67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c

Resubmissions

27/03/2025, 09:39

250327-lm3m5sslv4 10

27/03/2025, 07:44

250327-jkzscsyxgx 10

27/03/2025, 04:15

250327-evp9fsyrx2 10

Analysis

max time kernel
149s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V7.0.bat
Size

201KB
MD5

c8e2a0c12285b709fc839a4c7cbd6e1a
SHA1

cae0726adbd932745e4e4db37c82c5839f632efa
SHA256

67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c
SHA512

a99ca57c12ab00bd160747812ef71518cff0db5b8962b6b21694f0e9d7682830642290c8cbef7a83368ea7b302730e3d0930761edae15fca51247ee8f14bdc18
SSDEEP

1536:8PSPKdigMQgPTjIV4QJ8STaggyjH/nvfHH4pXfCWOBEzCLiD15ToSmcj/DB:MfjvvfeTTmcTDB

Score

10^/10

defense_evasion evasion execution persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1108	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1648	powershell.exe
2476	powershell.exe
2648	powershell.exe
2236	powershell.exe
784	powershell.exe
2616	powershell.exe
3068	powershell.exe
3028	powershell.exe
2092	powershell.exe
1748	powershell.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2884	powercfg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1748	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2660	sc.exe
2124	sc.exe
864	sc.exe
1152	sc.exe
2648	sc.exe
1612	sc.exe
2900	sc.exe
2884	sc.exe
620	sc.exe
1188	sc.exe
924	sc.exe
1316	sc.exe
484	sc.exe
2644	sc.exe
2972	sc.exe
892	sc.exe
2824	sc.exe
2988	sc.exe
1148	sc.exe
1080	sc.exe
2172	sc.exe
2488	sc.exe
1164	sc.exe
1816	sc.exe
1816	sc.exe
2668	sc.exe
584	sc.exe
2584	sc.exe
2264	sc.exe
2088	sc.exe
1948	sc.exe
2268	sc.exe
1860	sc.exe
1148	sc.exe
2552	sc.exe
3068	sc.exe
2436	sc.exe
2176	sc.exe
2152	sc.exe
2812	sc.exe
892	sc.exe
2712	sc.exe
2740	sc.exe
784	sc.exe
1892	sc.exe
2124	sc.exe
2264	sc.exe
2088	sc.exe
1772	sc.exe
1528	sc.exe
2492	sc.exe
2640	sc.exe
620	sc.exe
1788	sc.exe
1704	sc.exe
1808	sc.exe
2052	sc.exe
716	sc.exe
2816	sc.exe
2740	sc.exe
2620	sc.exe
2676	sc.exe
1528	sc.exe
1504	sc.exe

