3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
149s
max time network
134s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/1- Oneclick V6.7 (Ultimate Performance)/Oneclick V6.7.bat
Size

202KB
MD5

4acd7d1e7294d4ab4e9db8977d5135e4
SHA1

07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256

b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512

d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36
SSDEEP

1536:97SPKdigMQgPTjIV4wJzSwTgfGH/ngfHH4pX/paZSiDk2IWOmXmomk:9nnHgvOh4KmXmomk

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5072	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3620	powershell.exe
2440	powershell.exe
4960	powershell.exe
2396	powershell.exe
5084	powershell.exe
3976	powershell.exe
1724	powershell.exe
1148	powershell.exe
856	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
1172	OOSU10.exe
236	NSudoLG.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4536	icacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
27	raw.githubusercontent.com
53	drive.google.com
54	drive.google.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5056	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{6b7606c2-4a7a-4e11-a0c2-737c20a3cc1f}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3785588363-1079601362-4184885025-1000_StartupInfo2.xml	svchost.exe
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3785588363-1079601362-4184885025-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 3 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2440	powershell.exe
4408	powershell.exe
3976	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1468	sc.exe
3224	sc.exe
3824	sc.exe
4120	sc.exe
3048	sc.exe
4580	sc.exe
4312	sc.exe
1636	sc.exe
2344	sc.exe
3084	sc.exe
3352	sc.exe
4668	sc.exe
3248	sc.exe
2512	sc.exe
400	sc.exe
4804	sc.exe
4316	sc.exe
3320	sc.exe
2660	sc.exe
2592	sc.exe
2816	sc.exe
4572	sc.exe
2596	sc.exe
3424	sc.exe
4308	sc.exe
4308	sc.exe
1980	sc.exe
2368	sc.exe
1084	sc.exe
1736	sc.exe
3472	sc.exe
3920	sc.exe
3704	sc.exe
3460	sc.exe
2696	sc.exe
2136	sc.exe
876	sc.exe
3656	sc.exe
3732	sc.exe
3700	sc.exe
4492	sc.exe
4968	sc.exe
1448	sc.exe
944	sc.exe
2580	sc.exe
1352	sc.exe
2052	sc.exe
5108	sc.exe
2320	sc.exe
4220	sc.exe
1188	sc.exe
1184	sc.exe
1488	sc.exe
3352	sc.exe
3408	sc.exe
4004	sc.exe
1096	sc.exe
4304	sc.exe
1852	sc.exe
3016	sc.exe
4360	sc.exe
4588	sc.exe
1056	sc.exe
1156	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 47 IoCs

evasion

pid	Process
1224	timeout.exe
3016	timeout.exe
4228	timeout.exe
2496	timeout.exe
4112	timeout.exe
3396	timeout.exe
1836	timeout.exe
4680	timeout.exe
1224	timeout.exe
3352	timeout.exe
3048	timeout.exe
4772	timeout.exe
740	timeout.exe
2444	timeout.exe
936	timeout.exe
3816	timeout.exe
3932	timeout.exe
2344	timeout.exe
2316	timeout.exe
5084	timeout.exe
4768	timeout.exe
1096	timeout.exe
2512	timeout.exe
1084	timeout.exe
740	timeout.exe
4712	timeout.exe
704	timeout.exe
4316	timeout.exe
4684	timeout.exe
4852	timeout.exe
3212	timeout.exe
5080	timeout.exe
2192	timeout.exe
3480	timeout.exe
4912	timeout.exe
5072	timeout.exe
668	timeout.exe
1076	timeout.exe
1156	timeout.exe
3504	timeout.exe
4256	timeout.exe
1836	timeout.exe
1964	timeout.exe
60	timeout.exe
2356	timeout.exe
2412	timeout.exe
3476	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 1 IoCs

