResolutionService.exe" -OutFile "C:\TT\SetTimerResolutionService.exe"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:4740
- C:\Windows\system32\sc.exe
  sc config "STR" start= auto
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\net.exe
  NET START STR
  2⤵
  PID:5072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 START STR
    3⤵
    PID:2560
- C:\Windows\system32\bcdedit.exe
  bcdedit /set useplatformtick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3092
- C:\Windows\system32\bcdedit.exe
  bcdedit /set disabledynamictick yes
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:4472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /quiet /s /i SetTimerResolutionService.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888
- C:\Windows\system32\sc.exe
  sc config "STR" start= auto
  2⤵
  - Launches sc.exe
  PID:2480
- C:\Windows\system32\net.exe
  NET START STR
  2⤵
  PID:1780
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 START STR
    3⤵
    PID:1692
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5004
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2732
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1844
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1244
- C:\Windows\system32\reg.exe
  Reg query "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode"
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  Reg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t Reg_DWORD /d "2" /f
  2⤵
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s | findstr "HKEY"
  2⤵
  PID:2884
- - C:\Windows\system32\reg.exe
    Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s
    3⤵
    PID:4652
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:1412
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3844
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3972
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:2636
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
  2⤵
  PID:2532
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
  2⤵
  PID:3384
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t Reg_DWORD /d "4" /f
  2⤵
  PID:1440
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t Reg_DWORD /d "4" /f
  2⤵
  PID:1648
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnablePreemption" /t Reg_DWORD /d "0" /f
  2⤵
  PID:1784
- C:\Windows\system32\reg.exe
  Reg delete "HKCU\Software\Hone" /v "AllGPUTweaks" /f
  2⤵
  PID:1932
- C:\Windows\system32\reg.exe
  reg query "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode"
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  Reg add "HKLM\System\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t Reg_DWORD /d "2" /f
  2⤵
  PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s | findstr "HKEY"
  2⤵
  PID:420
- - C:\Windows\system32\reg.exe
    Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class" /v "VgaCompatible" /s
    3⤵
    PID:3344
- - C:\Windows\system32\findstr.exe
    findstr "HKEY"
    3⤵
    PID:3360
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4496
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /f
  2⤵
  PID:5088
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /f
  2⤵
  PID:4040
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /f
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /f
  2⤵
  PID:3208
- C:\Windows\system32\reg.exe
  reg delete "HKCU\System\GameConfigStore" /v "GameDVR_DSEBehavior" /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t Reg_DWORD /d "2" /f
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t Reg_DWORD /d "2" /f
  2⤵
  PID:644
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Scheduler" /v "EnablePreemption" /t Reg_DWORD /d "1" /f
  2⤵
  PID:1460
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5012
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4932
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2808
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest "https://github.com/Teramanbr/TerabyteTweaker/blob/main/src/CPUTweaks.ps1?raw=true" -OutFile "C:\TT\CPUTweaks.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\TT\CPUTweaks.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1424
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" query HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
    3⤵
    - Modifies registry key
    PID:3148
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" export HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} C:\TT\TTRevert\ognic.reg /y
    3⤵
    PID:2888
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v MIMOPowerSaveMode /t REG_SZ /d 3 /f
    3⤵
    PID:3996
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v PowerSavingMode /t REG_SZ /d 0 /f
    3⤵
    PID:932
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableGreenEthernet /t REG_SZ /d 0 /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *EEE /t REG_SZ /d 0 /f
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *IPSecOffloadV1IPv4 /t REG_SZ /d 0 /f
    3⤵
    PID:2576
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *IPSecOffloadV2IPv4 /t REG_SZ /d 0 /f
    3⤵
    PID:536
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *IPSecOffloadV2 /t REG_SZ /d 0 /f
    3⤵
    PID:2336
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RscIPv4 /t REG_SZ /d 0 /f
    3⤵
    PID:4828
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RscIPv6 /t REG_SZ /d 0 /f
    3⤵
    PID:2884
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *PMNSOffload /t REG_SZ /d 0 /f
    3⤵
    PID:920
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *PMARPOffload /t REG_SZ /d 0 /f
    3⤵
    PID:2188
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *JumboPacket /t REG_SZ /d 0 /f
    3⤵
    PID:3976
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableConnectedPowerGating /t REG_DWORD /d 0 /f
    3⤵
    PID:1020
