67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c

Resubmissions

27/03/2025, 09:39

250327-lm3m5sslv4 10

27/03/2025, 07:44

250327-jkzscsyxgx 10

27/03/2025, 04:15

250327-evp9fsyrx2 10

Analysis

max time kernel
97s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 09:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V7.0.bat
Size

201KB
MD5

c8e2a0c12285b709fc839a4c7cbd6e1a
SHA1

cae0726adbd932745e4e4db37c82c5839f632efa
SHA256

67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c
SHA512

a99ca57c12ab00bd160747812ef71518cff0db5b8962b6b21694f0e9d7682830642290c8cbef7a83368ea7b302730e3d0930761edae15fca51247ee8f14bdc18
SSDEEP

1536:8PSPKdigMQgPTjIV4QJ8STaggyjH/nvfHH4pXfCWOBEzCLiD15ToSmcj/DB:MfjvvfeTTmcTDB

Score

10^/10

defense_evasion discovery evasion execution persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3796	bcdedit.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4736	powershell.exe
632	powershell.exe
2856	powershell.exe
3844	powershell.exe
3348	powershell.exe
388	powershell.exe
1460	powershell.exe
116	powershell.exe
1320	powershell.exe
2984	powershell.exe
3932	powershell.exe
5860	powershell.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 3 IoCs

pid	Process
4396	OOSU10.exe
3844	NSudoLG.exe
2700	NSudoLG.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1320	icacls.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
37	raw.githubusercontent.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4656	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-308834014-1004923324-1191300197-1000.dat	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontSet-S-1-5-21-308834014-1004923324-1191300197-1000.dat	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\	svchost.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1460	powershell.exe
2952	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3620	sc.exe
2396	sc.exe
4676	sc.exe
5536	sc.exe
3892	sc.exe
2208	sc.exe
2812	sc.exe
4804	sc.exe
5072	sc.exe
4412	sc.exe
3504	sc.exe
3916	sc.exe
5784	sc.exe
1604	sc.exe
4620	sc.exe
2132	sc.exe
6080	sc.exe
2076	sc.exe
4184	sc.exe
3608	sc.exe
4688	sc.exe
5912	sc.exe
1176	sc.exe
3452	sc.exe
2984	sc.exe
628	sc.exe
1568	sc.exe
6136	sc.exe
3892	sc.exe
2236	sc.exe
2072	sc.exe
4184	sc.exe
4456	sc.exe
3908	sc.exe
5284	sc.exe
4976	sc.exe
3516	sc.exe
3344	sc.exe
3312	sc.exe
3256	sc.exe
3872	sc.exe
1656	sc.exe
2836	sc.exe
5052	sc.exe
2804	sc.exe
1176	sc.exe
3848	sc.exe
5864	sc.exe
4896	sc.exe
3832	sc.exe
4076	sc.exe
4396	sc.exe
6020	sc.exe
4280	sc.exe
1944	sc.exe
1412	sc.exe
2100	sc.exe
4196	sc.exe
6020	sc.exe
5112	sc.exe
2836	sc.exe
744	sc.exe
4972	sc.exe
4404	sc.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005c00d8281e7515450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005c00d8280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005c00d828000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5c00d828000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005c00d82800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 49 IoCs

defense_evasion

pid	Process
2884	timeout.exe
5144	timeout.exe
3632	timeout.exe
3844	timeout.exe
4776	timeout.exe
2396	timeout.exe
5452	timeout.exe
464	timeout.exe
3796	timeout.exe
2796	timeout.exe
2392	timeout.exe
5404	timeout.exe
5980	timeout.exe
344	timeout.exe
2768	timeout.exe
3196	timeout.exe
1912	timeout.exe
3848	timeout.exe
5240	timeout.exe
5236	timeout.exe
3088	timeout.exe
5600	timeout.exe
4184	timeout.exe
4604	timeout.exe
212	timeout.exe
3828	timeout.exe
3400	timeout.exe
212	timeout.exe
3620	timeout.exe
4720	timeout.exe
3628	timeout.exe
3584	timeout.exe
5540	timeout.exe
6004	timeout.exe
2216	timeout.exe
2916	timeout.exe
4720	timeout.exe
3828	timeout.exe
5356	timeout.exe
5544	timeout.exe
684	timeout.exe
2276	timeout.exe
1656	timeout.exe
5632	timeout.exe
312	timeout.exe
4708	timeout.exe
2052	timeout.exe
640	timeout.exe
3412	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
6076	taskkill.exe