Delays execution with timeout.exe 64 IoCs

defense_evasion

pid	Process
2848	timeout.exe
2712	timeout.exe
2736	timeout.exe
2084	timeout.exe
2264	timeout.exe
2268	timeout.exe
2212	timeout.exe
1324	timeout.exe
2748	timeout.exe
1800	timeout.exe
2652	timeout.exe
1812	timeout.exe
588	timeout.exe
1620	timeout.exe
2820	timeout.exe
2868	timeout.exe
1964	timeout.exe
1808	timeout.exe
2888	timeout.exe
2608	timeout.exe
376	timeout.exe
2860	timeout.exe
2772	timeout.exe
3052	timeout.exe
1248	timeout.exe
380	timeout.exe
2032	timeout.exe
2612	timeout.exe
1860	timeout.exe
2240	timeout.exe
2860	timeout.exe
2628	timeout.exe
2800	timeout.exe
2600	timeout.exe
2520	timeout.exe
1896	timeout.exe
1380	timeout.exe
2692	timeout.exe
2252	timeout.exe
1864	timeout.exe
2644	timeout.exe
2928	timeout.exe
1080	timeout.exe
2584	timeout.exe
1924	timeout.exe
940	timeout.exe
2044	timeout.exe
1524	timeout.exe
2876	timeout.exe
704	timeout.exe
1592	timeout.exe
2416	timeout.exe
1940	timeout.exe
1600	timeout.exe
2828	timeout.exe
2820	timeout.exe
1816	timeout.exe
1188	timeout.exe
2684	timeout.exe
2864	timeout.exe
1780	timeout.exe
2404	timeout.exe
1964	timeout.exe
2564	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Modifies data under HKEY_USERS 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CLSID	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2808	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	powershell.exe
2476	powershell.exe
2648	powershell.exe
2236	powershell.exe
784	powershell.exe
1748	powershell.exe
3028	powershell.exe
2092	powershell.exe
2616	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeBackupPrivilege	1712	vssvc.exe
Token: SeRestorePrivilege	1712	vssvc.exe
Token: SeAuditPrivilege	1712	vssvc.exe
Token: SeRestorePrivilege	2548	DrvInst.exe
Token: SeRestorePrivilege	2548	DrvInst.exe
Token: SeRestorePrivilege	2548	DrvInst.exe
Token: SeRestorePrivilege	2548	DrvInst.exe
Token: SeRestorePrivilege	2548	DrvInst.exe
Token: SeRestorePrivilege	2548	DrvInst.exe
Token: SeRestorePrivilege	2548	DrvInst.exe
Token: SeLoadDriverPrivilege	2548	DrvInst.exe
Token: SeLoadDriverPrivilege	2548	DrvInst.exe
Token: SeLoadDriverPrivilege	2548	DrvInst.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeShutdownPrivilege	2884	powercfg.exe
Token: SeShutdownPrivilege	2884	powercfg.exe
Token: SeShutdownPrivilege	2884	powercfg.exe
Token: SeShutdownPrivilege	2884	powercfg.exe
Token: SeShutdownPrivilege	2884	powercfg.exe
Token: SeCreatePagefilePrivilege	2884	powercfg.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1756	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1904	2532	cmd.exe	31
PID 2532 wrote to memory of 1904	2532	cmd.exe	31
PID 2532 wrote to memory of 1904	2532	cmd.exe	31
PID 2532 wrote to memory of 1524	2532	cmd.exe	32
PID 2532 wrote to memory of 1524	2532	cmd.exe	32
PID 2532 wrote to memory of 1524	2532	cmd.exe	32
PID 1524 wrote to memory of 2356	1524	cmd.exe	33
PID 1524 wrote to memory of 2356	1524	cmd.exe	33
PID 1524 wrote to memory of 2356	1524	cmd.exe	33
PID 1524 wrote to memory of 2092	1524	cmd.exe	34
PID 1524 wrote to memory of 2092	1524	cmd.exe	34
PID 1524 wrote to memory of 2092	1524	cmd.exe	34
PID 2532 wrote to memory of 3068	2532	cmd.exe	35
PID 2532 wrote to memory of 3068	2532	cmd.exe	35
PID 2532 wrote to memory of 3068	2532	cmd.exe	35
PID 2532 wrote to memory of 2476	2532	cmd.exe	36
PID 2532 wrote to memory of 2476	2532	cmd.exe	36
PID 2532 wrote to memory of 2476	2532	cmd.exe	36
PID 2532 wrote to memory of 2884	2532	cmd.exe	38
PID 2532 wrote to memory of 2884	2532	cmd.exe	38
PID 2532 wrote to memory of 2884	2532	cmd.exe	38
PID 2532 wrote to memory of 2640	2532	cmd.exe	39
PID 2532 wrote to memory of 2640	2532	cmd.exe	39
PID 2532 wrote to memory of 2640	2532	cmd.exe	39
PID 2532 wrote to memory of 2860	2532	cmd.exe	40
PID 2532 wrote to memory of 2860	2532	cmd.exe	40
PID 2532 wrote to memory of 2860	2532	cmd.exe	40
PID 2532 wrote to memory of 2628	2532	cmd.exe	41
PID 2532 wrote to memory of 2628	2532	cmd.exe	41
PID 2532 wrote to memory of 2628	2532	cmd.exe	41
PID 2532 wrote to memory of 2800	2532	cmd.exe	42
PID 2532 wrote to memory of 2800	2532	cmd.exe	42
PID 2532 wrote to memory of 2800	2532	cmd.exe	42
PID 2800 wrote to memory of 1776	2800	net.exe	43
PID 2800 wrote to memory of 1776	2800	net.exe	43
PID 2800 wrote to memory of 1776	2800	net.exe	43
PID 2532 wrote to memory of 2876	2532	cmd.exe	44
PID 2532 wrote to memory of 2876	2532	cmd.exe	44
PID 2532 wrote to memory of 2876	2532	cmd.exe	44
PID 2532 wrote to memory of 2828	2532	cmd.exe	45
PID 2532 wrote to memory of 2828	2532	cmd.exe	45
PID 2532 wrote to memory of 2828	2532	cmd.exe	45
PID 2532 wrote to memory of 2776	2532	cmd.exe	46
PID 2532 wrote to memory of 2776	2532	cmd.exe	46
PID 2532 wrote to memory of 2776	2532	cmd.exe	46
PID 2532 wrote to memory of 2652	2532	cmd.exe	47
PID 2532 wrote to memory of 2652	2532	cmd.exe	47
PID 2532 wrote to memory of 2652	2532	cmd.exe	47
PID 2532 wrote to memory of 2864	2532	cmd.exe	48
PID 2532 wrote to memory of 2864	2532	cmd.exe	48
PID 2532 wrote to memory of 2864	2532	cmd.exe	48
PID 2532 wrote to memory of 2608	2532	cmd.exe	49
PID 2532 wrote to memory of 2608	2532	cmd.exe	49
PID 2532 wrote to memory of 2608	2532	cmd.exe	49
PID 2532 wrote to memory of 2616	2532	cmd.exe	50
PID 2532 wrote to memory of 2616	2532	cmd.exe	50
PID 2532 wrote to memory of 2616	2532	cmd.exe	50
PID 2532 wrote to memory of 2624	2532	cmd.exe	51
PID 2532 wrote to memory of 2624	2532	cmd.exe	51
PID 2532 wrote to memory of 2624	2532	cmd.exe	51
PID 2532 wrote to memory of 2648	2532	cmd.exe	52
PID 2532 wrote to memory of 2648	2532	cmd.exe	52
PID 2532 wrote to memory of 2648	2532	cmd.exe	52
PID 2532 wrote to memory of 2236	2532	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
    3⤵
    PID:2356
- - C:\Windows\system32\findstr.exe
    findstr "REG_SZ"
    3⤵
    PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  - Launches sc.exe
  PID:2884
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:2640
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:2860
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=auto
  2⤵
  PID:2628
- C:\Windows\system32\net.exe
  net start TrustedInstaller
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 start TrustedInstaller
    3⤵
    PID:1776
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2876
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  PID:2828
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:2776
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:2652
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2864
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2608
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2616
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:600
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:2896
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Checkpoint-Computer -Description 'OneClick V7.0 Restore Point'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:376
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:972
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1380
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2040
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:1924
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:968
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:2452
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2968
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:2032
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:1772
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:1940
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2204
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1188
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1928
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1592
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:288
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2448
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:2544
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2264
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:2468
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1812
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:892
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2684
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:1960
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1964
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:1508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:2552
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:2244
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:2564
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:2432
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:2304
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:1904
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:1864
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:2356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2848
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:2708
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2824
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:2712
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2820
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:2880
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2268
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2808
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2416
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:880
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:2912
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:3020
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2612
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2908
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:2872
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2860
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:2960
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:1776
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2772
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:2140
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:2652
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2864
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:2648
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:588
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1480
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1860
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:536
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:1900
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  PID:1292
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:992
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:1396
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  PID:584
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:1612
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  PID:2900
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  - Launches sc.exe
  PID:1704
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  PID:3004
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:2988
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  - Launches sc.exe
  PID:2644
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  PID:1312
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  - Launches sc.exe
  PID:2488
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  PID:620
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:2436
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  - Launches sc.exe
  PID:2584
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  - Launches sc.exe