evasion

pid	Process
4592	taskkill.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	OOSU10.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\CLSID	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1"	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0"	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ShowSearchSuggestionsGlobal = "0"	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\EnableCortana = "0"	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory\ = "0"	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	OOSU10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no"	OOSU10.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1500	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1148	powershell.exe
1148	powershell.exe
2440	powershell.exe
2440	powershell.exe
4960	powershell.exe
4960	powershell.exe
2396	powershell.exe
2396	powershell.exe
856	powershell.exe
856	powershell.exe
3620	powershell.exe
3620	powershell.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
4408	powershell.exe
4408	powershell.exe
2320	svchost.exe
2320	svchost.exe
1724	powershell.exe
1724	powershell.exe
5084	powershell.exe
5084	powershell.exe
3976	powershell.exe
3976	powershell.exe
236	NSudoLG.exe
236	NSudoLG.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeBackupPrivilege	2652	TiWorker.exe
Token: SeRestorePrivilege	2652	TiWorker.exe
Token: SeSecurityPrivilege	2652	TiWorker.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeShutdownPrivilege	5056	powercfg.exe
Token: SeCreatePagefilePrivilege	5056	powercfg.exe
Token: SeShutdownPrivilege	5056	powercfg.exe
Token: SeCreatePagefilePrivilege	5056	powercfg.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeIncreaseQuotaPrivilege	856	powershell.exe
Token: SeSecurityPrivilege	856	powershell.exe
Token: SeTakeOwnershipPrivilege	856	powershell.exe
Token: SeLoadDriverPrivilege	856	powershell.exe
Token: SeSystemProfilePrivilege	856	powershell.exe
Token: SeSystemtimePrivilege	856	powershell.exe
Token: SeProfSingleProcessPrivilege	856	powershell.exe
Token: SeIncBasePriorityPrivilege	856	powershell.exe
Token: SeCreatePagefilePrivilege	856	powershell.exe
Token: SeBackupPrivilege	856	powershell.exe
Token: SeRestorePrivilege	856	powershell.exe
Token: SeShutdownPrivilege	856	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeSystemEnvironmentPrivilege	856	powershell.exe
Token: SeRemoteShutdownPrivilege	856	powershell.exe
Token: SeUndockPrivilege	856	powershell.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe
3680	Taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 3032	4420	cmd.exe	81
PID 4420 wrote to memory of 3032	4420	cmd.exe	81
PID 4420 wrote to memory of 3920	4420	cmd.exe	82
PID 4420 wrote to memory of 3920	4420	cmd.exe	82
PID 4420 wrote to memory of 4680	4420	cmd.exe	83
PID 4420 wrote to memory of 4680	4420	cmd.exe	83
PID 4420 wrote to memory of 2592	4420	cmd.exe	84
PID 4420 wrote to memory of 2592	4420	cmd.exe	84
PID 4420 wrote to memory of 4368	4420	cmd.exe	85
PID 4420 wrote to memory of 4368	4420	cmd.exe	85
PID 4420 wrote to memory of 4452	4420	cmd.exe	86
PID 4420 wrote to memory of 4452	4420	cmd.exe	86
PID 4420 wrote to memory of 1040	4420	cmd.exe	87
PID 4420 wrote to memory of 1040	4420	cmd.exe	87
PID 4420 wrote to memory of 2596	4420	cmd.exe	88
PID 4420 wrote to memory of 2596	4420	cmd.exe	88
PID 4420 wrote to memory of 944	4420	cmd.exe	89
PID 4420 wrote to memory of 944	4420	cmd.exe	89
PID 944 wrote to memory of 824	944	net.exe	90
PID 944 wrote to memory of 824	944	net.exe	90
PID 4420 wrote to memory of 2852	4420	cmd.exe	93
PID 4420 wrote to memory of 2852	4420	cmd.exe	93
PID 4420 wrote to memory of 936	4420	cmd.exe	98
PID 4420 wrote to memory of 936	4420	cmd.exe	98
PID 4420 wrote to memory of 2320	4420	cmd.exe	99
PID 4420 wrote to memory of 2320	4420	cmd.exe	99
PID 4420 wrote to memory of 4760	4420	cmd.exe	100
PID 4420 wrote to memory of 4760	4420	cmd.exe	100
PID 4420 wrote to memory of 2316	4420	cmd.exe	101
PID 4420 wrote to memory of 2316	4420	cmd.exe	101
PID 4420 wrote to memory of 3256	4420	cmd.exe	102
PID 4420 wrote to memory of 3256	4420	cmd.exe	102
PID 4420 wrote to memory of 892	4420	cmd.exe	103
PID 4420 wrote to memory of 892	4420	cmd.exe	103
PID 4420 wrote to memory of 1148	4420	cmd.exe	104
PID 4420 wrote to memory of 1148	4420	cmd.exe	104
PID 4420 wrote to memory of 3816	4420	cmd.exe	107
PID 4420 wrote to memory of 3816	4420	cmd.exe	107
PID 4420 wrote to memory of 1104	4420	cmd.exe	108
PID 4420 wrote to memory of 1104	4420	cmd.exe	108
PID 4420 wrote to memory of 2496	4420	cmd.exe	109
PID 4420 wrote to memory of 2496	4420	cmd.exe	109
PID 4420 wrote to memory of 4024	4420	cmd.exe	110
PID 4420 wrote to memory of 4024	4420	cmd.exe	110
PID 4420 wrote to memory of 2972	4420	cmd.exe	111
PID 4420 wrote to memory of 2972	4420	cmd.exe	111
PID 4420 wrote to memory of 4772	4420	cmd.exe	112
PID 4420 wrote to memory of 4772	4420	cmd.exe	112
PID 4420 wrote to memory of 3840	4420	cmd.exe	113
PID 4420 wrote to memory of 3840	4420	cmd.exe	113
PID 4420 wrote to memory of 1224	4420	cmd.exe	114
PID 4420 wrote to memory of 1224	4420	cmd.exe	114
PID 4420 wrote to memory of 4468	4420	cmd.exe	115
PID 4420 wrote to memory of 4468	4420	cmd.exe	115
PID 4420 wrote to memory of 2292	4420	cmd.exe	116
PID 4420 wrote to memory of 2292	4420	cmd.exe	116
PID 4420 wrote to memory of 2604	4420	cmd.exe	117
PID 4420 wrote to memory of 2604	4420	cmd.exe	117
PID 4420 wrote to memory of 1980	4420	cmd.exe	118
PID 4420 wrote to memory of 1980	4420	cmd.exe	118
PID 4420 wrote to memory of 740	4420	cmd.exe	119
PID 4420 wrote to memory of 740	4420	cmd.exe	119
PID 4420 wrote to memory of 1448	4420	cmd.exe	120
PID 4420 wrote to memory of 1448	4420	cmd.exe	120

