3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
15s
max time network
29s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/2- Fixer-Help/2- Xbox Help/1- Xbox Service Enabler.bat
Size

15KB
MD5

053934c8f93b3ff714e1451f8d10c642
SHA1

16896e746055d5fa96730e7d6a637de170ff4ead
SHA256

3d9dce519843a1c5690504fb44f8043fa9eb2a3bdb1b4879352866fc0c12387c
SHA512

6d05cc4e160b0e96b29b6e5b65bd8eaa62b67540a7583b130b7698b15d4c60b67489aa8daa7b07c6adbb76fa19e0a1bf2dfc880d0499289f2761f3e585cb1337
SSDEEP

192:Yh4ZSsimg0gAP5L2e1NkJPnVPletM2TJQ2MqJMr2198Li5981:9iDYLD1NkJPnVPle82MqJMr2198Li59C

Score

10^/10

evasion execution

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "3"	reg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
936	sc.exe
1828	sc.exe
4832	sc.exe
4652	sc.exe
5096	sc.exe
4860	sc.exe
4928	sc.exe
2880	sc.exe
1144	sc.exe
1900	sc.exe
4132	sc.exe
1032	sc.exe
2104	sc.exe
740	sc.exe
1880	sc.exe
4312	sc.exe
3468	sc.exe
1480	sc.exe
1500	sc.exe
3280	sc.exe
4884	sc.exe
4580	sc.exe
1584	sc.exe
852	sc.exe
1252	sc.exe
4428	sc.exe
4732	sc.exe
1100	sc.exe
4368	sc.exe
4844	sc.exe
3260	sc.exe
2748	sc.exe
4972	sc.exe
4796	sc.exe
4560	sc.exe
2724	sc.exe
3432	sc.exe
3868	sc.exe
4824	sc.exe
1572	sc.exe
1764	sc.exe
4288	sc.exe
772	sc.exe
1652	sc.exe
1972	sc.exe
4940	sc.exe
3924	sc.exe
2584	sc.exe
4400	sc.exe
4220	sc.exe
444	sc.exe
4388	sc.exe
1676	sc.exe
1848	sc.exe
2020	sc.exe
3708	sc.exe
4196	sc.exe
2316	sc.exe
1556	sc.exe
2960	sc.exe
3524	sc.exe
3516	sc.exe
3480	sc.exe
1088	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2256	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3644	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2256	powershell.exe
2256	powershell.exe
4856	svchost.exe
4856	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeIncreaseQuotaPrivilege	4828	WMIC.exe
Token: SeSecurityPrivilege	4828	WMIC.exe
Token: SeTakeOwnershipPrivilege	4828	WMIC.exe
Token: SeLoadDriverPrivilege	4828	WMIC.exe
Token: SeSystemProfilePrivilege	4828	WMIC.exe
Token: SeSystemtimePrivilege	4828	WMIC.exe
Token: SeProfSingleProcessPrivilege	4828	WMIC.exe
Token: SeIncBasePriorityPrivilege	4828	WMIC.exe
Token: SeCreatePagefilePrivilege	4828	WMIC.exe
Token: SeBackupPrivilege	4828	WMIC.exe
Token: SeRestorePrivilege	4828	WMIC.exe
Token: SeShutdownPrivilege	4828	WMIC.exe
Token: SeDebugPrivilege	4828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4828	WMIC.exe
Token: SeRemoteShutdownPrivilege	4828	WMIC.exe
Token: SeUndockPrivilege	4828	WMIC.exe
Token: SeManageVolumePrivilege	4828	WMIC.exe
Token: 33	4828	WMIC.exe
Token: 34	4828	WMIC.exe
Token: 35	4828	WMIC.exe
Token: 36	4828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4828	WMIC.exe
Token: SeSecurityPrivilege	4828	WMIC.exe
Token: SeTakeOwnershipPrivilege	4828	WMIC.exe
Token: SeLoadDriverPrivilege	4828	WMIC.exe
Token: SeSystemProfilePrivilege	4828	WMIC.exe
Token: SeSystemtimePrivilege	4828	WMIC.exe
Token: SeProfSingleProcessPrivilege	4828	WMIC.exe
Token: SeIncBasePriorityPrivilege	4828	WMIC.exe
Token: SeCreatePagefilePrivilege	4828	WMIC.exe
Token: SeBackupPrivilege	4828	WMIC.exe
Token: SeRestorePrivilege	4828	WMIC.exe
Token: SeShutdownPrivilege	4828	WMIC.exe
Token: SeDebugPrivilege	4828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4828	WMIC.exe
Token: SeRemoteShutdownPrivilege	4828	WMIC.exe
Token: SeUndockPrivilege	4828	WMIC.exe
Token: SeManageVolumePrivilege	4828	WMIC.exe
Token: 33	4828	WMIC.exe
Token: 34	4828	WMIC.exe
Token: 35	4828	WMIC.exe
Token: 36	4828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	880	WMIC.exe
Token: SeSecurityPrivilege	880	WMIC.exe
Token: SeTakeOwnershipPrivilege	880	WMIC.exe
Token: SeLoadDriverPrivilege	880	WMIC.exe
Token: SeSystemProfilePrivilege	880	WMIC.exe
Token: SeSystemtimePrivilege	880	WMIC.exe
Token: SeProfSingleProcessPrivilege	880	WMIC.exe
Token: SeIncBasePriorityPrivilege	880	WMIC.exe
Token: SeCreatePagefilePrivilege	880	WMIC.exe
Token: SeBackupPrivilege	880	WMIC.exe
Token: SeRestorePrivilege	880	WMIC.exe
Token: SeShutdownPrivilege	880	WMIC.exe
Token: SeDebugPrivilege	880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	880	WMIC.exe
Token: SeRemoteShutdownPrivilege	880	WMIC.exe
Token: SeUndockPrivilege	880	WMIC.exe
Token: SeManageVolumePrivilege	880	WMIC.exe
Token: 33	880	WMIC.exe
Token: 34	880	WMIC.exe
Token: 35	880	WMIC.exe
Token: 36	880	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2256	3964	cmd.exe	83
PID 3964 wrote to memory of 2256	3964	cmd.exe	83
PID 3964 wrote to memory of 3644	3964	cmd.exe	84
PID 3964 wrote to memory of 3644	3964	cmd.exe	84
PID 3964 wrote to memory of 1468	3964	cmd.exe	85
PID 3964 wrote to memory of 1468	3964	cmd.exe	85
PID 3964 wrote to memory of 1720	3964	cmd.exe	86
PID 3964 wrote to memory of 1720	3964	cmd.exe	86
PID 3964 wrote to memory of 216	3964	cmd.exe	87