  PID:2972
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:2124
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:1788
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1148
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:604
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:484
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  - Launches sc.exe
  PID:784
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:376
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  PID:2040
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:1164
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:2072
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  PID:2212
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:1188
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  - Launches sc.exe
  PID:1892
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:1816
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  PID:2352
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:2176
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:2996
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:2964
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:2152
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:2744
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  PID:924
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  - Launches sc.exe
  PID:1528
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:288
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  PID:2360
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:2116
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:716
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  PID:2424
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:2980
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:1152
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  - Launches sc.exe
  PID:1808
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  - Launches sc.exe
  PID:2264
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:896
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  - Launches sc.exe
  PID:892
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  - Launches sc.exe
  PID:1080
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  - Launches sc.exe
  PID:1948
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:1512
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:2552
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  - Launches sc.exe
  PID:1504
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:2432
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:1904
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  PID:1736
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:2100
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  - Launches sc.exe
  PID:2088
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  PID:2332
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  - Launches sc.exe
  PID:2172
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:2492
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:2256
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  PID:1516
- C:\Windows\system32\sc.exe
  sc config MSDTC start=disabled
  2⤵
  PID:3068
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  PID:2824
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  - Launches sc.exe
  PID:2712
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  PID:2816
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  - Launches sc.exe
  PID:2268
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:3008
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:880
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  PID:2084
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:2612
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:2640
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:2884
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2740
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:2800
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  PID:2876
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2660
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:2620
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  PID:2676
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  PID:2192
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:2668
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:1780
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:2656
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:2648
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:768
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1860
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:536
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:1900
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  PID:1292
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:992
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:1396
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:584
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:1612
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:2900
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  PID:3004
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  - Launches sc.exe
  PID:2052
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:2988
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:2644
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:1312
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  PID:2488
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  - Launches sc.exe
  PID:620
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:2436
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:2584
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2124
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  PID:1788
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  - Launches sc.exe
  PID:1148
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  PID:604
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:484
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:784
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  PID:376
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  PID:2040
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:1164
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:2072
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  - Launches sc.exe
  PID:1772
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:2212
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  - Launches sc.exe
  PID:1188
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:1892
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  - Launches sc.exe
  PID:1816
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:2352
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  - Launches sc.exe
  PID:2176
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:2996
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:2964
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  - Launches sc.exe
  PID:864
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  PID:2744
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  - Launches sc.exe
  PID:924
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  - Launches sc.exe
  PID:1528
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  PID:288
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  PID:2360
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:2116
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  - Launches sc.exe
  PID:716
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:2424
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:2980
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  - Launches sc.exe
  PID:1152
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:1808
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  - Launches sc.exe
  PID:2264
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:896
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  - Launches sc.exe
  PID:892
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:1080
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:1948
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:1512
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  - Launches sc.exe
  PID:2552
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  PID:2432
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:1752
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:1904
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  PID:1736
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:2100
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2088
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  PID:2332
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  - Launches sc.exe
  PID:2492
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:2256
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:1516
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3068
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  - Launches sc.exe
  PID:2824
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  PID:2712
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2816
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  PID:3008
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  PID:880
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:2084
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  PID:2612
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  - Launches sc.exe
  PID:2640
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:2884
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  - Launches sc.exe
  PID:2740
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:2800
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:2876
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  PID:2660
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2676
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:2192
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2668
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  PID:1780
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:2656
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  - Launches sc.exe
  PID:2648
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:768
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  PID:1860
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  PID:536
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:1900
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  PID:1292
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  PID:992
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  - Launches sc.exe
  PID:1316
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:1396
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  - Launches sc.exe
  PID:584
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  - Launches sc.exe
  PID:1612
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  - Launches sc.exe
  PID:2900
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:3004
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  - Launches sc.exe
  PID:2988
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:2644
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:1312
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  PID:2488
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  - Launches sc.exe
  PID:620
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  - Launches sc.exe
  PID:2436
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:2584
