b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

Resubmissions

07/07/2024, 23:12

240707-26tgkstaqe 10

Analysis

max time kernel
125s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V6.7.bat
Size

202KB
MD5

4acd7d1e7294d4ab4e9db8977d5135e4
SHA1

07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256

b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512

d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
SSDEEP

1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

Score

10^/10

defense_evasion evasion execution persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3028	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
920	powershell.exe
2404	powershell.exe
2636	powershell.exe
2828	powershell.exe
2788	powershell.exe
1036	powershell.exe
684	powershell.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2328	powercfg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1304	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1520	sc.exe
904	sc.exe
1260	sc.exe
668	sc.exe
3044	sc.exe
2904	sc.exe
2740	sc.exe
2604	sc.exe
1824	sc.exe
2848	sc.exe
2372	sc.exe
600	sc.exe
1556	sc.exe
2128	sc.exe
2984	sc.exe
2388	sc.exe
1056	sc.exe
912	sc.exe
2716	sc.exe
1400	sc.exe
2116	sc.exe
2996	sc.exe
1804	sc.exe
2852	sc.exe
892	sc.exe
1332	sc.exe
2188	sc.exe
568	sc.exe
2488	sc.exe
1384	sc.exe
556	sc.exe
2872	sc.exe
2672	sc.exe
1652	sc.exe
1308	sc.exe
908	sc.exe
2496	sc.exe
2364	sc.exe
1496	sc.exe
1936	sc.exe
1156	sc.exe
1040	sc.exe
1560	sc.exe
2244	sc.exe
1036	sc.exe
2476	sc.exe
1388	sc.exe
1544	sc.exe
856	sc.exe
2680	sc.exe
1700	sc.exe
2292	sc.exe
2820	sc.exe
2236	sc.exe
2192	sc.exe
1484	sc.exe
564	sc.exe
2536	sc.exe
1640	sc.exe
2660	sc.exe
2072	sc.exe
2956	sc.exe
2352	sc.exe
2932	sc.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
876	timeout.exe
1484	timeout.exe
1764	timeout.exe
1760	timeout.exe
2408	timeout.exe
2940	timeout.exe
860	timeout.exe
3008	timeout.exe
688	timeout.exe
1136	timeout.exe
2684	timeout.exe
908	timeout.exe
2516	timeout.exe
2916	timeout.exe
904	timeout.exe
1844	timeout.exe
1592	timeout.exe
2504	timeout.exe
2056	timeout.exe
856	timeout.exe
1936	timeout.exe
2372	timeout.exe
448	timeout.exe
1836	timeout.exe
2792	timeout.exe
1040	timeout.exe
1152	timeout.exe
880	timeout.exe
2160	timeout.exe
1056	timeout.exe
1552	timeout.exe
1784	timeout.exe
2408	timeout.exe
2780	timeout.exe
2932	timeout.exe
2748	timeout.exe
792	timeout.exe
1520	timeout.exe
600	timeout.exe
2332	timeout.exe
1700	timeout.exe
2360	timeout.exe
1928	timeout.exe
2804	timeout.exe
2964	timeout.exe
2844	timeout.exe
2608	timeout.exe
2760	timeout.exe
2488	timeout.exe
1316	timeout.exe
1920	timeout.exe
2028	timeout.exe
1304	timeout.exe
1188	timeout.exe
2772	timeout.exe
2560	timeout.exe
1672	timeout.exe
844	timeout.exe
1352	timeout.exe
544	timeout.exe
2812	timeout.exe
1496	timeout.exe
1992	timeout.exe
2128	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\CLSID	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2332	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2828	powershell.exe
2788	powershell.exe
1036	powershell.exe
1304	powershell.exe
920	powershell.exe
2404	powershell.exe
2636	powershell.exe
684	powershell.exe
684	powershell.exe
684	powershell.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeBackupPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2020	vssvc.exe
Token: SeAuditPrivilege	2020	vssvc.exe
Token: SeRestorePrivilege	2800	DrvInst.exe
Token: SeRestorePrivilege	2800	DrvInst.exe
Token: SeRestorePrivilege	2800	DrvInst.exe
Token: SeRestorePrivilege	2800	DrvInst.exe
Token: SeRestorePrivilege	2800	DrvInst.exe
Token: SeRestorePrivilege	2800	DrvInst.exe
Token: SeRestorePrivilege	2800	DrvInst.exe
Token: SeLoadDriverPrivilege	2800	DrvInst.exe
Token: SeLoadDriverPrivilege	2800	DrvInst.exe
Token: SeLoadDriverPrivilege	2800	DrvInst.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeShutdownPrivilege	2328	powercfg.exe
Token: SeShutdownPrivilege	2328	powercfg.exe
Token: SeShutdownPrivilege	2328	powercfg.exe
Token: SeShutdownPrivilege	2328	powercfg.exe
Token: SeShutdownPrivilege	2328	powercfg.exe
Token: SeCreatePagefilePrivilege	2328	powercfg.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1960	taskmgr.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe

