Analysis
-
max time kernel
128s -
max time network
145s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
29-11-2024 08:28
General
-
Target
Oneclick-V6.7.bat
-
Size
202KB
-
MD5
4acd7d1e7294d4ab4e9db8977d5135e4
-
SHA1
07c5474fcd09ff5843df3f776d665dcf0eef4284
-
SHA256
b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
-
SHA512
d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
-
SSDEEP
1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk
Score
10/10
Malware Config
Signatures
-
Disables service(s) 3 TTPs
-
Modifies security service 2 TTPs 2 IoCs
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Possible privilege escalation attempt 11 IoCs
-
Stops running service(s) 4 TTPs
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 3 IoCs
-
Modifies file permissions 1 TTPs 11 IoCs
-
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Power Settings 1 TTPs 1 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 57 IoCs
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Kills process with taskkill 8 IoCs
-
Modifies Control Panel 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 53 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
cURL User-Agent 5 IoCs
Uses User-Agent string associated with cURL utility.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\fltMC.exefltmc2⤵
-
-
C:\Windows\system32\sc.exesc query "WinDefend"2⤵
-
-
C:\Windows\system32\find.exefind "STATE"2⤵
-
-
C:\Windows\system32\find.exefind "RUNNING"2⤵
-
-
C:\Windows\system32\sc.exesc qc "TrustedInstaller"2⤵
-
-
C:\Windows\system32\find.exefind "START_TYPE"2⤵
-
-
C:\Windows\system32\find.exefind "DISABLED"2⤵
-
-
C:\Windows\system32\sc.exesc config TrustedInstaller start=auto2⤵
-
-
C:\Windows\system32\net.exenet start TrustedInstaller2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TrustedInstaller3⤵
-
-
-
C:\Windows\system32\curl.execurl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\tar.exetar -xf "C:\\Oneclick Tools.zip" --strip-components=12⤵
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout 22⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"2⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f2⤵
- Modifies visibility of file extensions in Explorer
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f2⤵
- Modifies registry key
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\powercfg.exepowercfg.exe /hibernate off2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 02⤵
- UAC bypass
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config ALG start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config AppIDSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config AppMgmt start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config AppReadiness start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config AppVClient start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config AppXSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Appinfo start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config AssignedAccessManagerSvc start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config AudioEndpointBuilder start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config AudioSrv start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config Audiosrv start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config AxInstSV start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config BDESVC start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config BFE start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config BITS start=delayed-auto2⤵
-
-
C:\Windows\system32\sc.exesc config BTAGService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config BcastDVRUserService_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config BluetoothUserService_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config BrokerInfrastructure start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config Browser start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config BthHFSrv start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config CDPSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config CDPUserSvc_dc2a4 start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config COMSysApp start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config CaptureService_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config CertPropSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config ClipSVC start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config ConsentUxUserSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config CoreMessagingRegistrar start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config CryptSvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config CscService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DPS start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config DcomLaunch start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config DcpSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DevQueryBroker start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DeviceAssociationBrokerSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DeviceAssociationService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DeviceInstall start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DevicePickerUserSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Dhcp start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DialogBlockingService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DispBrokerDesktopSvc start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DisplayEnhancementService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config Dnscache start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config DoSvc start=delayed-auto2⤵
-
-
C:\Windows\system32\sc.exesc config DsSvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DsmSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config DusmSvc start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config EFS start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config EapHost start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config EntAppSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config EventLog start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config EventSystem start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config FDResPub start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Fax start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config FontCache start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config FrameServer start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config FrameServerMonitor start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config GraphicsPerfSvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config HomeGroupListener start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config HomeGroupProvider start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config HvHost start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config IEEtwCollectorService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config IKEEXT start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config InstallService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config InventorySvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config IpxlatCfgSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config KeyIso start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config KtmRm start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config LSM start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config LanmanServer start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config LanmanWorkstation start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config LicenseManager start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config LxpSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config MSDTC start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config MSiSCSI start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config MapsBroker start=delayed-auto2⤵