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	OOSU10.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\BaseUri = "https://fs.microsoft.com/fs/windows/fonts"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\ConfigExpiration = "133881468939363499"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\CachedFontSetName = "fontset-2017-04.json"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\FontSetGeneration = "2"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\LocalFontSetName = "fontset-2017-04.json"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\FontSetGeneration = "3"	svchost.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\CLSID	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ShowSearchSuggestionsGlobal = "0"	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory\ = "0"	OOSU10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no"	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0"	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\EnableCortana = "0"	OOSU10.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	OOSU10.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1"	OOSU10.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2372	reg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3844	powershell.exe
3844	powershell.exe
3348	powershell.exe
3348	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
632	powershell.exe
632	powershell.exe
632	powershell.exe
1460	powershell.exe
1460	powershell.exe
1460	powershell.exe
116	powershell.exe
116	powershell.exe
116	powershell.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
3932	powershell.exe
3932	powershell.exe
3932	powershell.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe
5860	powershell.exe
5860	powershell.exe
5860	powershell.exe
2984	powershell.exe
2984	powershell.exe
2984	powershell.exe
428	svchost.exe
428	svchost.exe
3844	NSudoLG.exe
3844	NSudoLG.exe
2700	NSudoLG.exe
2700	NSudoLG.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeBackupPrivilege	2036	vssvc.exe
Token: SeRestorePrivilege	2036	vssvc.exe
Token: SeAuditPrivilege	2036	vssvc.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	116	powershell.exe
Token: SeBackupPrivilege	4280	srtasks.exe
Token: SeRestorePrivilege	4280	srtasks.exe
Token: SeSecurityPrivilege	4280	srtasks.exe
Token: SeTakeOwnershipPrivilege	4280	srtasks.exe
Token: SeBackupPrivilege	4280	srtasks.exe
Token: SeRestorePrivilege	4280	srtasks.exe
Token: SeSecurityPrivilege	4280	srtasks.exe
Token: SeTakeOwnershipPrivilege	4280	srtasks.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeShutdownPrivilege	4656	powercfg.exe
Token: SeCreatePagefilePrivilege	4656	powercfg.exe
Token: SeShutdownPrivilege	4656	powercfg.exe
Token: SeCreatePagefilePrivilege	4656	powercfg.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeIncreaseQuotaPrivilege	2856	powershell.exe
Token: SeSecurityPrivilege	2856	powershell.exe
Token: SeTakeOwnershipPrivilege	2856	powershell.exe
Token: SeLoadDriverPrivilege	2856	powershell.exe
Token: SeSystemProfilePrivilege	2856	powershell.exe
Token: SeSystemtimePrivilege	2856	powershell.exe
Token: SeProfSingleProcessPrivilege	2856	powershell.exe
Token: SeIncBasePriorityPrivilege	2856	powershell.exe
Token: SeCreatePagefilePrivilege	2856	powershell.exe
Token: SeBackupPrivilege	2856	powershell.exe
Token: SeRestorePrivilege	2856	powershell.exe
Token: SeShutdownPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeSystemEnvironmentPrivilege	2856	powershell.exe
Token: SeRemoteShutdownPrivilege	2856	powershell.exe
Token: SeUndockPrivilege	2856	powershell.exe
Token: SeManageVolumePrivilege	2856	powershell.exe
Token: 33	2856	powershell.exe
Token: 34	2856	powershell.exe
Token: 35	2856	powershell.exe
Token: 36	2856	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	4668	Taskmgr.exe
Token: SeSystemProfilePrivilege	4668	Taskmgr.exe
Token: SeCreateGlobalPrivilege	4668	Taskmgr.exe
