3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
16s
max time network
39s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/2- Xbox Help/1- Xbox Service Enabler.bat
Size

15KB
MD5

053934c8f93b3ff714e1451f8d10c642
SHA1

16896e746055d5fa96730e7d6a637de170ff4ead
SHA256

3d9dce519843a1c5690504fb44f8043fa9eb2a3bdb1b4879352866fc0c12387c
SHA512

6d05cc4e160b0e96b29b6e5b65bd8eaa62b67540a7583b130b7698b15d4c60b67489aa8daa7b07c6adbb76fa19e0a1bf2dfc880d0499289f2761f3e585cb1337
SSDEEP

192:Yh4ZSsimg0gAP5L2e1NkJPnVPletM2TJQ2MqJMr2198Li5981:9iDYLD1NkJPnVPle82MqJMr2198Li59C

Score

10^/10

evasion execution

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3"	reg.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2684	sc.exe
1816	sc.exe
2344	sc.exe
2012	sc.exe
1552	sc.exe
3852	sc.exe
4508	sc.exe
1508	sc.exe
1472	sc.exe
4644	sc.exe
220	sc.exe
1676	sc.exe
2696	sc.exe
1792	sc.exe
4576	sc.exe
1620	sc.exe
4360	sc.exe
272	sc.exe
2884	sc.exe
2144	sc.exe
4500	sc.exe
2672	sc.exe
1600	sc.exe
2552	sc.exe
1968	sc.exe
1064	sc.exe
2692	sc.exe
1676	sc.exe
3960	sc.exe
2288	sc.exe
2848	sc.exe
4984	sc.exe
1816	sc.exe
4756	sc.exe
2712	sc.exe
1776	sc.exe
1920	sc.exe
1884	sc.exe
3076	sc.exe
3992	sc.exe
4920	sc.exe
1244	sc.exe
3736	sc.exe
5060	sc.exe
1940	sc.exe
2776	sc.exe
3652	sc.exe
1260	sc.exe
4400	sc.exe
1680	sc.exe
544	sc.exe
2764	sc.exe
2516	sc.exe
416	sc.exe
4708	sc.exe
1396	sc.exe
3768	sc.exe
4232	sc.exe
4408	sc.exe
4532	sc.exe
864	sc.exe
920	sc.exe
4236	sc.exe
3216	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4436	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3152	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4436	powershell.exe
4436	powershell.exe
4760	WMIC.exe
4760	WMIC.exe
4760	WMIC.exe
4760	WMIC.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeIncreaseQuotaPrivilege	4760	WMIC.exe
Token: SeSecurityPrivilege	4760	WMIC.exe
Token: SeTakeOwnershipPrivilege	4760	WMIC.exe
Token: SeLoadDriverPrivilege	4760	WMIC.exe
Token: SeSystemProfilePrivilege	4760	WMIC.exe
Token: SeSystemtimePrivilege	4760	WMIC.exe
Token: SeProfSingleProcessPrivilege	4760	WMIC.exe
Token: SeIncBasePriorityPrivilege	4760	WMIC.exe
Token: SeCreatePagefilePrivilege	4760	WMIC.exe
Token: SeBackupPrivilege	4760	WMIC.exe
Token: SeRestorePrivilege	4760	WMIC.exe
Token: SeShutdownPrivilege	4760	WMIC.exe
Token: SeDebugPrivilege	4760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4760	WMIC.exe
Token: SeRemoteShutdownPrivilege	4760	WMIC.exe
Token: SeUndockPrivilege	4760	WMIC.exe
Token: SeManageVolumePrivilege	4760	WMIC.exe
Token: 33	4760	WMIC.exe
Token: 34	4760	WMIC.exe
Token: 35	4760	WMIC.exe
Token: 36	4760	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 4436	2980	cmd.exe	81
PID 2980 wrote to memory of 4436	2980	cmd.exe	81
PID 2980 wrote to memory of 3152	2980	cmd.exe	84
PID 2980 wrote to memory of 3152	2980	cmd.exe	84
PID 2980 wrote to memory of 4028	2980	cmd.exe	87
PID 2980 wrote to memory of 4028	2980	cmd.exe	87
PID 2980 wrote to memory of 3860	2980	cmd.exe	88
PID 2980 wrote to memory of 3860	2980	cmd.exe	88
PID 2980 wrote to memory of 3992	2980	cmd.exe	89
PID 2980 wrote to memory of 3992	2980	cmd.exe	89
PID 2980 wrote to memory of 3644	2980	cmd.exe	90
PID 2980 wrote to memory of 3644	2980	cmd.exe	90
PID 2980 wrote to memory of 856	2980	cmd.exe	91
PID 2980 wrote to memory of 856	2980	cmd.exe	91
PID 2980 wrote to memory of 3328	2980	cmd.exe	92
PID 2980 wrote to memory of 3328	2980	cmd.exe	92
PID 2980 wrote to memory of 232	2980	cmd.exe	93
PID 2980 wrote to memory of 232	2980	cmd.exe	93
PID 2980 wrote to memory of 220	2980	cmd.exe	94
PID 2980 wrote to memory of 220	2980	cmd.exe	94
PID 2980 wrote to memory of 5060	2980	cmd.exe	95
PID 2980 wrote to memory of 5060	2980	cmd.exe	95
PID 2980 wrote to memory of 2012	2980	cmd.exe	96
PID 2980 wrote to memory of 2012	2980	cmd.exe	96
PID 2980 wrote to memory of 4920	2980	cmd.exe	97
PID 2980 wrote to memory of 4920	2980	cmd.exe	97
PID 2980 wrote to memory of 2692	2980	cmd.exe	98
PID 2980 wrote to memory of 2692	2980	cmd.exe	98
PID 2980 wrote to memory of 1792	2980	cmd.exe	99
PID 2980 wrote to memory of 1792	2980	cmd.exe	99
PID 2980 wrote to memory of 3776	2980	cmd.exe	100
PID 2980 wrote to memory of 3776	2980	cmd.exe	100
PID 2980 wrote to memory of 2232	2980	cmd.exe	101
PID 2980 wrote to memory of 2232	2980	cmd.exe	101
PID 2980 wrote to memory of 3504	2980	cmd.exe	102
PID 2980 wrote to memory of 3504	2980	cmd.exe	102
PID 2980 wrote to memory of 1132	2980	cmd.exe	103
PID 2980 wrote to memory of 1132	2980	cmd.exe	103
PID 2980 wrote to memory of 4984	2980	cmd.exe	104
PID 2980 wrote to memory of 4984	2980	cmd.exe	104
PID 2980 wrote to memory of 4284	2980	cmd.exe	105
PID 2980 wrote to memory of 4284	2980	cmd.exe	105
PID 2980 wrote to memory of 3216	2980	cmd.exe	106
PID 2980 wrote to memory of 3216	2980	cmd.exe	106
PID 2980 wrote to memory of 4708	2980	cmd.exe	107
PID 2980 wrote to memory of 4708	2980	cmd.exe	107
PID 2980 wrote to memory of 3040	2980	cmd.exe	108
PID 2980 wrote to memory of 3040	2980	cmd.exe	108
PID 2980 wrote to memory of 1676	2980	cmd.exe	109
PID 2980 wrote to memory of 1676	2980	cmd.exe	109
PID 2980 wrote to memory of 2884	2980	cmd.exe	110
PID 2980 wrote to memory of 2884	2980	cmd.exe	110
PID 2980 wrote to memory of 2672	2980	cmd.exe	111
PID 2980 wrote to memory of 2672	2980	cmd.exe	111