-
-
C:\Windows\system32\sc.exesc config McpManagementService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config MessagingService_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config MicrosoftEdgeElevationService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config MixedRealityOpenXRSvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config MpsSvc start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config MsKeyboardFilter start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NPSMSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NaturalAuthentication start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NcaSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NcbService start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config NcdAutoSetup start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NetSetupSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NetTcpPortSharing start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Netlogon start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config Netman start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NgcCtnrSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NgcSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config NlaSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config OneSyncSvc_dc2a4 start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config P9RdrService_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PNRPAutoReg start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PNRPsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PcaSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PeerDistSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PenService_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PerfHost start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PhoneSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PimIndexMaintenanceSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PlugPlay start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config PolicyAgent start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Power start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config PrintNotify start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config PrintWorkflowUserSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config ProfSvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config PushToInstall start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config QWAVE start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config RasAuto start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config RasMan start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config RemoteAccess start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RemoteRegistry start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RetailDemo start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config RmSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config RpcEptMapper start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config RpcLocator start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config RpcSs start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config SCPolicySvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SCardSvr start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SDRSVC start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config SEMgrSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SENS start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config SNMPTRAP start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config SNMPTrap start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SSDPSRV start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SamSs start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config ScDeviceEnum start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Schedule start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config SecurityHealthService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Sense start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SensorDataService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SensorService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SensrSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SessionEnv start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config SgrmBroker start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config SharedAccess start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SharedRealitySvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config ShellHWDetection start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config SmsRouter start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Spooler start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config SstpSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config StateRepository start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config StiSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config StorSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config SysMain start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config SystemEventsBroker start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config TabletInputService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config TapiSrv start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config TermService start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config TextInputManagementService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Themes start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config TieringEngineService start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config TimeBroker start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config TimeBrokerSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config TokenBroker start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config TrkWks start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config TroubleshootingSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config TrustedInstaller start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config UI0Detect start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config UdkUserSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config UevAgentService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config UmRdpService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config UnistoreSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config UserDataSvc_dc2a4 start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config UserManager start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config UsoSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config VGAuthService start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config VMTools start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config VSS start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config VacSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config VaultSvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config W32Time start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WEPHOSTSVC start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WFDSConMgrSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WManSvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WPDBusEnum start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WSService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WSearch start=delayed-auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WaaSMedicSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WalletService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WarpJITSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WbioSrvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Wcmsvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config WcsPlugInService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WdNisSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WdiServiceHost start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WdiSystemHost start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WebClient start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Wecsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WerSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WiaRpc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WinRM start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config Winmgmt start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config WlanSvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WpnService start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config WpnUserService_dc2a4 start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WwanSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config XblAuthManager start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config XblGameSave start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config XboxGipSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config XboxNetApiSvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config autotimesvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config bthserv start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config camsvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config cbdhsvc_dc2a4 start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config cloudidsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config dcsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config defragsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config diagsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config dmwappushservice start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config dot3svc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config edgeupdate start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config edgeupdatem start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config embeddedmode start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config fdPHost start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config fhsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config gpsvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config hidserv start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config icssvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config iphlpsvc start=auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config lfsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config lltdsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config lmhosts start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config mpssvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config msiserver start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config netprofm start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config nsi start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config p2pimsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config p2psvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config perceptionsimulation start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config pla start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config seclogon start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config shpamsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config smphost start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config spectrum start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config sppsvc start=delayed-auto2⤵
-
-
C:\Windows\system32\sc.exesc config ssh-agent start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config svsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config swprv start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config tiledatamodelsvc start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config tzautoupdate start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config uhssvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config upnphost start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vds start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vm3dservice start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vmicguestinterface start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vmicheartbeat start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vmickvpexchange start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vmicrdv start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config vmicshutdown start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vmictimesync start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config vmicvmsession start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vmicvss start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config vmvss start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config wbengine start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config wcncsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config webthreatdefsvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config webthreatdefusersvc_dc2a4 start=auto2⤵
-
-
C:\Windows\system32\sc.exesc config wercplsupport start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config wisvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config wlidsvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config wlpasvc start=demand2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config wmiApSrv start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config workfolderssvc start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config wscsvc start=delayed-auto2⤵
-
-
C:\Windows\system32\sc.exesc config wuauserv start=demand2⤵
-
-
C:\Windows\system32\sc.exesc config wudfsvc start=demand2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {current} bootmenupolicy Legacy2⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"2⤵
-
C:\Windows\system32\reg.exereg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild3⤵
-
-
C:\Windows\system32\findstr.exefindstr /r /c:"CurrentBuild"3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\Taskmgr.exe"C:\Windows\system32\Taskmgr.exe"3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Windows\system32\timeout.exetimeout /t 22⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences2⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im taskmgr.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\icacls.exeicacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"2⤵
- Command and Scripting Interpreter: PowerShell
