Analysis Overview
SHA256
85c26e3f2b78fb7d4ddfba93247f5ad3543e16182380953bda0f44ed2ddec858
Threat Level: Known bad
The file Oneclick-V6.1.bat was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies security service
Disables service(s)
UAC bypass
Modifies boot configuration data using bcdedit
Stops running service(s)
Possible privilege escalation attempt
Modifies Installed Components in the registry
Registers COM server for autorun
Modifies file permissions
Enumerates connected drives
Adds Run key to start application
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Disables Windows logging functionality
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Modifies registry key
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Modifies registry class
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-25 08:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-25 08:30
Reported
2024-05-25 08:34
Platform
win10-20240404-en
Max time kernel
223s
Max time network
198s
Command Line
Signatures
Disables service(s)
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Windows\system32\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Stops running service(s)
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\System32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\System32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\30zlj_ | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\system32\reg.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-4106386276-4127174233-3637007343-1000_StartupInfo1.xml | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4106386276-4127174233-3637007343-1000_UserData.bin | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{8bdab5d0-a6c2-4366-adb2-8013df88ce48}\snapshot.etl | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{8bdab5d0-a6c2-4366-adb2-8013df88ce48}\snapshot.etl | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRU.chk | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRU.log | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | \??\c:\windows\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\Taskmgr.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\Taskmgr.exe | N/A |
Launches sc.exe
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\windows\system32\svchost.exe | N/A |
Delays execution with timeout.exe
Disables Windows logging functionality
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Kills process with taskkill
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\tcpip.sys,-10100 = "Internet Protocol Version 4 (TCP/IPv4)" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\tcpip.sys,-10108 = "Microsoft RDMA - NDK" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\System32\drivers\ndiscap.sys,-5000 = "Microsoft NDIS Capture" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%systemroot%\system32\srvsvc.dll,-109 = "File and Printer Sharing for Microsoft Networks" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\tcpip.sys,-10102 = "Internet Protocol Version 6 (TCP/IPv6)" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\mslldp.sys,-211 = "Microsoft LLDP Protocol Driver" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\mprmsg.dll,-32015 = "Point to Point Protocol Over Ethernet" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\drivers\ndisuio.sys,-501 = "NDIS Usermode I/O Protocol" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%systemroot%\system32\wkssvc.dll,-1010 = "Client for Microsoft Networks" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\System32\drivers\wfplwfs.sys,-6006 = "WFP Native MAC Layer LightWeight Filter" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\System32\drivers\wfplwfs.sys,-6005 = "WFP 802.3 MAC Layer LightWeight Filter" | \??\c:\windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\drivers\netbios.sys,-501 = "NetBIOS Interface" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\drivers\netbt.sys,-3 = "WINS Client(TCP/IP) Protocol" | \??\c:\windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065728993929" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.1.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
C:\Windows\system32\powercfg.exe
powercfg.exe /hibernate off
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc config HomeGroupListener start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupProvider start=demand
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\sc.exe
sc config AJRouter start=disabled
C:\Windows\system32\sc.exe
sc config ALG start=demand
C:\Windows\system32\sc.exe
sc config AppIDSvc start=demand
C:\Windows\system32\sc.exe
sc config AppMgmt start=demand
C:\Windows\system32\sc.exe
sc config AppReadiness start=demand
C:\Windows\system32\sc.exe
sc config AppVClient start=disabled
C:\Windows\system32\sc.exe
sc config AppXSvc start=demand
C:\Windows\system32\sc.exe
sc config Appinfo start=demand
C:\Windows\system32\sc.exe
sc config AssignedAccessManagerSvc start=disabled
C:\Windows\system32\sc.exe
sc config AudioEndpointBuilder start=auto
C:\Windows\system32\sc.exe
sc config AudioSrv start=auto
C:\Windows\system32\sc.exe
sc config Audiosrv start=auto
C:\Windows\system32\sc.exe
sc config AxInstSV start=demand
C:\Windows\system32\sc.exe
sc config BDESVC start=demand
C:\Windows\system32\sc.exe
sc config BFE start=auto
C:\Windows\system32\sc.exe
sc config BITS start=delayed-auto
C:\Windows\system32\sc.exe
sc config BTAGService start=demand