PID 2980 wrote to memory of 1816	2980	cmd.exe	112
PID 2980 wrote to memory of 1816	2980	cmd.exe	112
PID 2980 wrote to memory of 1064	2980	cmd.exe	113
PID 2980 wrote to memory of 1064	2980	cmd.exe	113
PID 2980 wrote to memory of 2556	2980	cmd.exe	114
PID 2980 wrote to memory of 2556	2980	cmd.exe	114
PID 2980 wrote to memory of 3852	2980	cmd.exe	115
PID 2980 wrote to memory of 3852	2980	cmd.exe	115
PID 2980 wrote to memory of 920	2980	cmd.exe	116
PID 2980 wrote to memory of 920	2980	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\2- Fixer-Help\2- Xbox Help\1- Xbox Service Enabler.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-AppxPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register '$($_.InstallLocation)\AppXManifest.xml'}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3152
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:4028
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /fd
  2⤵
  PID:3860
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= demand
  2⤵
  - Launches sc.exe
  PID:3992
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= demand
  2⤵
  PID:3644
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= demand
  2⤵
  PID:856
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= demand
  2⤵
  PID:3328
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= demand
  2⤵
  PID:232
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= demand
  2⤵
  PID:220
- C:\Windows\system32\sc.exe
  sc config Fax start= demand
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= demand
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\sc.exe
  sc config lfsvc start= demand
  2⤵
  - Launches sc.exe
  PID:4920
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= demand
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= demand
  2⤵
  - Launches sc.exe
  PID:1792
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= demand
  2⤵
  PID:3776
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= demand
  2⤵
  PID:2232
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= demand
  2⤵
  PID:3504
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= demand
  2⤵
  PID:1132
- C:\Windows\system32\sc.exe
  sc config CscService start= demand
  2⤵
  - Launches sc.exe
  PID:4984
- C:\Windows\system32\sc.exe
  sc config TermService start= demand
  2⤵
  PID:4284
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= demand
  2⤵
  - Launches sc.exe
  PID:3216
- C:\Windows\system32\sc.exe
  sc config SensorService start= demand
  2⤵
  PID:4708
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= demand
  2⤵
  PID:3040
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= demand
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= demand
  2⤵
  PID:2884
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= demand
  2⤵
  - Launches sc.exe
  PID:2672
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= demand
  2⤵
  - Launches sc.exe
  PID:1816
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= demand
  2⤵
  PID:1064
- C:\Windows\system32\sc.exe
  sc config WalletService start= demand
  2⤵
  PID:2556
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= demand
  2⤵
  - Launches sc.exe
  PID:3852
- C:\Windows\system32\sc.exe
  sc config WebClient start= demand
  2⤵
  - Launches sc.exe
  PID:920
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4236
- C:\Windows\system32\sc.exe
  sc config stisvc start= demand
  2⤵
  - Launches sc.exe
  PID:2764
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= demand
  2⤵
  PID:4376
- C:\Windows\system32\sc.exe
  sc config icssvc start= demand
  2⤵
  PID:1028
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= demand
  2⤵
  PID:2356
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= demand
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= demand
  2⤵
  PID:2224
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= demand
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= demand
  2⤵
  - Launches sc.exe
  PID:3960
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= demand
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= demand
  2⤵
  PID:2544
- C:\Windows\system32\sc.exe
  sc config Backupper Service" start= demand
  2⤵
  PID:2868
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4500
- C:\Windows\system32\sc.exe
  sc config BDESVC start= demand
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= demand
  2⤵
  PID:5108
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= demand
  2⤵
  PID:444
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1396
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= demand
  2⤵
  PID:3360
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1600
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= demand
  2⤵
  PID:2752
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4232
- C:\Windows\system32\sc.exe
  sc config TrkWks start= demand
  2⤵
  PID:4112
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= demand
  2⤵
  PID:3908
- C:\Windows\system32\sc.exe
  sc config EFS start= demand
  2⤵
  PID:2616
- C:\Windows\system32\sc.exe
  sc config fdPHost start= demand
  2⤵
  - Launches sc.exe
  PID:4576
- C:\Windows\system32\sc.exe
  sc config FDResPub start= demand
  2⤵
  - Launches sc.exe
  PID:2776
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= demand
  2⤵
  - Launches sc.exe
  PID:2288