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	OOSU10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

cURL User-Agent 5 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	54	curl/8.7.1
HTTP User-Agent header	66	curl/8.7.1
HTTP User-Agent header	17	curl/8.7.1
HTTP User-Agent header	27	curl/8.7.1
HTTP User-Agent header	51	curl/8.7.1

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:3032
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  - Launches sc.exe
  PID:3920
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:4680
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:2592
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:4368
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:4452
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:1040
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=auto
  2⤵
  PID:2596
- C:\Windows\system32\net.exe
  net start TrustedInstaller
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start TrustedInstaller
    3⤵
    PID:824
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  2⤵
  PID:2852
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:936
- C:\Windows\system32\tar.exe
  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  2⤵
  PID:2320
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4760
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2316
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3256
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3816
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1104
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2496
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4024
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:2972
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:4772
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:3840
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1224
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:4468
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:2292
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:2604
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1980
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:740
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:1448
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:856
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:668
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:3108
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1076
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:380
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5084
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4924
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3352
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:2136
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3476
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:1668
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1156
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:3976
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:3440
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:3324
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:3176
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:4680
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:2592
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:3016
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:1096
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:4000
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4852
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:3680
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:704
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:4224
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:4316
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2252
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3932
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4800
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2180
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3212
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:5080
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2192
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:1500
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4768
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:1168
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:3472
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4112
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:2232
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4772
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:3840
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:1224
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3504
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:448
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2344
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:4328
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:740
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4256
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:4804
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3396
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2812
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3480
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:4120
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:3284
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3048
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:1664
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  - Launches sc.exe
  PID:4668
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  PID:4524
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:4520
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  PID:4516
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:3216
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  PID:884
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  PID:3824
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  PID:4104
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  PID:3180
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:4452
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  PID:1040
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  - Launches sc.exe
  PID:2596
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  PID:4464
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  PID:1836
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  PID:944
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  PID:1556
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:3784
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:3620
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  PID:2296
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:4320
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:4080
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:4072
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  PID:4784
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:2852
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  PID:936
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  PID:2928
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:4476
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:240
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  PID:4460
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  PID:892
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:2584
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:3956
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  PID:3112
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  PID:716
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:4364
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:2324
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:2504
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:1656
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:4332
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:4124
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:2832
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  PID:4496
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:5032
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  - Launches sc.exe
  PID:1184
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:3484
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:2496
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  PID:4024
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:1964
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:1896
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  PID:2024
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:4384
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:928
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:4292
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  PID:2292
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  PID:2148
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  - Launches sc.exe
  PID:1980
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:2428
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:708
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:4012
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:1188
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  PID:408
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  PID:1828
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:1036
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:4872
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:1044
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  - Launches sc.exe
  PID:3704
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:4740
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3408
- C:\Windows\system32\sc.exe
  sc config MSDTC start=demand
  2⤵
  PID:2748
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:3084
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:3812
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  PID:3240
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  PID:1376
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:3600
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1156
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  PID:4536
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:3976
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:3440
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  PID:3324
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3424
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:3824
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:2592
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  PID:2848
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  - Launches sc.exe
  PID:3016
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  PID:1096
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:4000
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3248
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:1736
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:1488
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  PID:2400
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:1492
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:4324
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:3652
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:3360
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:4052
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:1172
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:1248
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  PID:3364
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:4648
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:4860
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:4976
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:956
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:4864
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:2368
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:2628
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  PID:4712
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:5080
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:1068
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:796
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  PID:1732
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  PID:2456
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:1168
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:3472
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:1100
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  PID:1136
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  PID:1060
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  PID:2588
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:4076
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  - Launches sc.exe
  PID:4968
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  PID:2864
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:3504
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:2580
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:464
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:1032
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:2936
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  PID:3828
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:3304
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  PID:3848
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:2640
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  PID:3516
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:3752
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:2356
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  PID:2348
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  PID:4352
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:2512
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  PID:1996
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:1088
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:1352
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  PID:4960
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  - Launches sc.exe
  PID:3352
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:2136
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:3356
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  PID:4492
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:4604
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  PID:3528
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:3032
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  - Launches sc.exe
