ac15a0eb8c6a0d3d7e0be6fbe0a04644c062ccb75a94bf8834fd408ddaf28cfd

Analysis

max time kernel
24s
max time network
25s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
27/03/2025, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Conker Free V6/Conker Free V6.bat
Size

52KB
MD5

a537c8161217658e89e33e65b10013c3
SHA1

4db5ff98a4dd5e204e62c931abe4d6e93216056d
SHA256

81f573be0965af9805a28f8058e3f97585dde42243dd86516a124feba33ab0fe
SHA512

076172cf30a61b7277c931a720138aafb5f7fa765b4df8bd5e0fccb40b0ce83e69626dbfac7334ee0e002bce7a27727a80fe68d7cb075573fb3e6cbdc803e539
SSDEEP

1536:etgaG0N4EpmYqIkYQMTkQdb0MQwikweKQThSuVG:etgaG0N4imYqIkYQMTkQd0MQwikweKQu

Score

10^/10

defense_evasion discovery execution exploit

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
1236	takeown.exe
4760	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4760	icacls.exe
1236	takeown.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5692	powershell.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2440	sc.exe
2428	sc.exe
1544	sc.exe
3220	sc.exe
1484	sc.exe
3276	sc.exe
796	sc.exe
3716	sc.exe
332	sc.exe
4636	sc.exe
1564	sc.exe
4928	sc.exe
2008	sc.exe
4164	sc.exe
4692	sc.exe
5056	sc.exe
4340	sc.exe
2512	sc.exe
2052	sc.exe
4924	sc.exe
4020	sc.exe
4540	sc.exe
2340	sc.exe
2832	sc.exe
1676	sc.exe
2292	sc.exe
5320	sc.exe
3580	sc.exe
1548	sc.exe
3620	sc.exe
5384	sc.exe
788	sc.exe
336	sc.exe
1080	sc.exe
4216	sc.exe
2212	sc.exe
6004	sc.exe
3592	sc.exe
1804	sc.exe
4316	sc.exe
3872	sc.exe
2720	sc.exe
5148	sc.exe
2228	sc.exe
1568	sc.exe
1652	sc.exe
3684	sc.exe
4268	sc.exe
944	sc.exe
3664	sc.exe
2728	sc.exe
4952	sc.exe
4296	sc.exe
3584	sc.exe
1628	sc.exe
1560	sc.exe
3164	sc.exe
5616	sc.exe
2868	sc.exe
5828	sc.exe
2576	sc.exe
3256	sc.exe
1748	sc.exe
1168	sc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000059a4098a21d1e3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000059a4098a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090059a4098a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d59a4098a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000059a4098a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5692	powershell.exe
5692	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	5692	powershell.exe
Token: SeBackupPrivilege	2224	vssvc.exe
Token: SeRestorePrivilege	2224	vssvc.exe
Token: SeAuditPrivilege	2224	vssvc.exe
Token: SeBackupPrivilege	696	srtasks.exe
Token: SeRestorePrivilege	696	srtasks.exe
Token: SeSecurityPrivilege	696	srtasks.exe
Token: SeTakeOwnershipPrivilege	696	srtasks.exe
Token: SeBackupPrivilege	696	srtasks.exe
Token: SeRestorePrivilege	696	srtasks.exe
Token: SeSecurityPrivilege	696	srtasks.exe
Token: SeTakeOwnershipPrivilege	696	srtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5884 wrote to memory of 2292	5884	cmd.exe	79
PID 5884 wrote to memory of 2292	5884	cmd.exe	79
PID 5884 wrote to memory of 5692	5884	cmd.exe	80
PID 5884 wrote to memory of 5692	5884	cmd.exe	80
PID 5884 wrote to memory of 2440	5884	cmd.exe	88
PID 5884 wrote to memory of 2440	5884	cmd.exe	88
PID 5884 wrote to memory of 5236	5884	cmd.exe	89
PID 5884 wrote to memory of 5236	5884	cmd.exe	89
PID 5884 wrote to memory of 5216	5884	cmd.exe	90
PID 5884 wrote to memory of 5216	5884	cmd.exe	90
PID 5884 wrote to memory of 5148	5884	cmd.exe	91
PID 5884 wrote to memory of 5148	5884	cmd.exe	91
PID 5884 wrote to memory of 5156	5884	cmd.exe	92
PID 5884 wrote to memory of 5156	5884	cmd.exe	92
PID 5884 wrote to memory of 4544	5884	cmd.exe	93
PID 5884 wrote to memory of 4544	5884	cmd.exe	93
PID 5884 wrote to memory of 1396	5884	cmd.exe	94
PID 5884 wrote to memory of 1396	5884	cmd.exe	94
PID 5884 wrote to memory of 1744	5884	cmd.exe	95
PID 5884 wrote to memory of 1744	5884	cmd.exe	95
PID 5884 wrote to memory of 4020	5884	cmd.exe	96
PID 5884 wrote to memory of 4020	5884	cmd.exe	96
PID 5884 wrote to memory of 5740	5884	cmd.exe	97
PID 5884 wrote to memory of 5740	5884	cmd.exe	97
PID 5884 wrote to memory of 4268	5884	cmd.exe	98
PID 5884 wrote to memory of 4268	5884	cmd.exe	98
PID 5884 wrote to memory of 2472	5884	cmd.exe	99
PID 5884 wrote to memory of 2472	5884	cmd.exe	99
PID 5884 wrote to memory of 5332	5884	cmd.exe	100
PID 5884 wrote to memory of 5332	5884	cmd.exe	100
PID 5884 wrote to memory of 6104	5884	cmd.exe	101
PID 5884 wrote to memory of 6104	5884	cmd.exe	101
PID 5884 wrote to memory of 4652	5884	cmd.exe	102
PID 5884 wrote to memory of 4652	5884	cmd.exe	102
PID 5884 wrote to memory of 3584	5884	cmd.exe	103
PID 5884 wrote to memory of 3584	5884	cmd.exe	103
PID 5884 wrote to memory of 3256	5884	cmd.exe	104
PID 5884 wrote to memory of 3256	5884	cmd.exe	104
PID 5884 wrote to memory of 2496	5884	cmd.exe	105
PID 5884 wrote to memory of 2496	5884	cmd.exe	105
PID 5884 wrote to memory of 4540	5884	cmd.exe	106
PID 5884 wrote to memory of 4540	5884	cmd.exe	106
PID 5884 wrote to memory of 2744	5884	cmd.exe	107
PID 5884 wrote to memory of 2744	5884	cmd.exe	107
PID 5884 wrote to memory of 1976	5884	cmd.exe	108
PID 5884 wrote to memory of 1976	5884	cmd.exe	108
PID 5884 wrote to memory of 2416	5884	cmd.exe	109
PID 5884 wrote to memory of 2416	5884	cmd.exe	109
PID 5884 wrote to memory of 2408	5884	cmd.exe	110
PID 5884 wrote to memory of 2408	5884	cmd.exe	110
PID 5884 wrote to memory of 6080	5884	cmd.exe	111
PID 5884 wrote to memory of 6080	5884	cmd.exe	111
PID 5884 wrote to memory of 2428	5884	cmd.exe	112
PID 5884 wrote to memory of 2428	5884	cmd.exe	112
PID 5884 wrote to memory of 5088	5884	cmd.exe	113
PID 5884 wrote to memory of 5088	5884	cmd.exe	113
PID 5884 wrote to memory of 2720	5884	cmd.exe	114
PID 5884 wrote to memory of 2720	5884	cmd.exe	114
PID 5884 wrote to memory of 2484	5884	cmd.exe	115
PID 5884 wrote to memory of 2484	5884	cmd.exe	115
PID 5884 wrote to memory of 5384	5884	cmd.exe	116
PID 5884 wrote to memory of 5384	5884	cmd.exe	116
PID 5884 wrote to memory of 2228	5884	cmd.exe	117
PID 5884 wrote to memory of 2228	5884	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Conker Free V6\Conker Free V6.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5884
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Checkpoint-Computer -Description 'Conker Restore' -RestorePointType 'MODIFY_SETTINGS'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5692
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  - Launches sc.exe
  PID:2440
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:5236
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:5216
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:5148
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:5156
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:4544
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:1396
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:1744
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4020
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:5740
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  - Launches sc.exe
  PID:4268
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:2472
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:5332
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:6104
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:4652
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  - Launches sc.exe
  PID:3584
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  - Launches sc.exe
  PID:3256
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:2496
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4540
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:2744
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  PID:1976
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:2416
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:2408
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:6080
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:5088
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:2484
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  - Launches sc.exe
  PID:5384
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  - Launches sc.exe
  PID:2228
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:5352
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  PID:1076
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:5892
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:4956
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:3796
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3716
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:5400
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:4080
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:4128
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  - Launches sc.exe
  PID:788
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:2900
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  - Launches sc.exe
  PID:944
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:3956