Token: SeDebugPrivilege	6076	taskkill.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	5860	powershell.exe
Token: SeIncreaseQuotaPrivilege	5860	powershell.exe
Token: SeSecurityPrivilege	5860	powershell.exe
Token: SeTakeOwnershipPrivilege	5860	powershell.exe
Token: SeLoadDriverPrivilege	5860	powershell.exe
Token: SeSystemProfilePrivilege	5860	powershell.exe
Token: SeSystemtimePrivilege	5860	powershell.exe
Token: SeProfSingleProcessPrivilege	5860	powershell.exe
Token: SeIncBasePriorityPrivilege	5860	powershell.exe
Token: SeCreatePagefilePrivilege	5860	powershell.exe
Token: SeBackupPrivilege	5860	powershell.exe
Token: SeRestorePrivilege	5860	powershell.exe
Token: SeShutdownPrivilege	5860	powershell.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe
4668	Taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 5884	2144	cmd.exe	89
PID 2144 wrote to memory of 5884	2144	cmd.exe	89
PID 2144 wrote to memory of 6056	2144	cmd.exe	90
PID 2144 wrote to memory of 6056	2144	cmd.exe	90
PID 6056 wrote to memory of 2132	6056	cmd.exe	91
PID 6056 wrote to memory of 2132	6056	cmd.exe	91
PID 6056 wrote to memory of 3848	6056	cmd.exe	92
PID 6056 wrote to memory of 3848	6056	cmd.exe	92
PID 2144 wrote to memory of 3844	2144	cmd.exe	93
PID 2144 wrote to memory of 3844	2144	cmd.exe	93
PID 2144 wrote to memory of 3348	2144	cmd.exe	94
PID 2144 wrote to memory of 3348	2144	cmd.exe	94
PID 2144 wrote to memory of 2604	2144	cmd.exe	105
PID 2144 wrote to memory of 2604	2144	cmd.exe	105
PID 2144 wrote to memory of 532	2144	cmd.exe	106
PID 2144 wrote to memory of 532	2144	cmd.exe	106
PID 2144 wrote to memory of 3040	2144	cmd.exe	107
PID 2144 wrote to memory of 3040	2144	cmd.exe	107
PID 2144 wrote to memory of 2052	2144	cmd.exe	108
PID 2144 wrote to memory of 2052	2144	cmd.exe	108
PID 2144 wrote to memory of 3400	2144	cmd.exe	109
PID 2144 wrote to memory of 3400	2144	cmd.exe	109
PID 2144 wrote to memory of 2840	2144	cmd.exe	111
PID 2144 wrote to memory of 2840	2144	cmd.exe	111
PID 2144 wrote to memory of 432	2144	cmd.exe	112
PID 2144 wrote to memory of 432	2144	cmd.exe	112
PID 2144 wrote to memory of 3672	2144	cmd.exe	113
PID 2144 wrote to memory of 3672	2144	cmd.exe	113
PID 2144 wrote to memory of 4612	2144	cmd.exe	114
PID 2144 wrote to memory of 4612	2144	cmd.exe	114
PID 2144 wrote to memory of 5248	2144	cmd.exe	115
PID 2144 wrote to memory of 5248	2144	cmd.exe	115
PID 2144 wrote to memory of 2396	2144	cmd.exe	116
PID 2144 wrote to memory of 2396	2144	cmd.exe	116
PID 2144 wrote to memory of 5608	2144	cmd.exe	117
PID 2144 wrote to memory of 5608	2144	cmd.exe	117
PID 2144 wrote to memory of 5108	2144	cmd.exe	118
PID 2144 wrote to memory of 5108	2144	cmd.exe	118
PID 2144 wrote to memory of 388	2144	cmd.exe	119
PID 2144 wrote to memory of 388	2144	cmd.exe	119
PID 2144 wrote to memory of 4736	2144	cmd.exe	120
PID 2144 wrote to memory of 4736	2144	cmd.exe	120
PID 2144 wrote to memory of 3656	2144	cmd.exe	122
PID 2144 wrote to memory of 3656	2144	cmd.exe	122
PID 2144 wrote to memory of 4972	2144	cmd.exe	123
PID 2144 wrote to memory of 4972	2144	cmd.exe	123
PID 2144 wrote to memory of 2816	2144	cmd.exe	124
PID 2144 wrote to memory of 2816	2144	cmd.exe	124
PID 2144 wrote to memory of 684	2144	cmd.exe	125
PID 2144 wrote to memory of 684	2144	cmd.exe	125
PID 2144 wrote to memory of 632	2144	cmd.exe	126
PID 2144 wrote to memory of 632	2144	cmd.exe	126
PID 2144 wrote to memory of 3632	2144	cmd.exe	133
PID 2144 wrote to memory of 3632	2144	cmd.exe	133
PID 2144 wrote to memory of 2636	2144	cmd.exe	134
PID 2144 wrote to memory of 2636	2144	cmd.exe	134
PID 2144 wrote to memory of 212	2144	cmd.exe	135
PID 2144 wrote to memory of 212	2144	cmd.exe	135
PID 2144 wrote to memory of 3252	2144	cmd.exe	136
PID 2144 wrote to memory of 3252	2144	cmd.exe	136
PID 2144 wrote to memory of 5704	2144	cmd.exe	137
PID 2144 wrote to memory of 5704	2144	cmd.exe	137
PID 2144 wrote to memory of 2960	2144	cmd.exe	138
PID 2144 wrote to memory of 2960	2144	cmd.exe	138