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1552
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= demand
  2⤵
  - Launches sc.exe
  PID:1776
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= demand
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  sc config RasMan start= demand
  2⤵
  - Launches sc.exe
  PID:1508
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:3416
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3652
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= demand
  2⤵
  - Launches sc.exe
  PID:1920
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= demand
  2⤵
  - Launches sc.exe
  PID:1244
- C:\Windows\system32\sc.exe
  sc config SysMain start= demand
  2⤵
  PID:3088
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= demand
  2⤵
  - Launches sc.exe
  PID:3768
- C:\Windows\system32\sc.exe
  sc config lmhosts start= demand
  2⤵
  - Launches sc.exe
  PID:2516
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= demand
  2⤵
  PID:2992
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1680
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= demand
  2⤵
  - Launches sc.exe
  PID:1884
- C:\Windows\system32\sc.exe
  sc config FontCache start= demand
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc config W32Time start= demand
  2⤵
  PID:2864
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= demand
  2⤵
  - Launches sc.exe
  PID:2848
- C:\Windows\system32\sc.exe
  sc config DsSvc start= demand
  2⤵
  PID:4516
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:2684
- C:\Windows\system32\sc.exe
  sc config diagsvc start= demand
  2⤵
  - Launches sc.exe
  PID:544
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= demand
  2⤵
  - Launches sc.exe
  PID:1260
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:3076
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:4756
- C:\Windows\system32\sc.exe
  sc config AppVClient start= demand
  2⤵
  - Launches sc.exe
  PID:3736
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= demand
  2⤵
  PID:4524
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= demand
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= demand
  2⤵
  PID:388
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= demand
  2⤵
  PID:1140
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:4400
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= demand
  2⤵
  - Launches sc.exe
  PID:416
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1472
- C:\Windows\system32\sc.exe
  sc config WerSvc start= demand
  2⤵
  PID:1868
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:4644
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:4420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Enable
  2⤵
  PID:1228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Enable
  2⤵
  PID:2576
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Enable
  2⤵
  PID:3024
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Enable
  2⤵
  PID:3840
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Enable
  2⤵
  PID:4100
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Enable
  2⤵
  PID:3576
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Enable
  2⤵
  PID:1984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Enable
  2⤵
  PID:652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Enable
  2⤵
  PID:2148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Enable
  2⤵
  PID:5088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Enable
  2⤵
  PID:2004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Enable
  2⤵
  PID:4068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Enable
  2⤵
  PID:4860
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Enable
  2⤵
  PID:4128
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Enable
  2⤵
  PID:2188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Enable
  2⤵
  PID:2320
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Enable
  2⤵
  PID:4052
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Enable
  2⤵
  PID:116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Enable
  2⤵
  PID:1128
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Enable
  2⤵
  PID:3996
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Enable
  2⤵
  PID:3828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Enable
  2⤵
  PID:676
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Enable
  2⤵
  PID:660
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Enable
  2⤵
  PID:3772
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Enable
  2⤵
  PID:4056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Enable
  2⤵
  PID:3984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Enable
  2⤵
  PID:1936
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Enable
  2⤵
  PID:1148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Enable
  2⤵
  PID:620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Enable
  2⤵
  PID:3012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Enable
  2⤵
  PID:4156
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Enable
  2⤵
  PID:4888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Enable
  2⤵
  PID:4548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Enable
  2⤵
  PID:8
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Enable
  2⤵