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:4936
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:396
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:4232
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  - Launches sc.exe
  PID:1628
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:336
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  - Launches sc.exe
  PID:332
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:4992
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  - Launches sc.exe
  PID:1748
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:1208
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1504
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /fd
  2⤵
  PID:388
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:5860
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2756
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1432
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5960
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3524
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:4560
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:5708
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2104
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:2184
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1388
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:3668
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:5588
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  PID:408
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2340
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  - Launches sc.exe
  PID:5320
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:1164
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:3136
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:1176
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:4524
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  - Launches sc.exe
  PID:3664
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  - Launches sc.exe
  PID:3580
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  - Launches sc.exe
  PID:4636
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:3820
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1544
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  PID:1104
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:6072
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:2044
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  - Launches sc.exe
  PID:2728
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:1496
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:1660
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5056
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  PID:5668
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:5304
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  - Launches sc.exe
  PID:2832
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  PID:4344
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  PID:2776
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:5888
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:2256
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:4424
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:1792
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:3324
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4316
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  - Launches sc.exe
  PID:3164
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:5660
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  - Launches sc.exe
  PID:1564
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:700
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5616
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  - Launches sc.exe
  PID:1080
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3592
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  - Launches sc.exe
  PID:2868
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:3148
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4340
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3220
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  - Launches sc.exe
  PID:4928
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:3696
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:4976
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:6120
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:3216
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:3144
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:5560
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  - Launches sc.exe
  PID:2008
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  - Launches sc.exe
  PID:4216
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  - Launches sc.exe
  PID:3872
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1548
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:5568
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  - Launches sc.exe
  PID:2512
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:1428
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:1912
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:2784
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:4612
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:3656
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:4204
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:6068
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  PID:4208
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:708
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:5684
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:3284
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:5300
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5828
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:3620
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:6004
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:3168
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:2752
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  - Launches sc.exe
  PID:2052
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:5656
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  - Launches sc.exe
  PID:1676
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:560
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:4764
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:2136
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1484
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2292
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:5940
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:2644
- C:\Windows\system32\sc.exe
  sc config DsmSvc start= disabled
  2⤵
  PID:4692
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start= disabled
  2⤵
  PID:712
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:4568
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:5876
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:5968
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:420
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:5124
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:5392
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:1184
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:2932
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:3800
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:2748
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:4732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:5184
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:5188
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:988
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:6036
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:392
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:5648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:4148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:5692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:4156
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:3976
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:4668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:2352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:4008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:5528
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:1028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:4556
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:6044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:5284
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:1368
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:4112
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:1684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:3472
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:3772