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	OOSU10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6056
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
    3⤵
    PID:2132
- - C:\Windows\system32\findstr.exe
    findstr "REG_SZ"
    3⤵
    PID:3848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3348
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:2604
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:532
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:3040
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Oneclick/raw/refs/heads/main/Downloads/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  2⤵
  PID:2052
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3400
- C:\Windows\system32\tar.exe
  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  2⤵
  PID:2840
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  PID:432
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:3672
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:4612
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5248
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2396
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5608
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:4972
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:2816
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Checkpoint-Computer -Description 'OneClick V7.0 Restore Point'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3632
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2636
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:212
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3252
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:5704
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:2960
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:1204
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:312
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:2352
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:4416
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:5400
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4424
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:344
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:4564
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3372
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2768
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:1100
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2216
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:1912
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3196
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1604
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5144
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:2156
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5452
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:924
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2916
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:5920
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:5536
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:3480
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:4268
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:5756
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:812
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:1132
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:4456
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:464
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:3848
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:408
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:5556
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5396
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3620
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4404
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4196
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1656
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:4412
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3796
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:2372
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3844
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:1816
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:2324
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4184
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2100
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:3760
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4708
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:3256
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4720
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:2208
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2052
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:4728
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1912
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3628
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:5864
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2796
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1224
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2392
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:1124
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  PID:6076
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:3608
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  PID:5336
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  - Launches sc.exe
  PID:1176
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  - Launches sc.exe
  PID:4896
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:4464
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  PID:5180
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  - Launches sc.exe
  PID:4280
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  PID:2916
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:5920
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  - Launches sc.exe
  PID:5536
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  PID:1800
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  PID:2092
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:4292
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  PID:4020
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:812
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:6028
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  PID:5868
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:948
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:6000
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  - Launches sc.exe
  PID:4620
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:672
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:3228
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  PID:5832
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  PID:1412
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:5284
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:5524
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  PID:632
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  PID:3968
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:3952
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:4120
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  PID:3848
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  PID:2636
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:4396
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:4512
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:212
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:5500
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:2188
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:2280
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  PID:1456
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  PID:4016
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  - Launches sc.exe
  PID:6080
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:4196
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:5856
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:2940
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:4932
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:4948
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  PID:4416
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:3916
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:5256
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  PID:2552
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:1552
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  PID:1816
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  - Launches sc.exe
  PID:3832
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  - Launches sc.exe
  PID:2804
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  PID:1636
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  - Launches sc.exe
  PID:2100
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:3760
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:5016
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  PID:5664
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  - Launches sc.exe
  PID:2076
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  - Launches sc.exe
  PID:3256
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:4748
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:2760
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  PID:5680
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  PID:428
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  PID:736
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  PID:5248
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  PID:2276
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  PID:5608
- C:\Windows\system32\sc.exe
  sc config MSDTC start=disabled
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:4820
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:4360
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  PID:5192
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  PID:1508
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  PID:1664
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  - Launches sc.exe
  PID:744
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:2920
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:2232
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:2448
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3452
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:3808
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  PID:2004
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:2684
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:5144
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  PID:2156
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:2176
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  - Launches sc.exe
  PID:1176
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:924
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:4488
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:5240
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:3500
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:4800
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:684
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  PID:2916
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  PID:5920
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:3648
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:2712
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:2632
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:2092
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:4292
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:812
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:5868
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:948
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:3872
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  PID:2912
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  PID:4576
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  PID:2488
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  PID:2556
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  PID:3988
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  PID:1216
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  PID:4516
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:3632
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:3848
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  - Launches sc.exe
  PID:5784
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  PID:640
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:628
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:5556
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:2960
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:1744
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  - Launches sc.exe
  PID:3620
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  PID:5316
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:3136
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  - Launches sc.exe
  PID:4196
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:5856
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  - Launches sc.exe
  PID:4412
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:4956
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:3444
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  PID:668
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  PID:3796
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:2372
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  PID:3844
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  PID:1700
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:3308
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  PID:4152
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  - Launches sc.exe
  PID:4184
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  PID:3400
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:2672
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  PID:3760
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:5016
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  PID:5664
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:3404
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  PID:4780
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:4976
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:2208
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:2072
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:5268
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  PID:3860
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  - Launches sc.exe
  PID:2396
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:2988
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  PID:5140
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  PID:5308
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:5392
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:1920
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  PID:5080
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  PID:5788
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:1664
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  PID:744
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:2920