  PID:4004
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:3176
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:4632
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:4176
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:1040
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  PID:4380
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:1536
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:4232
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  PID:3732
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:4572
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  PID:824
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5108
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:2104
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  PID:3768
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  - Launches sc.exe
  PID:1636
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:4852
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  PID:3680
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:2980
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  PID:5096
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  PID:4224
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:4316
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  - Launches sc.exe
  PID:2320
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:2004
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:3932
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  PID:4800
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  PID:2180
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:1412
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  PID:716
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:4204
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:3376
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  - Launches sc.exe
  PID:4308
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:2192
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:5016
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:4948
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2660
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:2384
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  PID:3816
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:3984
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:4112
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:3388
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:2232
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:2020
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  PID:1688
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:4416
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  PID:4772
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  PID:5100
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:1224
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  - Launches sc.exe
  PID:4304
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  - Launches sc.exe
  PID:4580
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:4328
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  PID:740
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:1448
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:4564
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:2816
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  - Launches sc.exe
  PID:4312
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:60
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  PID:3320
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  - Launches sc.exe
  PID:4588
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  PID:2708
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:3396
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  PID:5084
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:4924
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:1468
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  PID:2984
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  - Launches sc.exe
  PID:1056
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:1668
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:4668
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  sc config smphost start=demand
  2⤵
  PID:4536
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:3976
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:3660
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:3324
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  PID:3424
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:3180
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  - Launches sc.exe
  PID:2592
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:2848
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  - Launches sc.exe
  PID:1096
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  PID:4000
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:3248
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:1736
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  PID:1488
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:2400
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:1492
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:4324
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:3656
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  PID:3360
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  PID:4052
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:704
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:1248
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  PID:3364
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:2316
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:4860
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:4976
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  PID:956
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:4864
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  - Launches sc.exe
  PID:2368
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:2628
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4712
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:1656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:1844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:1500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:1732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:2456
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:3788
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:5036
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:1100
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:1136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:4268
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:4592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:1060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:4408
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:3836
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3840
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2580
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:464
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1588
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2936
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3828
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3304
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:3848
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:3516
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:3752
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:2356
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2348
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:3704
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:2512
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2532
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:1996
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:1088
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:2068
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:4220
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:3048
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:3356
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:1156
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:884
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:4684
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:3920
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:3176
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:4680
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:4176
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1836
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:944
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:3732
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- - C:\Windows\system32\Taskmgr.exe
    "C:\Windows\system32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3680
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:704
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:4280
- C:\Windows\system32\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  PID:4592
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
  2⤵
  PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
  2⤵
  PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:4536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1096
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4000
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4556
- C:\Windows\system32\curl.exe
  curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
  2⤵
  PID:4904
- C:\Windows\system32\curl.exe
  curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"
  2⤵
  PID:2104
- C:\Oneclick Tools\OOShutup10\OOSU10.exe
  "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Modifies Control Panel
  - Modifies registry class
  - System policy modification
  PID:1172
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4912
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5056
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1964
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1992
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4316
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4948
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3696
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1872
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1980
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:740
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1868
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:448
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:1896
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4468
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:1656
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3840
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1448
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:4564
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  PID:856
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:4256
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:4804
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:3396
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:976
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:5088
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:2348
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  - Launches sc.exe
  PID:2816
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:3600
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:4524
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:4668
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  - Launches sc.exe
  PID:1468
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  - Launches sc.exe
  PID:4220
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:2984
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  PID:4516
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:3084
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:3440
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:3180
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3224
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  PID:4536
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:2924
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:4004
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  - Launches sc.exe
  PID:3824
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  PID:3324
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:4684
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:780
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:1836
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:1556
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:3732
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:684
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:232
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1736
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:4232
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  PID:3624
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  PID:2264
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:828
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4360
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:4052
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:3768
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:2104
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3472
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:2496
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  - Launches sc.exe
  PID:1852
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:4880
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:704
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:2232
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  PID:2736
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:4928
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:4460
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  PID:1060
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:3364
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:4496
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:2660
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:1472
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:2024
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  - Launches sc.exe
  PID:2580
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:1032
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:1588
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:2416
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1188