C:\Windows\system32\sc.exe
sc config BcastDVRUserService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config BluetoothUserService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config BrokerInfrastructure start=auto
C:\Windows\system32\sc.exe
sc config Browser start=demand
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start=auto
C:\Windows\system32\sc.exe
sc config BthHFSrv start=auto
C:\Windows\system32\sc.exe
sc config CDPSvc start=demand
C:\Windows\system32\sc.exe
sc config CDPUserSvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config COMSysApp start=demand
C:\Windows\system32\sc.exe
sc config CaptureService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CertPropSvc start=demand
C:\Windows\system32\sc.exe
sc config ClipSVC start=demand
C:\Windows\system32\sc.exe
sc config ConsentUxUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CoreMessagingRegistrar start=auto
C:\Windows\system32\sc.exe
sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CryptSvc start=auto
C:\Windows\system32\sc.exe
sc config CscService start=demand
C:\Windows\system32\sc.exe
sc config DPS start=auto
C:\Windows\system32\sc.exe
sc config DcomLaunch start=auto
C:\Windows\system32\sc.exe
sc config DcpSvc start=demand
C:\Windows\system32\sc.exe
sc config DevQueryBroker start=demand
C:\Windows\system32\sc.exe
sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config DeviceAssociationService start=demand
C:\Windows\system32\sc.exe
sc config DeviceInstall start=demand
C:\Windows\system32\sc.exe
sc config DevicePickerUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config Dhcp start=auto
C:\Windows\system32\sc.exe
sc config DiagTrack start=disabled
C:\Windows\system32\sc.exe
sc config DialogBlockingService start=disabled
C:\Windows\system32\sc.exe
sc config DispBrokerDesktopSvc start=auto
C:\Windows\system32\sc.exe
sc config DisplayEnhancementService start=demand
C:\Windows\system32\sc.exe
sc config DmEnrollmentSvc start=demand
C:\Windows\system32\sc.exe
sc config Dnscache start=auto
C:\Windows\system32\sc.exe
sc config DoSvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config DsSvc start=demand
C:\Windows\system32\sc.exe
sc config DsmSvc start=demand
C:\Windows\system32\sc.exe
sc config DusmSvc start=auto
C:\Windows\system32\sc.exe
sc config EFS start=demand
C:\Windows\system32\sc.exe
sc config EapHost start=demand
C:\Windows\system32\sc.exe
sc config EntAppSvc start=demand
C:\Windows\system32\sc.exe
sc config EventLog start=auto
C:\Windows\system32\sc.exe
sc config EventSystem start=auto
C:\Windows\system32\sc.exe
sc config FDResPub start=demand
C:\Windows\system32\sc.exe
sc config Fax start=demand
C:\Windows\system32\sc.exe
sc config FontCache start=auto
C:\Windows\system32\sc.exe
sc config FrameServer start=demand
C:\Windows\system32\sc.exe
sc config FrameServerMonitor start=demand
C:\Windows\system32\sc.exe
sc config GraphicsPerfSvc start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupListener start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupProvider start=demand
C:\Windows\system32\sc.exe
sc config HvHost start=demand
C:\Windows\system32\sc.exe
sc config IEEtwCollectorService start=demand
C:\Windows\system32\sc.exe
sc config IKEEXT start=demand
C:\Windows\system32\sc.exe
sc config InstallService start=demand
C:\Windows\system32\sc.exe
sc config InventorySvc start=demand
C:\Windows\system32\sc.exe
sc config IpxlatCfgSvc start=demand
C:\Windows\system32\sc.exe
sc config KeyIso start=auto
C:\Windows\system32\sc.exe
sc config KtmRm start=demand
C:\Windows\system32\sc.exe
sc config LSM start=auto
C:\Windows\system32\sc.exe
sc config LanmanServer start=auto
C:\Windows\system32\sc.exe
sc config LanmanWorkstation start=auto
C:\Windows\system32\sc.exe
sc config LicenseManager start=demand
C:\Windows\system32\sc.exe
sc config LxpSvc start=demand
C:\Windows\system32\sc.exe
sc config MSDTC start=demand
C:\Windows\system32\sc.exe
sc config MSiSCSI start=demand
C:\Windows\system32\sc.exe
sc config MapsBroker start=delayed-auto
C:\Windows\system32\sc.exe
sc config McpManagementService start=demand
C:\Windows\system32\sc.exe
sc config MessagingService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config MicrosoftEdgeElevationService start=demand
C:\Windows\system32\sc.exe
sc config MixedRealityOpenXRSvc start=demand
C:\Windows\system32\sc.exe
sc config MpsSvc start=auto
C:\Windows\system32\sc.exe
sc config MsKeyboardFilter start=demand
C:\Windows\system32\sc.exe
sc config NPSMSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config NaturalAuthentication start=demand
C:\Windows\system32\sc.exe
sc config NcaSvc start=demand
C:\Windows\system32\sc.exe
sc config NcbService start=demand
C:\Windows\system32\sc.exe
sc config NcdAutoSetup start=demand
C:\Windows\system32\sc.exe
sc config NetSetupSvc start=demand
C:\Windows\system32\sc.exe
sc config NetTcpPortSharing start=disabled
C:\Windows\system32\sc.exe
sc config Netlogon start=demand
C:\Windows\system32\sc.exe
sc config Netman start=demand
C:\Windows\system32\sc.exe
sc config NgcCtnrSvc start=demand
C:\Windows\system32\sc.exe
sc config NgcSvc start=demand
C:\Windows\system32\sc.exe
sc config NlaSvc start=demand
C:\Windows\system32\sc.exe
sc config OneSyncSvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config P9RdrService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PNRPAutoReg start=demand
C:\Windows\system32\sc.exe
sc config PNRPsvc start=demand