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:3044
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  PID:4128
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:396
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  PID:2796
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  PID:4060
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:2288
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  PID:888
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:5368
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  PID:2684
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  - Launches sc.exe
  PID:3608
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  - Launches sc.exe
  PID:4972
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:2176
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:3460
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  PID:5820
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:5240
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:3656
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:2316
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  PID:704
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:2916
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  PID:5536
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:5216
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:3684
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:1804
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:5756
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3892
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:4456
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  PID:6008
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  PID:2416
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:5848
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  - Launches sc.exe
  PID:3872
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  PID:3236
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:2912
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  PID:4576
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:1244
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  PID:5832
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  PID:5272
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:5612
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:2132
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:464
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:3632
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:2636
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  - Launches sc.exe
  PID:3504
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  PID:3056
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  PID:640
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:628
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:5556
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  PID:1204
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:1960
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:5512
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  - Launches sc.exe
  PID:3516
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  - Launches sc.exe
  PID:1656
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:4196
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:2940
- C:\Windows\system32\sc.exe
  sc config smphost start=disabled
  2⤵
  PID:4100
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:232
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:2500
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:4416
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  - Launches sc.exe
  PID:3916
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:5256
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  PID:2552
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:1552
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:2324
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  PID:4152
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  - Launches sc.exe
  PID:4184
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:3400
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:2216
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  PID:3392
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  PID:536
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  PID:5768
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:4668
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:4720
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  PID:5632
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  PID:2760
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  - Launches sc.exe
  PID:2208
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:3172
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:736
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  - Launches sc.exe
  PID:2812
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:2848
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:5608
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  - Launches sc.exe
  PID:4804
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  PID:4908
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:2240
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  - Launches sc.exe
  PID:3344
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:220
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5404
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5980
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:1944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:4212
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:2448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:1220
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:3808
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:2288
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:2856
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:5368
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:2684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:5336
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:3052
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:2176
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:6016
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:4464
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:5820
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5240
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5668
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5836
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5536
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5216
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3684
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5568
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2296
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:1764
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:4456
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:948
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:6020
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:3236
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:3228
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:5488
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:1412
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:3016
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:5272
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:5612
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:2132
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:5912
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:5784
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:4396
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:3056
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:5500
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:2188
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:1744
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:1960
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:5512
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:3516
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:5856
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:4944
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:1608
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3476
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3584
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:3588
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:5256
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- - C:\Windows\system32\Taskmgr.exe
    "C:\Windows\system32\Taskmgr.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4668
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:4720
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:5176
- C:\Windows\system32\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6076
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
  2⤵
  PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
  2⤵
  PID:3648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:1320
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4516
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3848
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2636
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5784
- C:\Oneclick Tools\OOshutup10\OOSU10.exe
  "C:\Oneclick Tools\OOshutup10\OOSU10.exe" "C:\Oneclick Tools\OOshutup10\QuakedOOshutup10.cfg" /quiet
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Modifies Control Panel
  - Modifies registry class
  - System policy modification
  PID:4396
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3828
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1992
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5632
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2816
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5240
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:532
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4488
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3656
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:704
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2360
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4428
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3336
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3312
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1764
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:1908
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5644
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:1640
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5312
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:2632
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  PID:1800
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:5756
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:2764
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  - Launches sc.exe
  PID:4456
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:5536
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:4076
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:1488
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:2488
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  PID:5860
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:6012
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:3872
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:672
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  PID:3236
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:632
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  - Launches sc.exe
  PID:6020
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  PID:3912
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:4516
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:3996
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  - Launches sc.exe
  PID:3848
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:2112
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  PID:5784
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:5396
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:1204
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  PID:4016
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  - Launches sc.exe
  PID:1604
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:5316
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:5500
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4404
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4396
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:4832
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:5428
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:3044
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:5864
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4676
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:4708
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  PID:3376
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:5008
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:3608
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:2284
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:5180
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:2816
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  PID:2916
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  - Launches sc.exe
  PID:2836
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:3460
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:5668
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:4464
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:1436
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:3324
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:3336
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  - Launches sc.exe
  PID:5072
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:2416
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:892
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5112
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  - Launches sc.exe
  PID:3908
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4688
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  PID:5312
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:4020
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:1800
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:5756
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:2764
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:1804
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:5836
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:3648
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:5284
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:1412
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:2556
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:5524
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:2912
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:6012
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:3872
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:5828
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:3236
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:632
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:6020