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableDynamicPowerGating /t REG_SZ /d 0 /f
    3⤵
    PID:3452
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnableSavePowerNow /t REG_SZ /d 0 /f
    3⤵
    PID:5108
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *FlowControl /t REG_SZ /d 0 /f
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *NicAutoPowerSaver /t REG_SZ /d 0 /f
    3⤵
    PID:1784
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v ULPMode /t REG_SZ /d 0 /f
    3⤵
    PID:3904
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v EnablePME /t REG_SZ /d 0 /f
    3⤵
    PID:1732
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v AlternateSemaphoreDelay /t REG_SZ /d 0 /f
    3⤵
    PID:820
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v AutoPowerSaveModeEnabled /t REG_SZ /d 0 /f
    3⤵
    PID:4532
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *NumRssQueues /t REG_SZ /d 2 /f
    3⤵
    PID:1752
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" query HKLM\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
    3⤵
    - Modifies registry key
    PID:4652
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RssBaseProcNumber /f
    3⤵
    PID:2856
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} /v *RssMaxProcNumber /f
    3⤵
    PID:1984
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_USBController get PNPDeviceID
    3⤵
    PID:3220
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v DevicePolicy /t REG_DWORD /d 4 /f
    3⤵
    PID:3464
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24CD&SUBSYS_11001AF4&REV_10\3&11583659&0&20\Device Parameters\Interrupt Management\Affinity Policy" /v AssignmentSetOverride /t REG_BINARY /d 08 /f
    3⤵
    PID:404
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_VideoController get PNPDeviceID
    3⤵
    PID:4792
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v DevicePolicy /t REG_DWORD /d 4 /f
    3⤵
    PID:1724
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&11583659&0&08\Device Parameters\Interrupt Management\Affinity Policy" /v AssignmentSetOverride /t REG_BINARY /d 02 /f
    3⤵
    PID:3308
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" path Win32_NetworkAdapter get PNPDeviceID
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v DevicePolicy /t REG_DWORD /d 4 /f
    3⤵
    PID:4760
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v AssignmentSetOverride /t REG_BINARY /d 0 /f
    3⤵
    PID:2368
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1028
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2100
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5092
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get totalphysicalmemory /value
  2⤵
  PID:4924
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory /value
    3⤵
    PID:540
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "PagingFiles" /t REG_MULTI_SZ /D "c:\pagefile.sys 6141 6141" /f
  2⤵
  PID:3908
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SystemPages" /t REG_DWORD /D "0" /f
  2⤵
  PID:3844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize /format:value
  2⤵
  PID:4972
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get TotalVisibleMemorySize /format:value
    3⤵
    PID:4036
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d 5217772 /f
  2⤵
  PID:2584
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\FTH" /v "Enabled" /t Reg_DWORD /d "0" /f
  2⤵
  PID:872
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d "0" /f
  2⤵
  PID:1972
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4176
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Policies\Microsoft\Windows\AppPrivacy" /v "LetAppsRunInBackground" /t Reg_DWORD /d "2" /f
  2⤵
  PID:1504
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t Reg_DWORD /d "0" /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t Reg_DWORD /d "1" /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  Reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePageCombining" /t REG_DWORD /d "1" /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t Reg_DWORD /d "1" /f
  2⤵
  PID:3228
- C:\Windows\system32\reg.exe
  Reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "HeapDeCommitFreeBlockThreshold" /t REG_DWORD /d "262144" /f
  2⤵
  PID:4040
- C:\Windows\system32\reg.exe
  Reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d "1" /f
  2⤵
  PID:3208
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "DontVerifyRandomDrivers" /t REG_DWORD /d "1" /f
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "LongPathsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1460
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t Reg_DWORD /d "0" /f
  2⤵
  PID:2232
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t Reg_DWORD /d "0" /f
  2⤵
  PID:5012
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4116
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabledDefault" /t REG_DWORD /d "0" /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  Reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t Reg_SZ /d "1000" /f
  2⤵
  PID:4520
- C:\Windows\system32\reg.exe
  Reg add "HKLM\System\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t Reg_SZ /d "1000" /f
  2⤵
  PID:3192
- C:\Windows\system32\reg.exe
  Reg add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t Reg_SZ /d "1000" /f
  2⤵
  PID:4748
- C:\Windows\system32\fsutil.exe
  fsutil behavior set memoryusage 2
  2⤵
  PID:1752
- C:\Windows\system32\fsutil.exe
  fsutil behavior set mftzone 2
  2⤵
  PID:3220
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disablelastaccess 1
  2⤵
  PID:1020
- C:\Windows\system32\fsutil.exe
  fsutil behavior set encryptpagingfile 0
  2⤵
  PID:1784
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disable8dot3 1
  2⤵
  PID:3996
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disablecompression 1
  2⤵
  PID:2576
- C:\Windows\system32\fsutil.exe