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:2640
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:1224
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:5100
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:1640
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:408
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2512
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:1044
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  - Launches sc.exe
  PID:1084
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:4740
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  - Launches sc.exe
  PID:1352
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:3752
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:1724
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:4520
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2136
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:3240
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  - Launches sc.exe
  PID:3352
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:3480
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:3476
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:4604
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:3216
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:3176
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:4680
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:3068
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:1148
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:884
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:3424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:4176
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:2892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:5000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:4208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:1096
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:4000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:4556
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:1736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:4232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:4100
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:3624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:2264
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:2696
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:4360
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:4052
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:3768
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:2104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:3472
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:2496
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:4308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:1852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:4880
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:704
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:2232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:2736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:4928
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:1964
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:1992
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:4316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:3700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:2700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:1248
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:4948
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:3696
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:1872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:4076
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:1980
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:2016
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:1868
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:1896
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:4468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:1656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:3840
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:1448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:4588
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:856
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:4256
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:4352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:3396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:976
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:5088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:2348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:4796
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:4312
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:2816
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:3600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:4524
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:3812
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:3284
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:3528
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:3584
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:3440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:2596
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:2956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:2844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:3032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:2848
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:4464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:3976
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:4380
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5072
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:3784
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:1388
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:2272
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  - Launches sc.exe
  PID:944
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:3228
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  - Launches sc.exe
  PID:400
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4572
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:1788
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:5108
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  - Launches sc.exe
  PID:876
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  PID:2396
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  PID:3620
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:796
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:1184
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4124
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:2652
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2676
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1300
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:936
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:1964
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:4316
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:3700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:2700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:1248
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:4948
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:1472
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:4916
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:3504
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:2372
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:1032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:1588
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:2416
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:1188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:2640
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1224
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:5100
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  PID:1640
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:408
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:4564
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2512
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:4408
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:2068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:1044
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1084
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:4740
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:1352
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3048
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:3356
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:1156
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:4924
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:3352
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:5084
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:656
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:4604
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  - Launches sc.exe
  PID:3084
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:3176
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:3224
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:3660
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:884
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:2052
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:1744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:3920
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:3476
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3016
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1040
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4684
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4208
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4228
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2480
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1836
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:3188
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  - Launches sc.exe
  PID:3732
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:3844
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:3248
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:4904
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:3168
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:1488
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:2400
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:3272
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:3252
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:4088
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3656
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:4072
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:2628
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:3788
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:1840
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:3472
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  PID:2496
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4308
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:4912
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:4880
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  PID:704
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:2232
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:2736
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:2116
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:2028
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:4636
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:936
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  PID:1964
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  - Launches sc.exe
  PID:3700
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:5032
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:2936
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:3088
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  PID:3504
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:2372
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:1032
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:1588
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:2416
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:1188
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:464
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:4504
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3460
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:472
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:3792
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:2020
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:1224
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  - Launches sc.exe
  PID:3320
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:3728
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=disabled
  2⤵
  - Launches sc.exe
  PID:4804
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:60
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:2356
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:1996
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:4344
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:2348
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:1352
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:1664
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2444
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  PID:4960
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:4120
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  - Launches sc.exe
  PID:4492
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  PID:5084
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  PID:656
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:4604
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:3084
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:3176
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4680
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:3224
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:3660
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:884
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  - Launches sc.exe
  PID:2052
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:1744
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:3920
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc config esifsvc start=disabled
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc config LMS start=disabled
  2⤵
  PID:1040
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:236