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  - Launches sc.exe
  PID:2132
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:3632
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:2920
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:4120
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:3848
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:640
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:2192
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:5912
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:4016
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:3136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:3056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:5580
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:4652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:5560
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:2340
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:2392
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:2288
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:2056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:3828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:3376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:3728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:2684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:4604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:5632
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:5180
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:5808
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:4896
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:400
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:924
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:6016
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:3656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:3472
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:4552
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:3700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:3324
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:6028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:1728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:4624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:1908
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:2148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:1640
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:4688
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:2632
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:3112
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:3164
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:5756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:2712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:3648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:5832
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:4180
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:5524
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:4620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:4576
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:3988
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:3236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:3912
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:1320
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:4968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:3996
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:4512
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:5784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:5396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:4680
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:1456
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:2960
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:1744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:1032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:4092
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:1336
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:5356
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:5428
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:3044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:5236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:5864
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:4948
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:5844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:368
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:2288
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:2056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:3828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:3376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:3728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:2684
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4604
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:2316
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:5484
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  - Launches sc.exe
  PID:2836
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:4280
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:6016
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:704
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:3472
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:5568
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:3336
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  PID:3324
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  PID:6076
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:2416
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4624
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1908
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2148
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:1640
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4688
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5756
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:5836
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:5488
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:1412
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:1216
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:768
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:6012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:3872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:3968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:2984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:6020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:2132
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:1124
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:2680
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:1568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:3848
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:640
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:5396
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:5912
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:4016
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:2280
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:212
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:4396
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:4532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:4092
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:1336
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5356
- C:\Windows\system32\sc.exe
  sc config BTAGService start= disabled
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config bthserv start= disabled
  2⤵
  PID:2392
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5236
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5864
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:2384
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:5508
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:4540
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:3392
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:3532
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:2056
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:4908
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:3608
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:2684
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:4604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:5004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:4896
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:552
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3088
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:400
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5540
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4280
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:6004
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3428
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3412
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:3844
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:3656
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  - Launches sc.exe
  PID:6136
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:2896
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:2880
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:2296
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:4984
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  - Launches sc.exe
  PID:3892
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:812
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3312
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:1764
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:2416
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:2788
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:5112
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:5552
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:5312
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:4020
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:2632
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  PID:1800
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:4636
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:1804
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:4076
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  - Launches sc.exe
  PID:5284
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:2556
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1412
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:4180
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:5524
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  PID:5828
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:3952
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:5612
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  - Launches sc.exe
  PID:2984
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:4516
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:3912
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:4968
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:3996
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:3252
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  PID:3848
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:1948
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:5468
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:6068
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:5052
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:6108
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:1952
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:4628
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:4724
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:2016
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:3564
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:5556
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:640
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  PID:2096
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:5912
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  - Launches sc.exe
  PID:628
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=disabled
  2⤵
  PID:2956
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5544
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:212
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:3056
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:4944
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:4832
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:5560
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:2476
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  - Launches sc.exe
  PID:2236
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:5356
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4776
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  PID:888
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  PID:1268
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  PID:2384
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  PID:5508
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:4540
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:3392
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:4360
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3828
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:3376
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:3728
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:5308
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:4564
- C:\Windows\system32\sc.exe
  sc config "Intel(R) Platform License Manager Service" start=disabled
  2⤵
  PID:4800
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:2316
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:4604
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:5004
- C:\Windows\system32\sc.exe
  sc config esifsvc start=disabled
  2⤵
  PID:2836
- C:\Windows\system32\sc.exe
  sc config LMS start=disabled
  2⤵
  PID:868
- C:\Windows\system32\sc.exe
  sc config ibtsiva start=disabled
  2⤵
  PID:4372
- C:\Windows\system32\sc.exe
  sc config IntelAudioService start=disabled
  2⤵
  PID:924
- C:\Windows\system32\sc.exe
  sc config "Intel(R) Capability Licensing Service TCP IP Interface" start=disabled
  2⤵
  PID:388
- C:\Windows\system32\sc.exe
  sc config cphs start=disabled
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc config DSAService start=disabled
  2⤵
  PID:6084
- C:\Windows\system32\sc.exe
  sc config DSAUpdateService start=disabled
  2⤵
  PID:5668
- C:\Windows\system32\sc.exe
  sc config igfxCUIService2.0.0.0 start=disabled
  2⤵
  PID:844
- C:\Windows\system32\sc.exe
  sc config RstMwService start=disabled
  2⤵
  PID:3916
- C:\Windows\system32\sc.exe
  sc config "Intel(R) SUR QC SAM" start=disabled
  2⤵
  PID:2216
- C:\Windows\system32\sc.exe
  sc config SystemUsageReportSvc_QUEENCREEK start=disabled
  2⤵
  PID:4184
- C:\Windows\system32\sc.exe
  sc config iaStorAfsService start=disabled
  2⤵
  PID:3412
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2884
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Sound\Sound.bat"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:2848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Oneclick Tools.zip