C:\Windows\system32\sc.exe
sc config PcaSvc start=demand
C:\Windows\system32\sc.exe
sc config PeerDistSvc start=demand
C:\Windows\system32\sc.exe
sc config PenService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PerfHost start=demand
C:\Windows\system32\sc.exe
sc config PhoneSvc start=demand
C:\Windows\system32\sc.exe
sc config PimIndexMaintenanceSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PlugPlay start=demand
C:\Windows\system32\sc.exe
sc config PolicyAgent start=demand
C:\Windows\system32\sc.exe
sc config Power start=auto
C:\Windows\system32\sc.exe
sc config PrintNotify start=demand
C:\Windows\system32\sc.exe
sc config PrintWorkflowUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config ProfSvc start=auto
C:\Windows\system32\sc.exe
sc config PushToInstall start=demand
C:\Windows\system32\sc.exe
sc config QWAVE start=demand
C:\Windows\system32\sc.exe
sc config RasAuto start=demand
C:\Windows\system32\sc.exe
sc config RasMan start=demand
C:\Windows\system32\sc.exe
sc config RemoteAccess start=disabled
C:\Windows\system32\sc.exe
sc config RemoteRegistry start=disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=demand
C:\Windows\system32\sc.exe
sc config RmSvc start=demand
C:\Windows\system32\sc.exe
sc config RpcEptMapper start=auto
C:\Windows\system32\sc.exe
sc config RpcLocator start=demand
C:\Windows\system32\sc.exe
sc config RpcSs start=auto
C:\Windows\system32\sc.exe
sc config SCPolicySvc start=demand
C:\Windows\system32\sc.exe
sc config SCardSvr start=demand
C:\Windows\system32\sc.exe
sc config SDRSVC start=demand
C:\Windows\system32\sc.exe
sc config SEMgrSvc start=demand
C:\Windows\system32\sc.exe
sc config SENS start=auto
C:\Windows\system32\sc.exe
sc config SNMPTRAP start=demand
C:\Windows\system32\sc.exe
sc config SNMPTrap start=demand
C:\Windows\system32\sc.exe
sc config SSDPSRV start=demand
C:\Windows\system32\sc.exe
sc config SamSs start=auto
C:\Windows\system32\sc.exe
sc config ScDeviceEnum start=demand
C:\Windows\system32\sc.exe
sc config Schedule start=auto
C:\Windows\system32\sc.exe
sc config SecurityHealthService start=demand
C:\Windows\system32\sc.exe
sc config Sense start=demand
C:\Windows\system32\sc.exe
sc config SensorDataService start=demand
C:\Windows\system32\sc.exe
sc config SensorService start=demand
C:\Windows\system32\sc.exe
sc config SensrSvc start=demand
C:\Windows\system32\sc.exe
sc config SessionEnv start=demand
C:\Windows\system32\sc.exe
sc config SgrmBroker start=auto
C:\Windows\system32\sc.exe
sc config SharedAccess start=demand
C:\Windows\system32\sc.exe
sc config SharedRealitySvc start=demand
C:\Windows\system32\sc.exe
sc config ShellHWDetection start=auto
C:\Windows\system32\sc.exe
sc config SmsRouter start=demand
C:\Windows\system32\sc.exe
sc config Spooler start=auto
C:\Windows\system32\sc.exe
sc config SstpSvc start=demand
C:\Windows\system32\sc.exe
sc config StateRepository start=demand
C:\Windows\system32\sc.exe
sc config StiSvc start=demand
C:\Windows\system32\sc.exe
sc config StorSvc start=demand
C:\Windows\system32\sc.exe
sc config SysMain start=auto
C:\Windows\system32\sc.exe
sc config SystemEventsBroker start=auto
C:\Windows\system32\sc.exe
sc config TabletInputService start=demand
C:\Windows\system32\sc.exe
sc config TapiSrv start=demand
C:\Windows\system32\sc.exe
sc config TermService start=auto
C:\Windows\system32\sc.exe
sc config TextInputManagementService start=demand
C:\Windows\system32\sc.exe
sc config Themes start=auto
C:\Windows\system32\sc.exe
sc config TieringEngineService start=demand
C:\Windows\system32\sc.exe
sc config TimeBroker start=demand
C:\Windows\system32\sc.exe
sc config TimeBrokerSvc start=demand
C:\Windows\system32\sc.exe
sc config TokenBroker start=demand
C:\Windows\system32\sc.exe
sc config TrkWks start=auto
C:\Windows\system32\sc.exe
sc config TroubleshootingSvc start=demand
C:\Windows\system32\sc.exe
sc config TrustedInstaller start=demand
C:\Windows\system32\sc.exe
sc config UI0Detect start=demand
C:\Windows\system32\sc.exe
sc config UdkUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UevAgentService start=disabled
C:\Windows\system32\sc.exe
sc config UmRdpService start=demand
C:\Windows\system32\sc.exe
sc config UnistoreSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UserDataSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UserManager start=auto
C:\Windows\system32\sc.exe
sc config UsoSvc start=demand
C:\Windows\system32\sc.exe
sc config VGAuthService start=auto
C:\Windows\system32\sc.exe
sc config VMTools start=auto
C:\Windows\system32\sc.exe
sc config VSS start=demand
C:\Windows\system32\sc.exe
sc config VacSvc start=demand
C:\Windows\system32\sc.exe
sc config VaultSvc start=auto
C:\Windows\system32\sc.exe
sc config W32Time start=demand
C:\Windows\system32\sc.exe
sc config WEPHOSTSVC start=demand
C:\Windows\system32\sc.exe
sc config WFDSConMgrSvc start=demand
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start=demand
C:\Windows\system32\sc.exe
sc config WManSvc start=demand
C:\Windows\system32\sc.exe
sc config WPDBusEnum start=demand
C:\Windows\system32\sc.exe
sc config WSService start=demand
C:\Windows\system32\sc.exe
sc config WSearch start=delayed-auto
C:\Windows\system32\sc.exe
sc config WaaSMedicSvc start=demand
C:\Windows\system32\sc.exe
sc config WalletService start=demand
C:\Windows\system32\sc.exe
sc config WarpJITSvc start=demand
C:\Windows\system32\sc.exe
sc config WbioSrvc start=demand