PID 3964 wrote to memory of 216	3964	cmd.exe	87
PID 3964 wrote to memory of 2716	3964	cmd.exe	88
PID 3964 wrote to memory of 2716	3964	cmd.exe	88
PID 3964 wrote to memory of 3164	3964	cmd.exe	89
PID 3964 wrote to memory of 3164	3964	cmd.exe	89
PID 3964 wrote to memory of 1584	3964	cmd.exe	90
PID 3964 wrote to memory of 1584	3964	cmd.exe	90
PID 3964 wrote to memory of 4596	3964	cmd.exe	91
PID 3964 wrote to memory of 4596	3964	cmd.exe	91
PID 3964 wrote to memory of 532	3964	cmd.exe	92
PID 3964 wrote to memory of 532	3964	cmd.exe	92
PID 3964 wrote to memory of 2020	3964	cmd.exe	93
PID 3964 wrote to memory of 2020	3964	cmd.exe	93
PID 3964 wrote to memory of 2724	3964	cmd.exe	94
PID 3964 wrote to memory of 2724	3964	cmd.exe	94
PID 3964 wrote to memory of 4584	3964	cmd.exe	95
PID 3964 wrote to memory of 4584	3964	cmd.exe	95
PID 3964 wrote to memory of 2928	3964	cmd.exe	96
PID 3964 wrote to memory of 2928	3964	cmd.exe	96
PID 3964 wrote to memory of 2308	3964	cmd.exe	97
PID 3964 wrote to memory of 2308	3964	cmd.exe	97
PID 3964 wrote to memory of 3028	3964	cmd.exe	98
PID 3964 wrote to memory of 3028	3964	cmd.exe	98
PID 3964 wrote to memory of 856	3964	cmd.exe	99
PID 3964 wrote to memory of 856	3964	cmd.exe	99
PID 3964 wrote to memory of 4920	3964	cmd.exe	100
PID 3964 wrote to memory of 4920	3964	cmd.exe	100
PID 3964 wrote to memory of 2720	3964	cmd.exe	101
PID 3964 wrote to memory of 2720	3964	cmd.exe	101
PID 3964 wrote to memory of 4968	3964	cmd.exe	102
PID 3964 wrote to memory of 4968	3964	cmd.exe	102
PID 3964 wrote to memory of 2756	3964	cmd.exe	103
PID 3964 wrote to memory of 2756	3964	cmd.exe	103
PID 3964 wrote to memory of 3172	3964	cmd.exe	104
PID 3964 wrote to memory of 3172	3964	cmd.exe	104
PID 3964 wrote to memory of 1652	3964	cmd.exe	105
PID 3964 wrote to memory of 1652	3964	cmd.exe	105
PID 3964 wrote to memory of 3708	3964	cmd.exe	106
PID 3964 wrote to memory of 3708	3964	cmd.exe	106
PID 3964 wrote to memory of 936	3964	cmd.exe	107
PID 3964 wrote to memory of 936	3964	cmd.exe	107
PID 3964 wrote to memory of 1252	3964	cmd.exe	108
PID 3964 wrote to memory of 1252	3964	cmd.exe	108
PID 3964 wrote to memory of 4884	3964	cmd.exe	109
PID 3964 wrote to memory of 4884	3964	cmd.exe	109
PID 3964 wrote to memory of 3444	3964	cmd.exe	110
PID 3964 wrote to memory of 3444	3964	cmd.exe	110
PID 3964 wrote to memory of 1972	3964	cmd.exe	111
PID 3964 wrote to memory of 1972	3964	cmd.exe	111
PID 3964 wrote to memory of 4428	3964	cmd.exe	112
PID 3964 wrote to memory of 4428	3964	cmd.exe	112
PID 3964 wrote to memory of 1900	3964	cmd.exe	113
PID 3964 wrote to memory of 1900	3964	cmd.exe	113
PID 3964 wrote to memory of 1560	3964	cmd.exe	114
PID 3964 wrote to memory of 1560	3964	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\2- Fixer-Help\2- Xbox Help\1- Xbox Service Enabler.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Get-AppxPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register '$($_.InstallLocation)\AppXManifest.xml'}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3644
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:1468
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /fd
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= demand
  2⤵
  PID:216
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= demand
  2⤵
  PID:2716
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= demand
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1584
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= demand
  2⤵
  PID:4596
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= demand
  2⤵
  PID:532
- C:\Windows\system32\sc.exe
  sc config Fax start= demand
  2⤵
  - Launches sc.exe
  PID:2020
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= demand
  2⤵
  - Launches sc.exe
  PID:2724
- C:\Windows\system32\sc.exe
  sc config lfsvc start= demand
  2⤵
  PID:4584
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= demand
  2⤵
  PID:2928
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= demand
  2⤵
  PID:2308
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= demand
  2⤵
  PID:3028
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= demand
  2⤵
  PID:856
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= demand
  2⤵
  PID:4920
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= demand
  2⤵
  PID:2720
- C:\Windows\system32\sc.exe
  sc config CscService start= demand
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config TermService start= demand
  2⤵
  PID:2756
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= demand
  2⤵
  PID:3172
- C:\Windows\system32\sc.exe
  sc config SensorService start= demand
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= demand
  2⤵
  - Launches sc.exe
  PID:3708
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= demand
  2⤵