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\system32\curl.execurl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"2⤵
-
-
C:\Windows\system32\curl.execurl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"2⤵
-
-
C:\Oneclick Tools\OOShutup10\OOSU10.exe"C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet2⤵
- Modifies security service
- Executes dropped EXE
- Modifies Control Panel
- Modifies registry class
- System policy modification
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\sc.exesc config wlidsvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DisplayEnhancementService start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DiagTrack start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DusmSvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config TabletInputService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RetailDemo start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Fax start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SharedAccess start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config lfsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WpcMonSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SessionEnv start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config MicrosoftEdgeElevationService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config edgeupdate start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config edgeupdatem start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config autotimesvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config CscService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config TermService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SensorDataService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SensorService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SensrSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config shpamsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config PhoneSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config TapiSrv start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config UevAgentService start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WalletService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config TokenBroker start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WebClient start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config MixedRealityOpenXRSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config stisvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WbioSrvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config icssvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config Wecsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config XboxGipSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config XblAuthManager start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config XboxNetApiSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config XblGameSave start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config SEMgrSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config iphlpsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Backupper Service start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config BDESVC start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config cbdhsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config CDPSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config CDPUserSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DevQueryBroker start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config dmwappushservice start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DispBrokerDesktopSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config TrkWks start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config dLauncherLoopback start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config EFS start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config fdPHost start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config FDResPub start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config IKEEXT start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config NPSMSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WPDBusEnum start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config PcaSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RasMan start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RetailDemo start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SstpSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config ShellHWDetection start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SSDPSRV start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SysMain start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config OneSyncSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config lmhosts start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config UserDataSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config UnistoreSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Wcmsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config FontCache start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config W32Time start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config tzautoupdate start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DsSvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DevicesFlowUserSvc_5f1ad start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config diagsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DialogBlockingService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config PimIndexMaintenanceSvc_5f1ad start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config MessagingService_5f1ad start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config AppVClient start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config MsKeyboardFilter start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config NetTcpPortSharing start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config ssh-agent start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SstpSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config OneSyncSvc_5f1ad start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config wercplsupport start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WerSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WpnUserService_5f1ad start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start= disabled2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDInstallLauncher" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDLinkUpdate" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "Driver Easy Scheduled Scan" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "ModifyLinkUpdate" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "SoftMakerUpdater" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "StartCN" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /DELETE /TN "StartDVR" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc stop uhssvc2⤵
-
-
C:\Windows\system32\sc.exesc stop upfc2⤵
-
-
C:\Windows\system32\sc.exesc stop PushToInstall2⤵
-
-
C:\Windows\system32\sc.exesc stop BITS2⤵
-
-
C:\Windows\system32\sc.exesc stop InstallService2⤵
-
-
C:\Windows\system32\sc.exesc stop uhssvc2⤵
-
-
C:\Windows\system32\sc.exesc stop UsoSvc2⤵
-
-
C:\Windows\system32\sc.exesc stop wuauserv2⤵
-
-
C:\Windows\system32\sc.exesc stop LanmanServer2⤵
-
-