C:\Windows\system32\sc.exe
sc config Wcmsvc start=auto
C:\Windows\system32\sc.exe
sc config WcsPlugInService start=demand
C:\Windows\system32\sc.exe
sc config WdNisSvc start=demand
C:\Windows\system32\sc.exe
sc config WdiServiceHost start=demand
C:\Windows\system32\sc.exe
sc config WdiSystemHost start=demand
C:\Windows\system32\sc.exe
sc config WebClient start=demand
C:\Windows\system32\sc.exe
sc config Wecsvc start=demand
C:\Windows\system32\sc.exe
sc config WerSvc start=demand
C:\Windows\system32\sc.exe
sc config WiaRpc start=demand
C:\Windows\system32\sc.exe
sc config WinDefend start=auto
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start=demand
C:\Windows\system32\sc.exe
sc config WinRM start=demand
C:\Windows\system32\sc.exe
sc config Winmgmt start=auto
C:\Windows\system32\sc.exe
sc config WlanSvc start=auto
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=demand
C:\Windows\system32\sc.exe
sc config WpnService start=demand
C:\Windows\system32\sc.exe
sc config WpnUserService_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config WwanSvc start=demand
C:\Windows\system32\sc.exe
sc config XblAuthManager start=demand
C:\Windows\system32\sc.exe
sc config XblGameSave start=demand
C:\Windows\system32\sc.exe
sc config XboxGipSvc start=demand
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start=demand
C:\Windows\system32\sc.exe
sc config autotimesvc start=demand
C:\Windows\system32\sc.exe
sc config bthserv start=demand
C:\Windows\system32\sc.exe
sc config camsvc start=demand
C:\Windows\system32\sc.exe
sc config cbdhsvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config cloudidsvc start=demand
C:\Windows\system32\sc.exe
sc config dcsvc start=demand
C:\Windows\system32\sc.exe
sc config defragsvc start=demand
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start=demand
C:\Windows\system32\sc.exe
sc config diagsvc start=demand
C:\Windows\system32\sc.exe
sc config dmwappushservice start=demand
C:\Windows\system32\sc.exe
sc config dot3svc start=demand
C:\Windows\system32\sc.exe
sc config edgeupdate start=demand
C:\Windows\system32\sc.exe
sc config edgeupdatem start=demand
C:\Windows\system32\sc.exe
sc config embeddedmode start=demand
C:\Windows\system32\sc.exe
sc config fdPHost start=demand
C:\Windows\system32\sc.exe
sc config fhsvc start=demand
C:\Windows\system32\sc.exe
sc config gpsvc start=auto
C:\Windows\system32\sc.exe
sc config hidserv start=demand
C:\Windows\system32\sc.exe
sc config icssvc start=demand
C:\Windows\system32\sc.exe
sc config iphlpsvc start=auto
C:\Windows\system32\sc.exe
sc config lfsvc start=demand
C:\Windows\system32\sc.exe
sc config lltdsvc start=demand
C:\Windows\system32\sc.exe
sc config lmhosts start=demand
C:\Windows\system32\sc.exe
sc config mpssvc start=auto
C:\Windows\system32\sc.exe
sc config msiserver start=demand
C:\Windows\system32\sc.exe
sc config netprofm start=demand
C:\Windows\system32\sc.exe
sc config nsi start=auto
C:\Windows\system32\sc.exe
sc config p2pimsvc start=demand
C:\Windows\system32\sc.exe
sc config p2psvc start=demand
C:\Windows\system32\sc.exe
sc config perceptionsimulation start=demand
C:\Windows\system32\sc.exe
sc config pla start=demand
C:\Windows\system32\sc.exe
sc config seclogon start=demand
C:\Windows\system32\sc.exe
sc config shpamsvc start=disabled
C:\Windows\system32\sc.exe
sc config smphost start=demand
C:\Windows\system32\sc.exe
sc config spectrum start=demand
C:\Windows\system32\sc.exe
sc config sppsvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config ssh-agent start=disabled
C:\Windows\system32\sc.exe
sc config svsvc start=demand
C:\Windows\system32\sc.exe
sc config swprv start=demand
C:\Windows\system32\sc.exe
sc config tiledatamodelsvc start=auto
C:\Windows\system32\sc.exe
sc config tzautoupdate start=disabled
C:\Windows\system32\sc.exe
sc config uhssvc start=disabled
C:\Windows\system32\sc.exe
sc config upnphost start=demand
C:\Windows\system32\sc.exe
sc config vds start=demand
C:\Windows\system32\sc.exe
sc config vm3dservice start=demand
C:\Windows\system32\sc.exe
sc config vmicguestinterface start=demand
C:\Windows\system32\sc.exe
sc config vmicheartbeat start=demand
C:\Windows\system32\sc.exe
sc config vmickvpexchange start=demand
C:\Windows\system32\sc.exe
sc config vmicrdv start=demand
C:\Windows\system32\sc.exe
sc config vmicshutdown start=demand
C:\Windows\system32\sc.exe
sc config vmictimesync start=demand
C:\Windows\system32\sc.exe
sc config vmicvmsession start=demand
C:\Windows\system32\sc.exe
sc config vmicvss start=demand
C:\Windows\system32\sc.exe
sc config vmvss start=demand
C:\Windows\system32\sc.exe
sc config wbengine start=demand
C:\Windows\system32\sc.exe
sc config wcncsvc start=demand
C:\Windows\system32\sc.exe
sc config webthreatdefsvc start=demand
C:\Windows\system32\sc.exe
sc config webthreatdefusersvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config wercplsupport start=demand
C:\Windows\system32\sc.exe
sc config wisvc start=demand
C:\Windows\system32\sc.exe
sc config wlidsvc start=demand
C:\Windows\system32\sc.exe
sc config wlpasvc start=demand
C:\Windows\system32\sc.exe
sc config wmiApSrv start=demand
C:\Windows\system32\sc.exe
sc config workfolderssvc start=demand
C:\Windows\system32\sc.exe
sc config wscsvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config wuauserv start=demand
C:\Windows\system32\sc.exe
sc config wudfsvc start=demand
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootmenupolicy Legacy