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:1348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:2440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:5228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:5308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:5204
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:5744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:3544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:1744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:5032
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:2996
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:2472
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:5332
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:3816
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:2972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:3256
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:2496
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:2468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:5500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:2416
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:2464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:2492
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:4680
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:3228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:2892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:2140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:2228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:5444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:5096
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:2060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:3796
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:3716
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:5400
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:4080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:4128
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:3968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:4792
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:4788
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:3208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:240
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:5316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:3156
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:4300
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:1748
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:3296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:3972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:2992
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:3676
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:1752
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:1308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:3516
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:4084
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:5428
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:5920
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:5868
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:2104
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:2808
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:4004
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:2168
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:6116
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:3096
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\system32\sc.exe
  sc stop ClipSVC
  2⤵
  PID:3576
- C:\Windows\system32\sc.exe
  sc config ClipSVC start= disabled
  2⤵
  PID:1164
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:6100
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:4524
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  PID:5856
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  PID:4116
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:1168
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:940
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1672
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5952
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5652
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1496
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1384
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5668
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5304
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:2024
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:1472
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:436
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:2256
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:4316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:3164
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:5660
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:4036
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:4016
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:3040
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:5344
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:2944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:3148
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:4988
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:4932
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:4924
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  - Launches sc.exe
  PID:4952
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:6020
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  - Launches sc.exe
  PID:4296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:1756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:4672
- C:\Windows\system32\sc.exe
  sc config BTAGService start= disabled
  2⤵
  - Launches sc.exe
  PID:4164
- C:\Windows\system32\sc.exe
  sc config bthserv start= disabled
  2⤵
  PID:3128
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:5432
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:1588
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:1548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:2460
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:1864
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:912
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:2784
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:3652
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  - Launches sc.exe
  PID:3276
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:6024
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:4208
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:4996
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:4336
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:1680
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:2212
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  - Launches sc.exe
  PID:1804
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  - Launches sc.exe
  PID:3620
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  - Launches sc.exe
  PID:6004
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:3168
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:2752
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  - Launches sc.exe
  PID:796
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:560
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1236
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4760
- C:\Windows\system32\sc.exe
  sc stop AJRouter
  2⤵
  PID:1484
- C:\Windows\system32\sc.exe
  sc config AJRouter start= disabled
  2⤵
  PID:2292
- C:\Windows\system32\sc.exe
  sc stop AppXSvc
  2⤵
  PID:3548
- C:\Windows\system32\sc.exe
  sc config AppXSvc start= disabled
  2⤵
  PID:760
- C:\Windows\system32\sc.exe
  sc stop ALG
  2⤵
  - Launches sc.exe
  PID:4692
- C:\Windows\system32\sc.exe
  sc config ALG start= disabled
  2⤵
  PID:3348
- C:\Windows\system32\sc.exe
  sc stop AppMgmt
  2⤵
  PID:4568
- C:\Windows\system32\sc.exe
  sc config AppMgmt start= disabled
  2⤵
  - Launches sc.exe
  PID:3684
- C:\Windows\system32\sc.exe
  sc stop tzautoupdate
  2⤵
  PID:3408
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:3492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjufsr52.jlx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/5692-0-0x00007FFD9EFF3000-0x00007FFD9EFF5000-memory.dmp

Filesize
8KB

Download
memory/5692-9-0x000001B935D50000-0x000001B935D72000-memory.dmp

Filesize
136KB

Download
memory/5692-10-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download
memory/5692-11-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download
memory/5692-12-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download
memory/5692-13-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download
memory/5692-14-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download
memory/5692-17-0x00007FFD9EFF0000-0x00007FFD9FAB2000-memory.dmp

Filesize
10.8MB

Download