Suspicious use of SendNotifyMessage 52 IoCs

pid	Process
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe
1960	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2600	2064	cmd.exe	31
PID 2064 wrote to memory of 2600	2064	cmd.exe	31
PID 2064 wrote to memory of 2600	2064	cmd.exe	31
PID 2064 wrote to memory of 2180	2064	cmd.exe	32
PID 2064 wrote to memory of 2180	2064	cmd.exe	32
PID 2064 wrote to memory of 2180	2064	cmd.exe	32
PID 2064 wrote to memory of 1792	2064	cmd.exe	33
PID 2064 wrote to memory of 1792	2064	cmd.exe	33
PID 2064 wrote to memory of 1792	2064	cmd.exe	33
PID 2064 wrote to memory of 2068	2064	cmd.exe	34
PID 2064 wrote to memory of 2068	2064	cmd.exe	34
PID 2064 wrote to memory of 2068	2064	cmd.exe	34
PID 2064 wrote to memory of 1744	2064	cmd.exe	35
PID 2064 wrote to memory of 1744	2064	cmd.exe	35
PID 2064 wrote to memory of 1744	2064	cmd.exe	35
PID 2064 wrote to memory of 1760	2064	cmd.exe	36
PID 2064 wrote to memory of 1760	2064	cmd.exe	36
PID 2064 wrote to memory of 1760	2064	cmd.exe	36
PID 2064 wrote to memory of 1712	2064	cmd.exe	37
PID 2064 wrote to memory of 1712	2064	cmd.exe	37
PID 2064 wrote to memory of 1712	2064	cmd.exe	37
PID 2064 wrote to memory of 2172	2064	cmd.exe	38
PID 2064 wrote to memory of 2172	2064	cmd.exe	38
PID 2064 wrote to memory of 2172	2064	cmd.exe	38
PID 2064 wrote to memory of 2432	2064	cmd.exe	39
PID 2064 wrote to memory of 2432	2064	cmd.exe	39
PID 2064 wrote to memory of 2432	2064	cmd.exe	39
PID 2432 wrote to memory of 2972	2432	net.exe	40
PID 2432 wrote to memory of 2972	2432	net.exe	40
PID 2432 wrote to memory of 2972	2432	net.exe	40
PID 2064 wrote to memory of 2332	2064	cmd.exe	41
PID 2064 wrote to memory of 2332	2064	cmd.exe	41
PID 2064 wrote to memory of 2332	2064	cmd.exe	41
PID 2064 wrote to memory of 2516	2064	cmd.exe	42
PID 2064 wrote to memory of 2516	2064	cmd.exe	42
PID 2064 wrote to memory of 2516	2064	cmd.exe	42
PID 2064 wrote to memory of 2844	2064	cmd.exe	43
PID 2064 wrote to memory of 2844	2064	cmd.exe	43
PID 2064 wrote to memory of 2844	2064	cmd.exe	43
PID 2064 wrote to memory of 2864	2064	cmd.exe	44
PID 2064 wrote to memory of 2864	2064	cmd.exe	44
PID 2064 wrote to memory of 2864	2064	cmd.exe	44
PID 2064 wrote to memory of 2860	2064	cmd.exe	45
PID 2064 wrote to memory of 2860	2064	cmd.exe	45
PID 2064 wrote to memory of 2860	2064	cmd.exe	45
PID 2064 wrote to memory of 2828	2064	cmd.exe	46
PID 2064 wrote to memory of 2828	2064	cmd.exe	46
PID 2064 wrote to memory of 2828	2064	cmd.exe	46
PID 2064 wrote to memory of 2788	2064	cmd.exe	48
PID 2064 wrote to memory of 2788	2064	cmd.exe	48
PID 2064 wrote to memory of 2788	2064	cmd.exe	48
PID 2064 wrote to memory of 1768	2064	cmd.exe	51
PID 2064 wrote to memory of 1768	2064	cmd.exe	51
PID 2064 wrote to memory of 1768	2064	cmd.exe	51
PID 2064 wrote to memory of 1544	2064	cmd.exe	52
PID 2064 wrote to memory of 1544	2064	cmd.exe	52
PID 2064 wrote to memory of 1544	2064	cmd.exe	52
PID 2064 wrote to memory of 576	2064	cmd.exe	53
PID 2064 wrote to memory of 576	2064	cmd.exe	53
PID 2064 wrote to memory of 576	2064	cmd.exe	53
PID 2064 wrote to memory of 2684	2064	cmd.exe	54
PID 2064 wrote to memory of 2684	2064	cmd.exe	54
PID 2064 wrote to memory of 2684	2064	cmd.exe	54
PID 2064 wrote to memory of 1036	2064	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:2600
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  PID:2180
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:1792
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:1744
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:1760
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:1712
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=auto
  2⤵
  PID:2172
- C:\Windows\system32\net.exe
  net start TrustedInstaller
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start TrustedInstaller
    3⤵
    PID:2972
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2332
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2516
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2844
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2864
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:1768
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:1544
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:576
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Checkpoint-Computer -Description 'OneClick V6.7 Restore Point'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1700
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:408
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:844
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1868
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:3004
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:2604
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:2292
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2608
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:904
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:616
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:1812
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:956
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1352
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:688
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1872
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1316
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:1336
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:544
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:1560
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2360
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2316
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1920
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:2392
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2408
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:2000
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1928
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:2264
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:1032
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:892
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:1952
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:2208
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:2356
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:884
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:1048
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1152
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:2540
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2180
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:2052
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:1724
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1924
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1760
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:1712
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2400
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2812
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:668
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2056
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2332
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2516
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:2868
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:3000
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:880
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2876
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:2632
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2748
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:2988
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  - Launches sc.exe
  PID:2984
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2780
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:2872
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2804
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:2508
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2760
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1188
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:2672
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:856
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1020
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1484
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  PID:2596
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:1788
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  - Launches sc.exe
  PID:2388
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  - Launches sc.exe
  PID:2932
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:2712
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  PID:2660
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:2928
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  PID:2080
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  PID:2852
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  - Launches sc.exe
  PID:1332
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  PID:2472
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:2560
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  PID:1388
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  PID:2132
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  PID:2808
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  PID:2968
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  - Launches sc.exe
  PID:1384
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  - Launches sc.exe
  PID:1824
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:2008
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1036
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:844
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  PID:2604
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:1124
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:904
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  - Launches sc.exe
  PID:912
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  PID:956
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:1352
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:2464
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  - Launches sc.exe
  PID:2848
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  - Launches sc.exe
  PID:2188
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:1280
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:1828
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:1056
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  PID:1636
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:2504