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
C:\Windows\system32\findstr.exe
findstr /r /c:"CurrentBuild"
C:\Windows\system32\Taskmgr.exe
taskmgr.exe
C:\Windows\system32\timeout.exe
timeout /t 2
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenonetwork -s DPS
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s WdiServiceHost
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic OS get TotalVisibleMemorySize | findstr /r /v "^$"
C:\Windows\System32\Wbem\WMIC.exe
wmic OS get TotalVisibleMemorySize
C:\Windows\system32\findstr.exe
findstr /r /v "^$"
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v SvcHostSplitThresholdInKB /t REG_DWORD /d 0 /f
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\sc.exe
sc config ALG start=disabled
C:\Windows\system32\sc.exe
sc config AJRouter start=disabled
C:\Windows\system32\sc.exe
sc config XblAuthManager start=disabled
C:\Windows\system32\sc.exe
sc config XblGameSave start=disabled
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start=disabled
C:\Windows\system32\sc.exe
sc config WSearch start=disabled
C:\Windows\system32\sc.exe
sc config lfsvc start=disabled
C:\Windows\system32\sc.exe
sc config RemoteRegistry start=disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=disabled
C:\Windows\system32\sc.exe
sc config SEMgrSvc start=disabled
C:\Windows\system32\sc.exe
sc config SCardSvr start=disabled
C:\Windows\system32\sc.exe
sc config Netlogon start=disabled
C:\Windows\system32\sc.exe
sc config CscService start=disabled
C:\Windows\system32\sc.exe
sc config icssvc start=disabled
C:\Windows\system32\sc.exe
sc config wisvc start=disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=disabled
C:\Windows\system32\sc.exe
sc config WalletService start=disabled
C:\Windows\system32\sc.exe
sc config Fax start=disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start=disabled
C:\Windows\system32\sc.exe
sc config iphlpsvc start=disabled
C:\Windows\system32\sc.exe
sc config wcncsvc start=disabled
C:\Windows\system32\sc.exe
sc config fhsvc start=disabled
C:\Windows\system32\sc.exe
sc config PhoneSvc start=disabled
C:\Windows\system32\sc.exe
sc config seclogon start=disabled
C:\Windows\system32\sc.exe
sc config FrameServer start=disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start=disabled
C:\Windows\system32\sc.exe
sc config StiSvc start=disabled
C:\Windows\system32\sc.exe
sc config PcaSvc start=disabled
C:\Windows\system32\sc.exe
sc config DPS start=disabled
C:\Windows\system32\sc.exe
sc config MapsBroker start=disabled
C:\Windows\system32\sc.exe
sc config bthserv start=disabled
C:\Windows\system32\sc.exe
sc config BDESVC start=disabled
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start=disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=disabled
C:\Windows\system32\sc.exe
sc config DiagTrack start=disabled
C:\Windows\system32\sc.exe
sc config CertPropSvc start=disabled
C:\Windows\system32\sc.exe
sc config WdiServiceHost start=disabled
C:\Windows\system32\sc.exe
sc config lmhosts start=disabled
C:\Windows\system32\sc.exe
sc config WdiSystemHost start=disabled
C:\Windows\system32\sc.exe
sc config TrkWks start=disabled
C:\Windows\system32\sc.exe
sc config WerSvc start=disabled
C:\Windows\system32\sc.exe
sc config TabletInputService start=disabled
C:\Windows\system32\sc.exe
sc config EntAppSvc start=disabled
C:\Windows\system32\sc.exe
sc config Spooler start=disabled
C:\Windows\system32\sc.exe
sc config BcastDVRUserService start=disabled
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start=disabled
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start=disabled
C:\Windows\system32\sc.exe
sc config DmEnrollmentSvc start=disabled
C:\Windows\system32\sc.exe
sc config PNRPAutoReg start=disabled
C:\Windows\system32\sc.exe
sc config wlidsvc start=disabled
C:\Windows\system32\sc.exe
sc config AXInstSV start=disabled
C:\Windows\system32\sc.exe
sc config lfsvc start=disabled
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /fd
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\sc.exe
sc config wlidsvc start= disabled
C:\Windows\system32\sc.exe
sc config DisplayEnhancementService start= disabled
C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
C:\Windows\system32\sc.exe
sc config DusmSvc start= disabled
C:\Windows\system32\sc.exe
sc config TabletInputService start= disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start= disabled
C:\Windows\system32\sc.exe
sc config Fax start= disabled
C:\Windows\system32\sc.exe
sc config SharedAccess start= disabled
C:\Windows\system32\sc.exe
sc config lfsvc start= disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start= disabled
C:\Windows\system32\sc.exe
sc config SessionEnv start= disabled
C:\Windows\system32\sc.exe
sc config MicrosoftEdgeElevationService start= disabled
C:\Windows\system32\sc.exe
sc config edgeupdate start= disabled
C:\Windows\system32\sc.exe
sc config edgeupdatem start= disabled
C:\Windows\system32\sc.exe
sc config autotimesvc start= disabled
C:\Windows\system32\sc.exe
sc config CscService start= disabled
C:\Windows\system32\sc.exe
sc config TermService start= disabled
C:\Windows\system32\sc.exe
sc config SensorDataService start= disabled
C:\Windows\system32\sc.exe
sc config SensorService start= disabled
C:\Windows\system32\sc.exe
sc config SensrSvc start= disabled
C:\Windows\system32\sc.exe
sc config shpamsvc start= disabled