  PID:2628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Enable
  2⤵
  PID:420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Enable
  2⤵
  PID:2072
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Enable
  2⤵
  PID:3508
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Enable
  2⤵
  PID:1032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Enable
  2⤵
  PID:2368
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Enable
  2⤵
  PID:3788
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Enable
  2⤵
  PID:3744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Enable
  2⤵
  PID:4712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Enable
  2⤵
  PID:4636
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Enable
  2⤵
  PID:724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Enable
  2⤵
  PID:1672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Enable
  2⤵
  PID:2404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Enable
  2⤵
  PID:3684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Enable
  2⤵
  PID:4304
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Enable
  2⤵
  PID:4696
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Enable
  2⤵
  PID:4836
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Enable
  2⤵
  PID:3124
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Enable
  2⤵
  PID:664
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Enable
  2⤵
  PID:2768
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Enable
  2⤵
  PID:3564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Enable
  2⤵
  PID:872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Enable
  2⤵
  PID:3004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Enable
  2⤵
  PID:1396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Enable
  2⤵
  PID:3360
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Enable
  2⤵
  PID:1600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Enable
  2⤵
  PID:2752
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Enable
  2⤵
  PID:4232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Enable
  2⤵
  PID:1648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Enable
  2⤵
  PID:4260
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Enable
  2⤵
  PID:64
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Enable
  2⤵
  PID:3396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Enable
  2⤵
  PID:4168
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Enable
  2⤵
  PID:2288
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Enable
  2⤵
  PID:1552
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Enable
  2⤵
  PID:1776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Enable
  2⤵
  PID:1752
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Enable
  2⤵
  PID:1508
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Enable
  2⤵
  PID:3416
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Enable
  2⤵
  PID:3652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Enable
  2⤵
  PID:1920
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Enable
  2⤵
  PID:1244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Enable
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config uhssvc start= demand
  2⤵
  - Launches sc.exe
  PID:1620
- C:\Windows\system32\sc.exe
  sc config upfc start= demand
  2⤵
  PID:4264
- C:\Windows\system32\sc.exe
  sc config PushToInstall start= demand
  2⤵
  - Launches sc.exe
  PID:2552
- C:\Windows\system32\sc.exe
  sc config BITS start= demand
  2⤵
  - Launches sc.exe
  PID:4508
- C:\Windows\system32\sc.exe
  sc config InstallService start= demand
  2⤵
  - Launches sc.exe
  PID:1968
- C:\Windows\system32\sc.exe
  sc config uhssvc start= demand
  2⤵
  PID:3516
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= demand
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config wuauserv start= demand
  2⤵
  PID:4768
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= demand
  2⤵
  - Launches sc.exe
  PID:4408
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4532
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:2508
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:908
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:4656
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 3 /f
  2⤵
  - Modifies security service
  PID:1532
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:4960
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:812
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:556
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:3620
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:2576
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "0" /f
  2⤵
  PID:3300
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:2732
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "0" /f
  2⤵
  PID:4316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Enable
  2⤵
  PID:4764
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Enable
  2⤵
  PID:936
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Enable
  2⤵
  PID:4640
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Enable
  2⤵
  PID:540
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Enable
  2⤵
  PID:3020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Enable
  2⤵
  PID:3804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Enable
  2⤵