  - Launches sc.exe
  PID:936
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= demand
  2⤵
  - Launches sc.exe
  PID:1252
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4884
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= demand
  2⤵
  PID:3444
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= demand
  2⤵
  - Launches sc.exe
  PID:1972
- C:\Windows\system32\sc.exe
  sc config WalletService start= demand
  2⤵
  - Launches sc.exe
  PID:4428
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= demand
  2⤵
  - Launches sc.exe
  PID:1900
- C:\Windows\system32\sc.exe
  sc config WebClient start= demand
  2⤵
  PID:1560
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= demand
  2⤵
  - Launches sc.exe
  PID:3432
- C:\Windows\system32\sc.exe
  sc config stisvc start= demand
  2⤵
  PID:1688
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= demand
  2⤵
  PID:3580
- C:\Windows\system32\sc.exe
  sc config icssvc start= demand
  2⤵
  PID:1132
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= demand
  2⤵
  PID:440
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4196
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= demand
  2⤵
  - Launches sc.exe
  PID:1828
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= demand
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= demand
  2⤵
  - Launches sc.exe
  PID:5096
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= demand
  2⤵
  - Launches sc.exe
  PID:2960
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= demand
  2⤵
  - Launches sc.exe
  PID:4132
- C:\Windows\system32\sc.exe
  sc config Backupper Service" start= demand
  2⤵
  - Launches sc.exe
  PID:4832
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= demand
  2⤵
  - Launches sc.exe
  PID:3468
- C:\Windows\system32\sc.exe
  sc config BDESVC start= demand
  2⤵
  - Launches sc.exe
  PID:740
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= demand
  2⤵
  - Launches sc.exe
  PID:1480
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1880
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1500
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= demand
  2⤵
  PID:4476
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= demand
  2⤵
  - Launches sc.exe
  PID:3516
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= demand
  2⤵
  PID:2072
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= demand
  2⤵
  PID:3988
- C:\Windows\system32\sc.exe
  sc config TrkWks start= demand
  2⤵
  - Launches sc.exe
  PID:3524
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= demand
  2⤵
  PID:3408
- C:\Windows\system32\sc.exe
  sc config EFS start= demand
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config fdPHost start= demand
  2⤵
  - Launches sc.exe
  PID:3280
- C:\Windows\system32\sc.exe
  sc config FDResPub start= demand
  2⤵
  - Launches sc.exe
  PID:3868
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= demand
  2⤵
  PID:3116
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= demand
  2⤵
  PID:3544
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= demand
  2⤵
  PID:1104
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= demand
  2⤵
  PID:3908
- C:\Windows\system32\sc.exe
  sc config RasMan start= demand
  2⤵
  - Launches sc.exe
  PID:4940
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  - Launches sc.exe
  PID:3924
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4732
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= demand
  2⤵
  - Launches sc.exe
  PID:4824
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= demand
  2⤵
  - Launches sc.exe
  PID:2584
- C:\Windows\system32\sc.exe
  sc config SysMain start= demand
  2⤵
  PID:3632
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= demand
  2⤵
  PID:3852
- C:\Windows\system32\sc.exe
  sc config lmhosts start= demand
  2⤵
  - Launches sc.exe
  PID:4220
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1032
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= demand
  2⤵
  PID:468
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= demand
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config FontCache start= demand
  2⤵
  PID:1832
- C:\Windows\system32\sc.exe
  sc config W32Time start= demand
  2⤵
  - Launches sc.exe
  PID:1764
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= demand
  2⤵
  PID:2608
- C:\Windows\system32\sc.exe
  sc config DsSvc start= demand
  2⤵
  PID:768
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:1100
- C:\Windows\system32\sc.exe
  sc config diagsvc start= demand
  2⤵
  - Launches sc.exe
  PID:1572
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= demand
  2⤵
  PID:1684
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:2104
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= demand
  2⤵