Filesize
1.7MB

MD5
517b76cba1c1b12ec146a60a2745b28e

SHA1
0a867eac3a9fe1cba33542fd1184fc08ac8ca609

SHA256
c0f0d33d18d79c58d0956a5057ec26407d50bebb8960514ceb88d7fb7fb2502b

SHA512
be3215579c6330225640bbae1fa1569f836ba04aad9f4e85b7449de01b076940a9a45abd14b2783a143b51d393f52784894a7fae4a9d527431f804e15635bcb6

Download Submit
C:\Oneclick Tools\NSudo\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Oneclick Tools\OOshutup10\OOSU10.exe

Filesize
1.9MB

MD5
4803e06db91fdb8b6d1b65c0010d2f87

SHA1
f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c

SHA256
beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b

SHA512
f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Download Submit
C:\Oneclick Tools\OOshutup10\QuakedOOshutup10.cfg

Filesize
2KB

MD5
109f47ced5da3f92362c49069fc4624e

SHA1
79b611073aa0006f1bb4058a6ecb6f3cc97391d6

SHA256
2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b

SHA512
55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ad081b7830221ecc8e1c0e4500a0d7d

SHA1
255fa66a9cbca38f52939c0e7fc6ac73630224c5

SHA256
240019dd73fd6eeabc8ec488afa8ad119615e27112c1db273426512e847441a7

SHA512
1a5e5c25894c97e6af8468d7785148229e00d60a2be94b2b4a3a1d92ff47f52173cc968a12d586beb76df4e2ae5cf699297dd8aa7fb9ab94851b2afc8a1347c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d99413249b71ee2ef1c49f81cc8313dc

SHA1
4c2c6cfe223bb3ec87ce28278975ac39d28dfaf6

SHA256
d4e5a6ad3f490cc02760beb14d9050cafc5bc2f9da93d35909e49fd2674c907f

SHA512
69dfed07fa0d31a7524821320a51e4842716ddec52c0f2db7c360658d0f0cf71fc5695129e819958da3717e2b57aac2f1bbd7936971d597539f1ef08bec281c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74bf150c6cd6428750ca51cae773465c

SHA1
ce58ffa3cfdbc55208dd790b445c976180b0c9a1

SHA256
90f99570f6fdf26e6d67470a06e2cef75acdda1be27d949a288733b48e8b3ca1

SHA512
42ddb923999851b4a030d3d261e01121657cb73673c69732f116f155053a0ad6392c42925ce7010e6a66f00a9b2e73e2aaa965c32c9dfcaee7b2246d891bbbb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a1b56b20f83d2f965bbf9bd3df1d292e

SHA1
64807ec883c3749eac8d3d35c1102cee51efeb81

SHA256
72fbb95768e0515a0fe75eb5adebcc3f2bbeb3830bafeeec25853cdcdc16ba3c

SHA512
42e92ceff40c6fdca553b80daed612a6832920ade9e714cdd06e9c0c50fafd1ccb8d6e69c20382117c3524ab79efe93a4f1884ee4915e4494510c298359eb4df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64279fe9334e41a53c2c2f7d8d54e74c