  fsutil behavior set disabledeletenotify 0
  2⤵
  PID:2884
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2888
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:564
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4740
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2684
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:1320
- C:\Windows\system32\ipconfig.exe
  ipconfig /renew
  2⤵
  - Gathers network information
  PID:4948
- C:\Windows\system32\ARP.EXE
  arp -d *
  2⤵
  PID:228
- C:\Windows\system32\nbtstat.exe
  nbtstat -R
  2⤵
  PID:3304
- C:\Windows\system32\nbtstat.exe
  nbtstat -RR
  2⤵
  PID:3952
- C:\Windows\system32\ipconfig.exe
  ipconfig /flushdns
  2⤵
  - Gathers network information
  PID:4500
- C:\Windows\system32\ipconfig.exe
  ipconfig /registerdns
  2⤵
  - Gathers network information
  PID:4988
- C:\Windows\system32\netsh.exe
  netsh int tcp set global autotuninglevel=normal
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3808
- C:\Windows\system32\netsh.exe
  netsh interface 6to4 set state disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4624
- C:\Windows\system32\netsh.exe
  netsh int isatap set state disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:644
- C:\Windows\system32\netsh.exe
  netsh int tcp set global timestamps=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  - System Time Discovery
  PID:3700
- C:\Windows\system32\netsh.exe
  netsh int tcp set heuristics disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:764
- C:\Windows\system32\netsh.exe
  netsh int tcp set global chimney=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1532
- C:\Windows\system32\netsh.exe
  netsh int tcp set global ecncapability=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2100
- C:\Windows\system32\netsh.exe
  netsh int tcp set global rsc=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:848
- C:\Windows\system32\netsh.exe
  netsh int tcp set global nonsackrttresiliency=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:908
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1844
- C:\Windows\system32\netsh.exe
  netsh int tcp set security profiles=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2096
- C:\Windows\system32\netsh.exe
  netsh int ip set global icmpredirects=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2636
- C:\Windows\system32\netsh.exe
  netsh int tcp set security mpp=disabled profiles=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3880
- C:\Windows\system32\netsh.exe
  netsh int ip set global multicastforwarding=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3712
- C:\Windows\system32\netsh.exe
  netsh int tcp set supplemental internet congestionprovider=ctcp
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:2840
- C:\Windows\system32\netsh.exe
  netsh interface teredo set state disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:4040
- C:\Windows\system32\netsh.exe
  netsh winsock reset
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3688
- C:\Windows\system32\netsh.exe
  netsh int isatap set state disable
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1880
- C:\Windows\system32\netsh.exe
  netsh int ip set global taskoffload=disabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1092
- C:\Windows\system32\netsh.exe
  netsh int ip set global neighborcachelimit=4096
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1984
- C:\Windows\system32\netsh.exe
  netsh int tcp set global dca=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:820
- C:\Windows\system32\netsh.exe
  netsh int tcp set global netdma=enabled
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell Disable-NetAdapterLso -Name "*"
  2⤵
  PID:1580
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4988
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4552
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4536
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3280
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 0 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4624
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1473 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2808
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 736 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:644
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1104 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1884
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1288 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3392
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1380 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4668
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1426 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1160
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1403 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2544
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1391 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3756
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1385 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2040
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1382 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:664
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1381 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2524
- C:\Windows\system32\PING.EXE
  ping -n 1 -l 1380 -f -4 google.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1676
- C:\Windows\System32\Wbem\WMIC.exe
  wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("8.8.8.8", "8.8.4.4")
  2⤵
  PID:3708
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeContent" /t REG_SZ /d "8.8.4.4" /f
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeContentV6" /t REG_SZ /d "2001:4860:4860::8844" /f
  2⤵
  PID:2852
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeHost" /t REG_SZ /d "dns.google" /f