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  - Launches sc.exe
  PID:2124
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  - Launches sc.exe
  PID:1788
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:1148
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  PID:604
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  - Launches sc.exe
  PID:484
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:784
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:376
- C:\Windows\system32\sc.exe
  sc config smphost start=disabled
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:2040
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:1164
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  PID:2072
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  PID:2212
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:1188
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:1892
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  PID:1816
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  PID:2352
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:2176
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:2996
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  PID:2964
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  PID:2152
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:2744
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:924
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  PID:1528
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:288
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:2360
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:2116
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  PID:716
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:2424
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:2980
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:1152
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:1808
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  PID:2264
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:896
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  PID:892
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:1080
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:1948
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:1652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:2528
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:2028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:1600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:1604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:1720
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:1608
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:2328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:3012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:2160
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:2324
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:1956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:1880
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:2696
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:1516
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2804
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2824
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2820
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2880
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:1572
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:2868
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:2268
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:2720
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:880
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2136
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:2184
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:2628
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:2884
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:1800
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:2716
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:2800
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:2828
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:2780
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:2600
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:2608
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:2652
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:2680
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:2676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:2624
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:2180
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:2192
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:1008
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1780
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:2648
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- - C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1756
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:2692
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2080
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2548
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2052
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:1244
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2976
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2644
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:712
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3052
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:3040
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2584
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1236
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1248
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2124
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:1548
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1484
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:352
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:604
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:972
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:484
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:784
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1924
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:996
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1620
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:3000
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2032
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1164
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1940
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1928
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2212
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2260
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:940
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1188
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:380
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2956
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1816
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2844
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2928
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2176
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2404
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:276
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1324
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2996
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1896
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1976
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:864
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:924
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:1592
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:288
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:1708
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:824
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2116
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:716
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2252
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1812
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1808
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2684
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2044
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:896
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1964
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1508
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1080
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1948
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3032
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1652
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2564
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1576
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1600
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2512
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1864
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1720
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2356
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2852
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2328
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2316
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1524
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2160
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2240
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2092
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:1956
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2172
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2848
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2696
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2708
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  PID:3068
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2832
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2888
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2520
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2748
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2824
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2820
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2880
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2712
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:1572
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2868
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:3008
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2736
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2908
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2084
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2872
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2860
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2632
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2628
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2884
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1800
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2716
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2800
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2140
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2828
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2780
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2600
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2608
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000005D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
234a1fddb41cd66f7f2e611c34558fca