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:3956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Oneclick Tools.zip

Filesize
564KB

MD5
d2be90c23063c07c5bf6e02c9400ac35

SHA1
c2ca99de035c17ba9b7912c26725efffe290b1db

SHA256
9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3

SHA512
13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

Download Submit
C:\Oneclick Tools\NSudo\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Oneclick Tools\OOShutup10\OOSU10.exe

Filesize
1.9MB

MD5
4803e06db91fdb8b6d1b65c0010d2f87

SHA1
f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c

SHA256
beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b

SHA512
f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Download Submit
C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg

Filesize
2KB

MD5
109f47ced5da3f92362c49069fc4624e

SHA1
79b611073aa0006f1bb4058a6ecb6f3cc97391d6

SHA256
2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b

SHA512
55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
26aacc3b83c5c1f97af3105d84596efc

SHA1
ebb08764bdfd38897080a280db1a6b3b2ca62418

SHA256
41e19aa1aa475429965c6340997449def507693f19dc1c1c015d77db081e8ecf

SHA512
e8efaa3b3acd91b7b95fe8b7a6100b3c5c2f1f6e6eba9ec0a87deed80fd5415ed5afc8e484bbf5ff47aff29edb556763915cf4b4c93013967f04551a07e5b944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ee0b8820c7d05b6373323fb9fe86b03

SHA1
903a38b30017911439016430da005d50a0be6f1d

SHA256
6139a2bc3de6b9e99ada678d6b875e63b02aa64b9667d1281a021bdf7d923f25

SHA512
79c94bcad00ccbcf0961a86bff7a06d6bc75fd83f50836747be6ba9ca74efc1290da84d91646dade522755047d3ba7783738fcbc770480310e541989419d0e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d8604063d3b1449932092d18faab1746

SHA1
e3d9f2e5d39a454cef14846b5db727ac4540ecaf

SHA256
be361fe0cba50865d5f816a65aca5cd91622390788910cd995aeb9e313f62391

SHA512
21d89a1267c46699d6d00da1a103f52bf5fface9c2b272fcbb02f0e19813fc9d3779cb152606e959285c8e303f517d4a7dd40fa5259a327105e00e4905e95f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
670c4920a79e1c12a6c4e8ff4007562b