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start= disabled
C:\Windows\system32\sc.exe
sc config PhoneSvc start= disabled
C:\Windows\system32\sc.exe
sc config TapiSrv start= disabled
C:\Windows\system32\sc.exe
sc config UevAgentService start= disabled
C:\Windows\system32\sc.exe
sc config WalletService start= disabled
C:\Windows\system32\sc.exe
sc config TokenBroker start= disabled
C:\Windows\system32\sc.exe
sc config WebClient start= disabled
C:\Windows\system32\sc.exe
sc config MixedRealityOpenXRSvc start= disabled
C:\Windows\system32\sc.exe
sc config stisvc start= disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start= disabled
C:\Windows\system32\sc.exe
sc config icssvc start= disabled
C:\Windows\system32\sc.exe
sc config Wecsvc start= disabled
C:\Windows\system32\sc.exe
sc config XboxGipSvc start= disabled
C:\Windows\system32\sc.exe
sc config XblAuthManager start= disabled
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start= disabled
C:\Windows\system32\sc.exe
sc config XblGameSave start= disabled
C:\Windows\system32\sc.exe
sc config SEMgrSvc start= disabled
C:\Windows\system32\sc.exe
sc config iphlpsvc start= disabled
C:\Windows\system32\sc.exe
sc config Backupper Service" start= disabled
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start= disabled
C:\Windows\system32\sc.exe
sc config BDESVC start= disabled
C:\Windows\system32\sc.exe
sc config cbdhsvc start= disabled
C:\Windows\system32\sc.exe
sc config CDPSvc start= disabled
C:\Windows\system32\sc.exe
sc config CDPUserSvc start= disabled
C:\Windows\system32\sc.exe
sc config DevQueryBroker start= disabled
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc start= disabled
C:\Windows\system32\sc.exe
sc config dmwappushservice start= disabled
C:\Windows\system32\sc.exe
sc config DispBrokerDesktopSvc start= disabled
C:\Windows\system32\sc.exe
sc config TrkWks start= disabled
C:\Windows\system32\sc.exe
sc config dLauncherLoopback start= disabled
C:\Windows\system32\sc.exe
sc config EFS start= disabled
C:\Windows\system32\sc.exe
sc config fdPHost start= disabled
C:\Windows\system32\sc.exe
sc config FDResPub start= disabled
C:\Windows\system32\sc.exe
sc config IKEEXT start= disabled
C:\Windows\system32\sc.exe
sc config NPSMSvc start= disabled
C:\Windows\system32\sc.exe
sc config WPDBusEnum start= disabled
C:\Windows\system32\sc.exe
sc config PcaSvc start= disabled
C:\Windows\system32\sc.exe
sc config RasMan start= disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=disabled
C:\Windows\system32\sc.exe
sc config SstpSvc start=disabled
C:\Windows\system32\sc.exe
sc config ShellHWDetection start= disabled
C:\Windows\system32\sc.exe
sc config SSDPSRV start= disabled
C:\Windows\system32\sc.exe
sc config SysMain start= disabled
C:\Windows\system32\sc.exe
sc config OneSyncSvc start= disabled
C:\Windows\system32\sc.exe
sc config lmhosts start= disabled
C:\Windows\system32\sc.exe
sc config UserDataSvc start= disabled
C:\Windows\system32\sc.exe
sc config UnistoreSvc start= disabled
C:\Windows\system32\sc.exe
sc config Wcmsvc start= disabled
C:\Windows\system32\sc.exe
sc config FontCache start= disabled
C:\Windows\system32\sc.exe
sc config W32Time start= disabled
C:\Windows\system32\sc.exe
sc config tzautoupdate start= disabled
C:\Windows\system32\sc.exe
sc config DsSvc start= disabled
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config diagsvc start= disabled
C:\Windows\system32\sc.exe
sc config DialogBlockingService start= disabled
C:\Windows\system32\sc.exe
sc config PimIndexMaintenanceSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config MessagingService_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config AppVClient start= disabled
C:\Windows\system32\sc.exe
sc config MsKeyboardFilter start= disabled
C:\Windows\system32\sc.exe
sc config NetTcpPortSharing start= disabled
C:\Windows\system32\sc.exe
sc config ssh-agent start= disabled
C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
C:\Windows\system32\sc.exe
sc config OneSyncSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config wercplsupport start= disabled
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start= disabled
C:\Windows\system32\sc.exe
sc config WerSvc start= disabled
C:\Windows\system32\sc.exe
sc config WpnUserService_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start= disabled
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDInstallLauncher" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "ModifyLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "SoftMakerUpdater" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "StartCN" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "StartDVR" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc stop uhssvc
C:\Windows\system32\sc.exe
sc stop upfc
C:\Windows\system32\sc.exe
sc stop PushToInstall
C:\Windows\system32\sc.exe
sc stop BITS
C:\Windows\system32\sc.exe
sc stop InstallService
C:\Windows\system32\sc.exe
sc stop uhssvc
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop LanmanServer
C:\Windows\system32\sc.exe
sc config BITS start= disabled
C:\Windows\system32\sc.exe
sc config InstallService start= disabled
C:\Windows\system32\sc.exe
sc config uhssvc start= disabled
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\sc.exe
sc config LanmanServer start= disabled
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc config RemoteRegistry start= disabled
C:\Windows\system32\sc.exe
sc config RemoteAccess start= disabled