SHA1
b34c6930f724c1b97be5c6260b3096b616906fd2

SHA256
8bfb5fab88fe830d8afccad0f21429872152c99db9558fbae836585cf35e18ab

SHA512
315f0974b7ba4067ae14df88fc5cb53778910d6956e30565122770593e9c0e163873c44dd975404d1dd3767da5693ad51c99da8b68fdfe34a069519d59040e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9771fc25c7a329c2540f34dca03d23cb

SHA1
02c5b763e771f40480b242fd7dd394bef49b81aa

SHA256
d8a88cbc03aff0c0b61ddabbcf6d17cb4d4a0909c8694dedaaeeaee284bc20c6

SHA512
96d8be4d139720fb4456581ab509bca09e29d8cc3ba99836dee780bed64a9f736a17d2fa4409dbe8a751d579eebb9382e93b34fb3134177d541e6d8a7ac61871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59583cecd69c4401d92a7a17a16f194b

SHA1
6134e6c5ec66c755f1537dd984c66b293a207a46

SHA256
b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6

SHA512
084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2419d068e09423d5e7edec9bb8010870

SHA1
445b4a6ebefa37ee91ff5a18a3b8e6ae6af40fba

SHA256
d308e6cb382517e03b6773d345b2e68e57fe80ce636901ab95da87ba29d6c0ac

SHA512
053cb92ad73f842f22200dd39082a22474277816b1de63a722b881225218849e1d5038fe3caec8f2067c5e6ab593917d1ad7278038c154077e7e2b14d72f3264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7f00a84a68ed7ecf5254fcc7756506bf

SHA1
4b09561a6632adab087f79952fced1c720e55aef

SHA256
cd78071274be660a438a727b731ef9f7478ba29acc428ee1fd96547fdafeb2ef

SHA512
d679fb072cf204f67332795c623bbafe6f2c9378116b24224b95c7b942dbcaa282e517d38a7d73dc6e84773bd9d0ba3860258b124989635199165825b9f7d1e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svys0d5f.caf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/428-202-0x000001D40AF60000-0x000001D40AF70000-memory.dmp

Filesize
64KB

Download
memory/428-199-0x000001D40AF30000-0x000001D40AF40000-memory.dmp

Filesize
64KB

Download
memory/428-206-0x000001D410420000-0x000001D410421000-memory.dmp

Filesize
4KB

Download
memory/3348-17-0x00007FFC453C0000-0x00007FFC45E81000-memory.dmp

Filesize
10.8MB

Download
memory/3348-29-0x00007FFC453C0000-0x00007FFC45E81000-memory.dmp

Filesize
10.8MB

Download
memory/3844-12-0x00007FFC453C0000-0x00007FFC45E81000-memory.dmp

Filesize
10.8MB

Download
memory/3844-15-0x00007FFC453C0000-0x00007FFC45E81000-memory.dmp

Filesize
10.8MB

Download
memory/3844-0-0x00007FFC453C3000-0x00007FFC453C5000-memory.dmp

Filesize
8KB

Download
memory/3844-11-0x000001D9EEC50000-0x000001D9EEC72000-memory.dmp

Filesize
136KB

Download
memory/3844-6-0x00007FFC453C0000-0x00007FFC45E81000-memory.dmp

Filesize
10.8MB

Download
memory/4396-195-0x000001DB6D940000-0x000001DB6D9FA000-memory.dmp

Filesize
744KB

Download
memory/4396-194-0x000001DB6CF40000-0x000001DB6CF5A000-memory.dmp

Filesize
104KB

Download
memory/4396-193-0x000001DB6D7B0000-0x000001DB6D856000-memory.dmp

Filesize
664KB

Download
memory/4396-192-0x000001DB6B5C0000-0x000001DB6B5EC000-memory.dmp

Filesize
176KB

Download
memory/4396-191-0x000001DB6B040000-0x000001DB6B230000-memory.dmp

Filesize
1.9MB

Download
memory/4668-140-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-147-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-148-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-150-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-151-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-152-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-149-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-146-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-141-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/4668-142-0x000001D057DE0000-0x000001D057DE1000-memory.dmp

Filesize
4KB

Download
memory/5860-175-0x000001DD6BD30000-0x000001DD6BD54000-memory.dmp

Filesize
144KB

Download
memory/5860-174-0x000001DD6BD30000-0x000001DD6BD5A000-memory.dmp

Filesize
168KB

Download