  PID:3692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Enable
  2⤵
  PID:4028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Enable
  2⤵
  PID:4120
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Enable
  2⤵
  PID:3644
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Enable
  2⤵
  PID:856
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Enable
  2⤵
  PID:2440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Enable
  2⤵
  PID:4976
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= demand
  2⤵
  - Launches sc.exe
  PID:220
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= demand
  2⤵
  - Launches sc.exe
  PID:5060
- C:\Windows\system32\sc.exe
  sc config WinRM start= demand
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc config RmSvc start= demand
  2⤵
  PID:4920
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= demand
  2⤵
  PID:2692
- C:\Windows\system32\sc.exe
  sc config Spooler start= demand
  2⤵
  PID:1792
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Enable
  2⤵
  PID:4256
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Enable
  2⤵
  PID:3988
- C:\Windows\system32\sc.exe
  sc config BTAGService start= demand
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\system32\sc.exe
  sc config bthserv start= demand
  2⤵
  PID:2956
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= demand
  2⤵
  PID:4540
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start= demand
  2⤵
  - Launches sc.exe
  PID:4360
- C:\Windows\system32\sc.exe
  sc config NcbService start= demand
  2⤵
  PID:572
- C:\Windows\system32\sc.exe
  sc config ndu start= demand
  2⤵
  - Launches sc.exe
  PID:4708
- C:\Windows\system32\sc.exe
  sc config Netman start= demand
  2⤵
  - Launches sc.exe
  PID:272
- C:\Windows\system32\sc.exe
  sc config netprofm start= demand
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  sc config WwanSvc start= demand
  2⤵
  - Launches sc.exe
  PID:2884
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:2672
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  - Launches sc.exe
  PID:1816
- C:\Windows\system32\sc.exe
  sc config lmhosts start= auto
  2⤵
  - Launches sc.exe
  PID:1064
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= auto
  2⤵
  - Launches sc.exe
  PID:864
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\system32\sc.exe
  sc config RmSvc start= auto
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= auto
  2⤵
  - Launches sc.exe
  PID:2712
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:4452
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= auto
  2⤵
  PID:4212
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Enable
  2⤵
  PID:2228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Enable
  2⤵
  PID:564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Enable
  2⤵
  PID:4856
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Enable
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "0" /f
  2⤵
  PID:2144
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
  2⤵
  PID:3960
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
  2⤵
  PID:2220
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "2" /f
  2⤵
  PID:2544
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:2868
- C:\Windows\system32\net.exe
  net start DPS
  2⤵
  PID:4500
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start DPS
    3⤵
    PID:4468
- C:\Windows\system32\net.exe
  net start nsi
  2⤵
  PID:1732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start nsi
    3⤵
    PID:3416
- C:\Windows\system32\net.exe
  net start NlaSvc
  2⤵
  PID:704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start NlaSvc
    3⤵
    PID:1168
- C:\Windows\system32\net.exe
  net start Dhcp
  2⤵
  PID:4680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dhcp
    3⤵
    PID:1620
- C:\Windows\system32\net.exe
  net start Wcmsvc
  2⤵
  PID:4264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Wcmsvc
    3⤵
    PID:1208
- C:\Windows\system32\net.exe
  net start RmSvc
  2⤵
  PID:4584
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start RmSvc
    3⤵
    PID:544
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_networkadapter where index=0 call disable
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_networkadapter where index=1 call disable
  2⤵
  PID:4864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Checks processor information in registry
PID:5108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:3176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppqw00t3.kux.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4436-0-0x00007FF880903000-0x00007FF880905000-memory.dmp

Filesize
8KB

Download
memory/4436-1-0x000002D882700000-0x000002D882722000-memory.dmp

Filesize
136KB

Download
memory/4436-8-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/4436-12-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/4436-13-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download
memory/4436-14-0x000002D89CED0000-0x000002D89CEE6000-memory.dmp

Filesize
88KB

Download
memory/4436-15-0x000002D89CEB0000-0x000002D89CEBA000-memory.dmp

Filesize
40KB

Download
memory/4436-16-0x000002D89CF40000-0x000002D89CF66000-memory.dmp

Filesize
152KB

Download
memory/4436-19-0x00007FF880900000-0x00007FF8813C2000-memory.dmp

Filesize
10.8MB

Download