C:\Windows\system32\sc.exesc config BITS start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config InstallService start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config uhssvc start= disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config LanmanServer start= disabled2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f2⤵
- Modifies security service
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config RemoteRegistry start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RemoteAccess start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WinRM start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RmSvc start= disabled2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config PrintNotify start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Spooler start= disabled2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config PrintNotify start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Spooler start= disabled2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config NlaSvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config LanmanWorkstation start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config BFE start= demand2⤵
-
-
C:\Windows\system32\sc.exesc config Dnscache start= demand2⤵
-
-
C:\Windows\system32\sc.exesc config WinHttpAutoProxySvc start= demand2⤵
-
-
C:\Windows\system32\sc.exesc config Dhcp start= auto2⤵
-
-
C:\Windows\system32\sc.exesc config DPS start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config lmhosts start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config nsi start= auto2⤵
-
-
C:\Windows\system32\sc.exesc config Wcmsvc start= disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Winmgmt start= auto2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WlanSvc start= demand2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 650012⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config ALG start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config AJRouter start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config XblAuthManager start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config XblGameSave start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config XboxNetApiSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WSearch start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config lfsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RemoteRegistry start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SEMgrSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config SCardSvr start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Netlogon start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config CscService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config icssvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config wisvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config RetailDemo start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WalletService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Fax start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WbioSrvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config iphlpsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config wcncsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config fhsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config PhoneSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config seclogon start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config FrameServer start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WbioSrvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config StiSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config PcaSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DPS start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config MapsBroker start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config bthserv start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config BDESVC start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config BthAvctpSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WpcMonSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DiagTrack start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config CertPropSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WdiServiceHost start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config lmhosts start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WdiSystemHost start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config TrkWks start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WerSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config TabletInputService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config EntAppSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Spooler start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config BcastDVRUserService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config WMPNetworkSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config diagnosticshub.standardcollector.service start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DmEnrollmentSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config PNRPAutoReg start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config wlidsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config AXInstSV start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config lfsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config NcbService start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config DeviceAssociationService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config StorSvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config TieringEngineService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config DPS start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config Themes start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config AppReadiness start=disabled2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config HvHost start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmickvpexchange start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmicguestinterface start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmicshutdown start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmicheartbeat start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmicvmsession start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmicrdv start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmictimesync start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config vmicvss start=disabled2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config edgeupdate start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config edgeupdatem start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config GoogleChromeElevationService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config gupdate start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config gupdatem start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config BraveElevationService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config brave start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config bravem start=disabled2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\sc.exesc config NcbService start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config jhi_service start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config WMIRegistrationService start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc config "Intel(R) TPM Provisioning Service" start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config ipfsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config igccservice start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config cplspcon start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config esifsvc start=disabled2⤵