  PID:1040
- C:\Windows\system32\sc.exe
  sc config AppVClient start= demand
  2⤵
  PID:1372
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= demand
  2⤵
  - Launches sc.exe
  PID:2316
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= demand
  2⤵
  PID:2488
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= demand
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1556
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:3480
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= demand
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= demand
  2⤵
  PID:1564
- C:\Windows\system32\sc.exe
  sc config WerSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4860
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= demand
  2⤵
  - Launches sc.exe
  PID:1848
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:4916
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Enable
  2⤵
  PID:4416
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Enable
  2⤵
  PID:2760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Enable
  2⤵
  PID:444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Enable
  2⤵
  PID:4560
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Enable
  2⤵
  PID:1948
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Enable
  2⤵
  PID:4188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Enable
  2⤵
  PID:2796
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Enable
  2⤵
  PID:3360
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Enable
  2⤵
  PID:4140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Enable
  2⤵
  PID:3260
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Enable
  2⤵
  PID:536
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Enable
  2⤵
  PID:4448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Enable
  2⤵
  PID:4376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Enable
  2⤵
  PID:4364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Enable
  2⤵
  PID:3136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Enable
  2⤵
  PID:1988
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Enable
  2⤵
  PID:384
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Enable
  2⤵
  PID:2732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Enable
  2⤵
  PID:2748
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Enable
  2⤵
  PID:852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Enable
  2⤵
  PID:2168
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Enable
  2⤵
  PID:4652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Enable
  2⤵
  PID:2568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Enable
  2⤵
  PID:4980
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Enable
  2⤵
  PID:2940
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Enable
  2⤵
  PID:4160
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Enable
  2⤵
  PID:3532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Enable
  2⤵
  PID:2144
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Enable
  2⤵
  PID:2672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Enable
  2⤵
  PID:4108
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Enable
  2⤵
  PID:1852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Enable
  2⤵
  PID:2964
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Enable
  2⤵
  PID:3636
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Enable
  2⤵
  PID:4776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Enable
  2⤵
  PID:2300
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Enable
  2⤵
  PID:336
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Enable
  2⤵
  PID:720
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Enable
  2⤵
  PID:4328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Enable
  2⤵
  PID:2548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Enable
  2⤵
  PID:2040
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Enable
  2⤵
  PID:4316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Enable
  2⤵
  PID:228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Enable
  2⤵
  PID:216
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Enable
  2⤵
  PID:2716
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Enable
  2⤵
  PID:2456
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Enable
  2⤵
  PID:2776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Enable
  2⤵
  PID:3696
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Enable
  2⤵
  PID:4692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Enable
  2⤵
  PID:2724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Enable
  2⤵
  PID:5004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Enable
  2⤵
  PID:2196
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Enable
  2⤵
  PID:856