SHA1
5023e825d4a8af071498411f589f3b25ff335f0f

SHA256
37c4a07c009ffa6061e7ffcec01d0eb2c1a2c7ac94fc3d2208e1bfee6815c92f

SHA512
d717acfd4aea4d2788b06be081c00d97929eadaa97b9144ebc02617837d8c9ffaad30f3bef0a662c560dc2bc98603853af3404120f5ac2430335dda06e7c5bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
80dc9522fd8c6f446d4870600f0eb164

SHA1
fe37d3b69e8ebac10f847f33912ae67f484cd3ca

SHA256
be21d0662808b49f16836a32ab5e32d1341bd5ec169ca289e5f9f0f28fdc424a

SHA512
3287cc0e5b8202c979df7339fd2e54970aa89b83f8ed839b373127d7786887c0c43c00723137c5e6b2920ecd14b7907c5243a9fb6e9068f63536cd60fa95545f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b393e1aae554dd45961c38666996e0dd

SHA1
ecdbf730b4bdbb19b63824f20726ed621c224fb8

SHA256
3bf951123b475242f39407221b43207386af7a5fef5dc70f3eb262ce9ee7cdc4

SHA512
283c040139a98d82dedbbebd5bf9875bcb668c17eaf7b1ebe3c76ca17f3d5b06f7d9820ea17878c96560c305a4c006c076da4b76106aa72120f3d41cafd56380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba3fcc0cfed6617387f04dbc5ed8eb55

SHA1
27ddcdabacca06128444d6be06a69057de6e05fb

SHA256
20df135edb9f676a5530c45898bd73253fd281ebef5d6f2138d66310dd09442d

SHA512
2675f1824de7d46ce412a38bce19cd572480fe1f8e5b98eb6f0534d09bcb416a9b4a24bdd7956cc16b096d94a7249b7f55b5ca01223a18bd0a51e3f2bfe25405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
093eb1af2f835fcae1936d2f27cc552d

SHA1
9294e5f6ceebf48e8cc54ca0c6b096d6ee030132

SHA256
aae7f0add6b6b2b5edc0068b0da75f8fc6eda6482bfd1171f367945c67b92f46

SHA512
dbddf588abb5cb1252e5e85d0fbd8462cc165de2544959b05a832d9709708c7b52738b6bc7ce4abd58014651fee6bcca9916ee16915a235fe8884ab14b1a22c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyjekl2i.idp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1148-15-0x0000025947CB0000-0x0000025947CD2000-memory.dmp

Filesize
136KB

Download
memory/1172-150-0x000001FC27320000-0x000001FC27510000-memory.dmp

Filesize
1.9MB

Download
memory/1172-151-0x000001FC27920000-0x000001FC2794C000-memory.dmp

Filesize
176KB

Download
memory/1172-152-0x000001FC29230000-0x000001FC292D6000-memory.dmp

Filesize
664KB

Download
memory/1172-154-0x000001FC41BB0000-0x000001FC41C6A000-memory.dmp

Filesize
744KB

Download
memory/1172-153-0x000001FC292D0000-0x000001FC292EA000-memory.dmp

Filesize
104KB

Download
memory/1724-120-0x0000015FD1480000-0x0000015FD14AA000-memory.dmp

Filesize
168KB

Download
memory/1724-121-0x0000015FD1480000-0x0000015FD14A4000-memory.dmp

Filesize
144KB

Download
memory/2320-94-0x000001F6983D0000-0x000001F6983E0000-memory.dmp

Filesize
64KB

Download
memory/2320-90-0x000001F698390000-0x000001F6983A0000-memory.dmp

Filesize
64KB

Download
memory/2320-107-0x000001F698F80000-0x000001F698F81000-memory.dmp

Filesize
4KB

Download
memory/3680-76-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-83-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-84-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-85-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-86-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-88-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-87-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-82-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-78-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download
memory/3680-77-0x000001B92A840000-0x000001B92A841000-memory.dmp

Filesize
4KB

Download