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:2956
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:1784
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:1308
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  - Launches sc.exe
  PID:1260
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:2352
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  - Launches sc.exe
  PID:1804
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:544
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:924
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:2312
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:2348
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  - Launches sc.exe
  PID:556
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:2480
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:2996
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  PID:920
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:2412
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:1920
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  PID:828
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:2108
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  - Launches sc.exe
  PID:1640
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  PID:2992
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  PID:2112
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:1268
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:468
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:884
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  PID:1664
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:1028
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  - Launches sc.exe
  PID:2364
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:1728
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:1944
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  PID:1152
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  PID:2436
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:2540
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc config MSDTC start=demand
  2⤵
  PID:1264
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:1712
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  - Launches sc.exe
  PID:668
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:2516
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  PID:2864
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:2756
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:2632
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  PID:2764
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:2776
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:2900
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:2804
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  PID:1572
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  - Launches sc.exe
  PID:2680
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  PID:2888
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:2568
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2372
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  - Launches sc.exe
  PID:2476
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:1708
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  PID:684
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:1052
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:2636
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3044
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:2752
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:1660
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:2096
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:2772
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:2840
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  - Launches sc.exe
  PID:1544
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  - Launches sc.exe
  PID:1484
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:2596
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:1788
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:2932
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:2712
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  - Launches sc.exe
  PID:2660
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:2928
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:2080
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2852
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:1332
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  PID:2472
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  PID:2560
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  - Launches sc.exe
  PID:1388
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:2132
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:2160
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1520
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  PID:592
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  PID:1084
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  - Launches sc.exe
  PID:1496
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  - Launches sc.exe
  PID:600
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:552
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  - Launches sc.exe
  PID:1700
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  PID:408
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  PID:1868
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  PID:3004
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:2608
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:616
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:1812
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:1408
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  PID:1672
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:1648
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  PID:264
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:532
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  - Launches sc.exe
  PID:1156
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:1592
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:2692
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  PID:1940
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1400
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:1552
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  PID:1288
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:1136
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  - Launches sc.exe
  PID:1040
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  - Launches sc.exe
  PID:1556
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:2252
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  - Launches sc.exe
  PID:564
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:940
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:1100
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:760
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  - Launches sc.exe
  PID:2244
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:2316
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  - Launches sc.exe
  PID:1936
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  - Launches sc.exe
  PID:2536
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:2416
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:2324
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:2264
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:2032
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  - Launches sc.exe
  PID:892
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:1000
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:2208
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2116
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  PID:1508
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:1048
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:3020
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  PID:1728
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  PID:1608
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:2404
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  PID:2428
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:840
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:1792
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:1744
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  - Launches sc.exe
  PID:2904
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  PID:2860
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  PID:880
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  - Launches sc.exe
  PID:2820
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2740
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:2748
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  - Launches sc.exe
  PID:2236
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  PID:2828
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:2784
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  - Launches sc.exe
  PID:2872
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:2508
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  PID:2760
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:1224
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  PID:2736
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:2384
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:3028
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  - Launches sc.exe
  PID:2192
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:2688
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  PID:2624
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:2644
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  PID:2656
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:2672
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  PID:1960
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:2344
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  PID:2832
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  - Launches sc.exe
  PID:856
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:1020
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  PID:2684
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:2376
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  PID:380
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:792
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:2944
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:2964