C:\Windows\system32\sc.exe
sc config WinRM start= disabled
C:\Windows\system32\sc.exe
sc config RmSvc start= disabled
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc config PrintNotify start= disabled
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc config PrintNotify start= disabled
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc config NlaSvc start= disabled
C:\Windows\system32\sc.exe
sc config LanmanWorkstation start= disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
C:\Windows\system32\sc.exe
sc config BFE start= demand
C:\Windows\system32\sc.exe
sc config Dnscache start= demand
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start= demand
C:\Windows\system32\sc.exe
sc config Dhcp start= auto
C:\Windows\system32\sc.exe
sc config DPS start= auto
C:\Windows\system32\sc.exe
sc config lmhosts start= disabled
C:\Windows\system32\sc.exe
sc config nsi start= auto
C:\Windows\system32\sc.exe
sc config Wcmsvc start= disabled
C:\Windows\system32\sc.exe
sc config Winmgmt start= auto
C:\Windows\system32\sc.exe
sc config WlanSvc start= demand
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\sc.exe
sc config NcbService start=disabled
C:\Windows\system32\sc.exe
sc config DeviceAssociationService start=disabled
C:\Windows\system32\sc.exe
sc config StorSvc start=disabled
C:\Windows\system32\sc.exe
sc config TieringEngineService start=disabled
C:\Windows\system32\sc.exe
sc config DPS start=disabled
C:\Windows\system32\sc.exe
sc config Themes start=disabled
C:\Windows\system32\sc.exe
sc config edgeupdate start=disabled
C:\Windows\system32\sc.exe
sc config edgeupdatem start=disabled
C:\Windows\system32\sc.exe
sc config GoogleChromeElevationService start=disabled
C:\Windows\system32\sc.exe
sc config gupdate start=disabled
C:\Windows\system32\sc.exe
sc config gupdatem start=disabled
C:\Windows\system32\sc.exe
sc config logi_lamparray_service start=disabled
C:\Windows\system32\sc.exe
sc config LGHUBUpdaterService start=disabled
C:\Windows\system32\sc.exe
sc config SteelSeriesGGUpdateServiceProxy start=disabled
C:\Windows\system32\sc.exe
sc config RzActionSvc start=disabled
C:\Windows\system32\sc.exe
sc config RazerElevationService start=disabled
C:\Windows\system32\sc.exe
sc config RazerGameManagerService start=disabled
C:\Windows\system32\sc.exe
sc config RazerGameManagerService3 start=disabled
C:\Windows\system32\sc.exe
sc config RazerSynapseService start=disabled
C:\Windows\system32\sc.exe
sc config BraveElevationService start=disabled
C:\Windows\system32\sc.exe
sc config brave start=disabled
C:\Windows\system32\sc.exe
sc config bravem start=disabled
C:\Windows\system32\sc.exe
sc config GigabyteUpdateService start=disabled
C:\Windows\system32\sc.exe
sc config CCleanerBrowserElevationService start=disabled
C:\Windows\system32\sc.exe
sc config ccleaner start=disabled
C:\Windows\system32\sc.exe
sc config ccleanerm start=disabled
C:\Windows\system32\sc.exe
sc config CCleanerPerformanceOptimizerService start=disabled
C:\Windows\system32\sc.exe
sc config HvHost start=disabled
C:\Windows\system32\sc.exe
sc config vmickvpexchange start=disabled
C:\Windows\system32\sc.exe
sc config vmicguestinterface start=disabled
C:\Windows\system32\sc.exe
sc config vmicshutdown start=disabled
C:\Windows\system32\sc.exe
sc config vmicheartbeat start=disabled
C:\Windows\system32\sc.exe
sc config vmicvmsession start=disabled
C:\Windows\system32\sc.exe
sc config vmicrdv start=disabled
C:\Windows\system32\sc.exe
sc config vmictimesync start=disabled
C:\Windows\system32\sc.exe
sc config vmicvss start=disabled
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc config NcbService start=disabled
C:\Windows\system32\sc.exe
sc config jhi_service start=disabled
C:\Windows\system32\sc.exe
sc config WMIRegistrationService start=disabled
C:\Windows\system32\sc.exe
sc config "Intel(R) TPM Provisioning Service" start=disabled
C:\Windows\system32\sc.exe
sc config ipfsvc start=disabled
C:\Windows\system32\sc.exe
sc config igccservice start=disabled
C:\Windows\system32\sc.exe
sc config cplspcon start=disabled
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\sc.exe
sc config AMD Crash Defender Service start=disabled
C:\Windows\system32\sc.exe
sc config AMD External Events Utility start=disabled
C:\Windows\system32\sc.exe
sc config AUEPLauncher start=disabled
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleaner Update" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleanerCrashReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleaner Update" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleanerCrashReporting" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption /format:list
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "30zlj_ " /t REG_SZ /d "" /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\taskkill.exe
taskkill.exe /F /IM "OneDrive.exe"
C:\Windows\system32\taskkill.exe
taskkill.exe /F /IM "explorer.exe"
C:\Windows\system32\reg.exe
reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
C:\Windows\system32\reg.exe
reg unload "hku\Default"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "OneDrive*" /f
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.RemoteDesktop_10.2.1810.0_x64__8wekyb3d8bbwe* | Remove-AppxPackage"
C:\Windows\System32\takeown.exe
takeown /F "C:\Windows\System32\mstsc.exe"
C:\Windows\System32\icacls.exe
icacls "C:\Windows\System32\mstsc.exe" /grant administrators:F