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Enable
  2⤵
  PID:3440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Enable
  2⤵
  PID:3068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Enable
  2⤵
  PID:3612
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Enable
  2⤵
  PID:3708
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Enable
  2⤵
  PID:936
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Enable
  2⤵
  PID:4760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Enable
  2⤵
  PID:3232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Enable
  2⤵
  PID:1972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Enable
  2⤵
  PID:4444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Enable
  2⤵
  PID:4524
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Enable
  2⤵
  PID:2096
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Enable
  2⤵
  PID:1688
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Enable
  2⤵
  PID:2596
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Enable
  2⤵
  PID:2808
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Enable
  2⤵
  PID:3676
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Enable
  2⤵
  PID:1828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Enable
  2⤵
  PID:4648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Enable
  2⤵
  PID:3316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Enable
  2⤵
  PID:4932
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Enable
  2⤵
  PID:400
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Enable
  2⤵
  PID:4812
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Enable
  2⤵
  PID:740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Enable
  2⤵
  PID:1480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Enable
  2⤵
  PID:1880
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Enable
  2⤵
  PID:1488
- C:\Windows\system32\sc.exe
  sc config uhssvc start= demand
  2⤵
  PID:1656
- C:\Windows\system32\sc.exe
  sc config upfc start= demand
  2⤵
  - Launches sc.exe
  PID:4288
- C:\Windows\system32\sc.exe
  sc config PushToInstall start= demand
  2⤵
  - Launches sc.exe
  PID:4844
- C:\Windows\system32\sc.exe
  sc config BITS start= demand
  2⤵
  PID:1064
- C:\Windows\system32\sc.exe
  sc config InstallService start= demand
  2⤵
  PID:4788
- C:\Windows\system32\sc.exe
  sc config uhssvc start= demand
  2⤵
  - Launches sc.exe
  PID:1088
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= demand
  2⤵
  - Launches sc.exe
  PID:4796
- C:\Windows\system32\sc.exe
  sc config wuauserv start= demand
  2⤵
  - Launches sc.exe
  PID:4928
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= demand
  2⤵
  PID:716
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= demand
  2⤵
  - Launches sc.exe
  PID:2880
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:3572
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 3 /f
  2⤵
  - Modifies security service
  PID:4876
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:1620
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:4824
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:4076
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 3 /f
  2⤵
  PID:1032
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:1768
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "0" /f
  2⤵
  PID:2480
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "0" /f
  2⤵
  PID:768
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "0" /f
  2⤵
  PID:1112
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Enable
  2⤵
  PID:3084
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Enable
  2⤵
  PID:2104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Enable
  2⤵
  PID:4292
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Enable
  2⤵
  PID:2316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Enable
  2⤵
  PID:2488
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Enable
  2⤵
  PID:2220
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Enable
  2⤵
  PID:1728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Enable
  2⤵
  PID:3076
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Enable
  2⤵
  PID:2696
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Enable
  2⤵
  PID:1800
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Enable
  2⤵
  PID:1848
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Enable
  2⤵
  PID:4916
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Enable
  2⤵
  PID:2676
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= demand
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= demand
  2⤵
  - Launches sc.exe
  PID:444
- C:\Windows\system32\sc.exe
  sc config WinRM start= demand
  2⤵
  - Launches sc.exe
  PID:4560
- C:\Windows\system32\sc.exe
  sc config RmSvc start= demand
  2⤵
  - Launches sc.exe