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  PID:2664
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:2800
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  - Launches sc.exe
  PID:2128
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  - Launches sc.exe
  PID:2072
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:2548
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:1844
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:2948
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:2968
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  PID:964
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:1824
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  - Launches sc.exe
  PID:568
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config smphost start=demand
  2⤵
  PID:1036
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:1876
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:844
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  - Launches sc.exe
  PID:2604
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:1124
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  - Launches sc.exe
  PID:904
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:1272
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:956
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  PID:1872
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  - Launches sc.exe
  PID:2488
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:2848
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:2188
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  PID:1280
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  PID:1964
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  PID:1740
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:1636
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:1356
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  - Launches sc.exe
  PID:2956
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:1784
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  - Launches sc.exe
  PID:1308
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  PID:1260
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  - Launches sc.exe
  PID:2352
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:1804
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  - Launches sc.exe
  PID:908
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:2312
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  - Launches sc.exe
  PID:2496
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  - Launches sc.exe
  PID:2996
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  PID:920
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:2392
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2408
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1936
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:2308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:2000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2108
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:1032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:2512
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:2552
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:1668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:2356
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:1512
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:884
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:2140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:936
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:932
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:1944
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:1612
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1608
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2460
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2428
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2180
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1792
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1924
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:1744
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:1264
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:2172
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2516
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:2856
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2868
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:880
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2328
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:2740
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:2764
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:2988
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:2236
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:2900
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:2196
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:2508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:2620
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:1948
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:2888
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:2736
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:952
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2372
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:2476
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:1708
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- - C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1960
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:2772
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2152
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:792
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1788
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2792
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2944
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2932
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2712
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2964
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2660
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2916
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2076
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2940
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2296
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2128
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1332
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:860
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2072
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2560
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1388
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1844
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2132
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2160
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2948
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1520
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2612
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1764
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1384
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1496
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1824
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:600
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1800
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1992
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1856
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:448
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1876
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3008
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:3012
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3016
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2604
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2028
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2380
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:904
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:912
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:688
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:956
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1672
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1648
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2488
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2164
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1836
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1156
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1592
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1964
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1056
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1940
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2504
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1356
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1552
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1864
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1784
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1288
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1136
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1260
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1040
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1316
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1f20a7451e4145d92ea675370ef5e471

SHA1
713465f699c4e476335742398e4a0867d9b51eeb

SHA256
dac524b722f4edee1de69b75feff45c0de9e0b1ff204bac12eb04eefe64eaf0a

SHA512
682029c1ac9b46a4972a99609935468dd2970f8a50e60a0aff7156e401f5a4b821f51f1a63a1d76cf24154d951c656d8a01fc103d2964eb480e1f6429977f877

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NBILZ6KEZGAY4E5DUVT5.temp

Filesize
7KB

MD5
e3807e4981d2bf852ed8cba6e598dd8a

SHA1
aff10f2aa3f1842032a9ac12722f65d4ccfa3fc6

SHA256
5a848e32adaa4448751365f812150b98150538389da11912f33bad2a583c4faf

SHA512
04d2a5c844810be4c8e102d3abdc2e6ea5d82255186a5dd76947141c59e4c6d4552d93e432973e0d1dee9cf83387ac5c6487aaba418527dcc2154b34275df1c4

Download Submit
memory/1960-49-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1960-50-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1960-51-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2788-11-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2788-12-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2828-4-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2828-5-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download