SHA1
10ec2c900f82b5ff2961a7ea93c266453cfe483f

SHA256
88930335f831116800827bf4a5ca239ae65c16595ca9338592a418f9e6d02d37

SHA512
31fef34e6eecba5acebeb02da26d323c1ac2066bf7ba472f2edac187b74bf80d493d37b69041217b8aa5830caee034c43368ecfcb2ba62bcd93ae96c6402b760

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4692379df705f6adc91ac4b00e489c80

SHA1
6ac7128e208285aef9119bec0d5805791c5ea35a

SHA256
fde9cd0be58f2e2b6512677418b28e8c84c010a9c13902c7bd2b7f2221c43aed

SHA512
fc7b7624aff3861f0c3917422cb530f79bbac9dfe22c5644d745731417b9b984bc13533a7c771c792e210a1ba6f891da07e46adcd846b8a6a0a947f5ca014abd

Download Submit
memory/1756-59-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1756-60-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1756-61-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2476-15-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2476-16-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/3068-6-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/3068-8-0x000000000283B000-0x00000000028A2000-memory.dmp

Filesize
412KB

Download
memory/3068-7-0x0000000002834000-0x0000000002837000-memory.dmp

Filesize
12KB

Download
memory/3068-9-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/3068-5-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/3068-4-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

Filesize
4KB

Download