  2⤵
  PID:712
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveDnsProbeHostV6" /t REG_SZ /d "dns.google" /f
  2⤵
  PID:4180
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "ActiveWebProbeHost" /t REG_SZ /d "www.msftconnecttest.com" /f
  2⤵
  PID:2184
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
  2⤵
  PID:244
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1976
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4036
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1500
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1932
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5068
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spectrum" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3864
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3812
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1360
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserDataSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stisvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4932
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdobeFlashPlayerUpdateSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1880
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GoogleChromeElevationService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2368
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:404
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ibtsiva" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ssh-agent" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3904
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1020
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcaSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3472
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wersvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdatem" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1412
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\debugregsvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndu" /v "Start" /d "2" /t REG_DWORD /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /d "3" /t REG_DWORD /f
  2⤵
  PID:3280
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:4056
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  - Modifies security service
  PID:4960
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertPropSvc" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:3332
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3632
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1876
- C:\Windows\system32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2032
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3300
- C:\Windows\system32\taskkill.exe
  TaskKill /F /IM javaw.exe
  2⤵
  - Kills process with taskkill
  PID:1044
- C:\Windows\System32\PING.EXE
  ping 127.0.0.1 -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2496
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:224
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2104
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:2040
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:3912
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1532
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:2732
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:908
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1244
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:4568
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:904
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1844
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:2452
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:3844
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3460
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:1976
- C:\Windows\System32\chcp.com
  chcp 65001
  2⤵
  PID:4036
- C:\Windows\System32\PING.EXE
  ping localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4232
- C:\Windows\System32\chcp.com
  chcp 437
  2⤵
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Invoke-WebRequest "https://raw.githubusercontent.com/Teramanbr/TerabyteTweaker/main/src/thanksforusing.bat" -OutFile "C:\TT\thanksforusing.bat"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:1132
- C:\Windows\System32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "ThanksForUsing" /t REG_SZ /d C:\TT\thanksforusing.bat /f
  2⤵
  - Adds Run key to start application
  PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell Invoke-WebRequest "https://raw.githubusercontent.com/Teramanbr/TerabyteTweaker/main/src/shutdown.ps1" -OutFile "C:\TT\shutdown.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\TT\shutdown.ps1'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2888
- C:\Windows\System32\shutdown.exe
  shutdown /r /t 500 -c " "
  2⤵
  PID:3092
- C:\Windows\System32\shutdown.exe
  shutdown /r /t 0
  2⤵
  PID:4552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:1888

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.GetHelp_8wekyb3d8bbwe
1⤵
PID:5068

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
1⤵
PID:3304

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.People_8wekyb3d8bbwe
1⤵
PID:4820

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
- System Location Discovery: System Language Discovery
PID:1140

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.BingNews_8wekyb3d8bbwe
1⤵
PID:3916

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.BingWeather_8wekyb3d8bbwe
1⤵
PID:2520

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe
1⤵
PID:4544

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe
1⤵
PID:5096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\TT\thanksforusing.bat
1⤵
PID:2552

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3976055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Power Settings

T1653

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Modify Registry