-
-
C:\Windows\system32\sc.exesc config LMS start=disabled2⤵
-
-
C:\Oneclick Tools\NSudo\NSudoLG.exe"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Oneclick Tools\NSudo\NSudoLG.exe"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleaner Update" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleanerCrashReporting" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleaner Update" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleanerCrashReporting" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im msedge.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\taskkill.exetaskkill.exe /F /IM "OneDrive.exe"2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill.exe /F /IM "explorer.exe"2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\reg.exereg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg load "hku\Default" "C:\Users\Default\NTUSER.DAT"2⤵
-
-
C:\Windows\system32\reg.exereg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f2⤵
-
-
C:\Windows\system32\reg.exereg unload "hku\Default"2⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn "OneDrive*" /f2⤵
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\UsoClient.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM WidgetService.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\taskkill.exetaskkill /F /IM Widgets.exe2⤵
- Kills process with taskkill
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f2⤵
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\System32\smartscreen.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
C:\Windows\system32\timeout.exetimeout 12⤵
- Delays execution with timeout.exe
-
-
C:\Windows\system32\chcp.comchcp 4372⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Component Object Model Hijacking
1Power Settings
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Active Setup
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
2Hidden Files and Directories
1Ignore Process Interrupts
1Impair Defenses
3Disable or Modify Tools
2Indicator Removal
1File Deletion
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
564KB
MD5d2be90c23063c07c5bf6e02c9400ac35
SHA1c2ca99de035c17ba9b7912c26725efffe290b1db
SHA2569422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
SHA51213935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e
-
Filesize
174KB
MD5423129ddb24fb923f35b2dd5787b13dd
SHA1575e57080f33fa87a8d37953e973d20f5ad80cfd
SHA2565094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
SHA512d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce
-
Filesize
1.9MB
MD54803e06db91fdb8b6d1b65c0010d2f87
SHA1f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c
SHA256beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b
SHA512f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6
-
Filesize
2KB
MD5109f47ced5da3f92362c49069fc4624e
SHA179b611073aa0006f1bb4058a6ecb6f3cc97391d6
SHA2562508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b
SHA51255a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774
-
Filesize
2KB
MD5ed30ca9187bf5593affb3dc9276309a6
SHA1c63757897a6c43a44102b221fe8dc36355e99359
SHA25681fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122
SHA5121df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810
-
Filesize
414KB
MD5ab79489e9704fc9cc9d8bee4f8e17ec5
SHA1b2e19a89b43d537bb5b02ee9ca2418f027259c1e
SHA2564d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e
SHA51260d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD57ee0b8820c7d05b6373323fb9fe86b03
SHA1903a38b30017911439016430da005d50a0be6f1d
SHA2566139a2bc3de6b9e99ada678d6b875e63b02aa64b9667d1281a021bdf7d923f25
SHA51279c94bcad00ccbcf0961a86bff7a06d6bc75fd83f50836747be6ba9ca74efc1290da84d91646dade522755047d3ba7783738fcbc770480310e541989419d0e5b
-
Filesize
1KB
MD58f2086d6a5f6d698abcc042a8d743adb
SHA1dae50035e31c8431f0c958a8b5d784ffdc5c648c
SHA2565f7e6bf3e9b1a1089addb242b6765d0d04830607d209fb24d72e1b0308e32dea
SHA51238a2f55356d78a08212a4e64d164c50f367bf735fd410239d8e9f95ca4a9fbea8bbfab44c74e2b4807266aa294c05e9d0554ec6ad4a08d000b77c7c4d64d9005
-
Filesize
1KB
MD5f13461195b049aecbed62579f19d9255
SHA1a5494c5f797faf38fa88d5bc160a77952a1e3a21
SHA25658671d2e63925ba5948347b53b9bbeb905ced7a923d844ee2288e91636f98e1b
SHA5127973aea496653e73df46a23ab97243bfa47e133016e47579fa7ecab4402bfbcad4cc1c8ad69ba5073ad829dc3b52e5d82c17893ee3d31b3c2452c18dd1d17208
-
Filesize
1KB
MD5288697c4ef77463da4208102a08c264b
SHA11b850fe04dfe803cf4dd455c2839311d0f5d0aea
SHA256cd11232439c16f8f53befddc6159b51ef456cfa355c1b4d67737bf4032b06dc5
SHA512e431c37d313ea300a2732e4008490719b3eba8a4003962de471771671438b9bfec2bebbedf345e9241145e70f3aad3b66c0c9c3c71e1dab057e6d12e536e93d9
-
Filesize
1KB
MD5f5011a071cca0ab57be15bf247cab695
SHA1ac3085865e4d5622d5143f2cb032bc3e38e860ca
SHA2565b43149e0c4acb1af32f4592119761afac28b3597178851ac7bb72c8b52b77ef
SHA5127e712c7a9165b2ea5e60039338a11b00d0b697f9faa902ca7b752a2c3c1f359cc0270969fce6337926c074c001099556c3044a15f148dae5612bda166a74e97b
-
Filesize
64B
MD58147d41cbfc6d2a7d20a296fbfe23f85
SHA1c95e8744e9223e63f1887627e4d6b91dc1ace4c8
SHA2560c2622523a70e4f811504f2f92e8fb811398626e1374811c52f451c9076fd925
SHA512afa0f60a070ed13df3866c9824fc40739cf55ed902b5c2b02eb5c7983863a395643b10591166750bf06ea73b1c9d370db707de5caef9778fee3851de813745fa
-
Filesize
1KB
MD5b393e1aae554dd45961c38666996e0dd
SHA1ecdbf730b4bdbb19b63824f20726ed621c224fb8
SHA2563bf951123b475242f39407221b43207386af7a5fef5dc70f3eb262ce9ee7cdc4
SHA512283c040139a98d82dedbbebd5bf9875bcb668c17eaf7b1ebe3c76ca17f3d5b06f7d9820ea17878c96560c305a4c006c076da4b76106aa72120f3d41cafd56380
-
Filesize
1KB
MD530f38c2df9473fe5e5d827e8df7a8874
SHA1e13d48170de6ced3d5b6eac81f775c4a1af6d84d
SHA2568323994ec4fb5fa6a8854ca32c97b7e22547fa92b96dd577b6d3ee59c03607bf
SHA51246b0979c20f17b3982ccb62b8ec8f83747a202b1cb46151bb87002f8c7748938447c6e797f333db8268eb73979bb1fed725cd4530b1ba3cfea8ad49461864d9e
-
Filesize
1KB
MD5d2a94c40f72f8257c0606d218d0bfdb1
SHA1320fa2cf2b67cc1517646bb7508ab5cb54be5cb2
SHA2568e210ed77ff692f070c1131c50f1f37e7327089117b0a5184f5082868607b6ee
SHA512db8186f9b304ac7309c895c9ce6562882a58fdd6553741062c648c7ab3b25af8df066fd1280d664234512798c96b672ed9e098754a81002ee084187e07782243
-
Filesize
64B
MD5f1747542a671fd107fed2cfd2d896d90
SHA18ac126edf52674efd183c743f91576721bac649f
SHA2563a7e5cb5abda57415f6567a66400c2949cee9050c0660c9c5d68fb126c4895dd
SHA512b1ea7c875bed498d6ca9cc25a5f48dbcdc0ec0f3075485351697ac8dc35b3badbc528082b7fb1e1a3784967cfdb5ed5963f60b38083b12da0f399ab28836e0e3
-
Filesize
2KB
MD5b66bbcab3295357256db139e1fa8988d
SHA169a1960204b3978607490c66c0035ef414af8b6f
SHA256ffe6dce230c72ddab014febcb24219d3c7ea28e7a8d62753cb1274e6d211ac97
SHA512a7dfec7be087b2ec211a2d5e2f4e2d536bd4b1530c3fe1e63e4a7c4adcd9c9348c4886d77091538f2e922b632c75f312342bf721da152c98f84139978136aa97
-
Filesize
96B
MD5981b6e891674d906874cdc21d1721367
SHA1808933593c0ce3813bc22e972ca04e4e21177648
SHA2560ef58a35ea0209dc424f1d8fbd2118b05c37da5b70cf006c5ad04899c1ffbc7d
SHA512db0901f67dd4b2f8d1bd0ee0d109918312eb705163938e3e4427e9ad4fdf400343ed684eb661febd13d65e81de7464a17a3772958b14f706666e30f6691585ca
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
144KB
-
Filesize
168KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
104KB
-
Filesize
664KB
-
Filesize
1.9MB
-
Filesize
744KB
-
Filesize
136KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
1024KB
-
Filesize
88KB
-
Filesize
152KB
-
Filesize
40KB