  PID:772
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= demand
  2⤵
  PID:2844
- C:\Windows\system32\sc.exe
  sc config Spooler start= demand
  2⤵
  PID:3144
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Enable
  2⤵
  PID:3564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Enable
  2⤵
  PID:2176
- C:\Windows\system32\sc.exe
  sc config BTAGService start= demand
  2⤵
  - Launches sc.exe
  PID:4312
- C:\Windows\system32\sc.exe
  sc config bthserv start= demand
  2⤵
  - Launches sc.exe
  PID:3260
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= demand
  2⤵
  - Launches sc.exe
  PID:4368
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start= demand
  2⤵
  - Launches sc.exe
  PID:4388
- C:\Windows\system32\sc.exe
  sc config NcbService start= demand
  2⤵
  - Launches sc.exe
  PID:1144
- C:\Windows\system32\sc.exe
  sc config ndu start= demand
  2⤵
  - Launches sc.exe
  PID:4400
- C:\Windows\system32\sc.exe
  sc config Netman start= demand
  2⤵
  - Launches sc.exe
  PID:4580
- C:\Windows\system32\sc.exe
  sc config netprofm start= demand
  2⤵
  PID:3136
- C:\Windows\system32\sc.exe
  sc config WwanSvc start= demand
  2⤵
  PID:220
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:4764
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:2468
- C:\Windows\system32\sc.exe
  sc config lmhosts start= auto
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= auto
  2⤵
  - Launches sc.exe
  PID:2748
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  - Launches sc.exe
  PID:852
- C:\Windows\system32\sc.exe
  sc config RmSvc start= auto
  2⤵
  PID:2924
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= auto
  2⤵
  PID:4528
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:4652
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= auto
  2⤵
  - Launches sc.exe
  PID:4972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Enable
  2⤵
  PID:4960
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Enable
  2⤵
  PID:3948
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Enable
  2⤵
  PID:3184
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Enable
  2⤵
  PID:1044
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "0" /f
  2⤵
  PID:5076
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "1" /f
  2⤵
  PID:1788
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "2" /f
  2⤵
  PID:3060
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "2" /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "3" /f
  2⤵
  PID:3208
- C:\Windows\system32\net.exe
  net start DPS
  2⤵
  PID:2064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start DPS
    3⤵
    PID:4136
- C:\Windows\system32\net.exe
  net start nsi
  2⤵
  PID:1468
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start nsi
    3⤵
    PID:4128
- C:\Windows\system32\net.exe
  net start NlaSvc
  2⤵
  PID:4132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start NlaSvc
    3⤵
    PID:1408
- C:\Windows\system32\net.exe
  net start Dhcp
  2⤵
  PID:3900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Dhcp
    3⤵
    PID:4512
- C:\Windows\system32\net.exe
  net start Wcmsvc
  2⤵
  PID:4288
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start Wcmsvc
    3⤵
    PID:4844
- C:\Windows\system32\net.exe
  net start RmSvc
  2⤵
  PID:2416
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start RmSvc
    3⤵
    PID:4732
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_networkadapter where index=0 call disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_networkadapter where index=1 call disable
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:5064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:4328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1zx345gs.r5l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2256-14-0x000001D0727D0000-0x000001D0727DA000-memory.dmp

Filesize
40KB

Download
memory/2256-6-0x000001D072770000-0x000001D072792000-memory.dmp

Filesize
136KB

Download
memory/2256-11-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2256-12-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2256-13-0x000001D072A10000-0x000001D072A26000-memory.dmp

Filesize
88KB

Download
memory/2256-0-0x00007FFB28113000-0x00007FFB28115000-memory.dmp

Filesize
8KB

Download
memory/2256-15-0x000001D074D50000-0x000001D074D76000-memory.dmp

Filesize
152KB

Download
memory/2256-16-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/2256-19-0x00007FFB28110000-0x00007FFB28BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4856-24-0x000001C5669A0000-0x000001C5669B0000-memory.dmp

Filesize
64KB

Download
memory/4856-20-0x000001C566960000-0x000001C566970000-memory.dmp

Filesize
64KB

Download
memory/4856-28-0x000001C56C450000-0x000001C56C451000-memory.dmp

Filesize
4KB

Download