C:\Windows\System32\timeout.exe
timeout 2
C:\Windows\System32\taskkill.exe
taskkill /F /IM WidgetService.exe
C:\Windows\System32\taskkill.exe
taskkill /F /IM Widgets.exe
C:\Windows\System32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
C:\Windows\System32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
C:\Windows\System32\timeout.exe
timeout 2
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\smartscreen.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\taskhostw.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\taskhostw.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\taskkill.exe
taskkill /f /im lghub.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im lghub_agent.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im lghub_updater.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im lghub_system_tray.exe
C:\Windows\system32\net.exe
net stop "LGHUBUpdaterService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "LGHUBUpdaterService"
C:\Windows\system32\sc.exe
sc config LGHUBUpdaterService start=disabled
C:\Windows\system32\taskkill.exe
taskkill /f /im CefSharp.BrowserSubprocess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CortexLauncherService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Razer Central.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerCentralService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerCortex.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerAppEngine.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RzEngineMon.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerAxon.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerAxon.Player.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerAxon.Reporter.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im GameManagerService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im GameManagerServiceStartup.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CrashReporter.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im GameManagerService3.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im GMSServiceRegister.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerCentral.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerUpdater.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerCentralService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im "Razer Synapse 3.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im "Razer Synapse Service UI Start.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im "Razer Synapse Service.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im "Razer Synapse Service Process.exe"
C:\Windows\system32\net.exe
net stop "RzActionSvc"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "RzActionSvc"
C:\Windows\system32\net.exe
net stop "Razer Elevation Service"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Razer Elevation Service"
C:\Windows\system32\net.exe
net stop "Razer Game Manager Service"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Razer Game Manager Service"
C:\Windows\system32\net.exe
net stop "Razer Game Manager Service 3"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Razer Game Manager Service 3"
C:\Windows\system32\net.exe
net stop "Razer Synapse Service"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Razer Synapse Service"
C:\Windows\system32\sc.exe
sc config RzActionSvc start=disabled
C:\Windows\system32\sc.exe
sc config Razer Elevation Service start=disabled
C:\Windows\system32\sc.exe
sc config Razer Game Manager Service start=disabled
C:\Windows\system32\sc.exe
sc config Razer Game Manager Service 3 start=disabled
C:\Windows\system32\sc.exe
sc config Razer Synapse Service start=disabled
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerCortex.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CefSharp.BrowserSubprocess.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Razer Central.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im RazerCentralService.exe
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\taskkill.exe
taskkill /f /im Aac3572DramHal_x86.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im AacKingstonDramHal_x86.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im AcPowerNotification.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ArmouryCrate.Service.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ArmouryCrate.UserSessionHelper.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ArmourySwAgent.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im AsusCertService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im extensionCardHal_x86.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im atkexComSvc.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ROGLiveService.exe
C:\Windows\system32\net.exe
net stop "ArmouryCrateService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ArmouryCrateService"
C:\Windows\system32\net.exe
net stop "LightingService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "LightingService"
C:\Windows\system32\net.exe
net stop "AsusCertService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AsusCertService"
C:\Windows\system32\net.exe
net stop "asComSvc"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "asComSvc"
C:\Windows\system32\net.exe
net stop "asus"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "asus"
C:\Windows\system32\net.exe
net stop "asusm"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "asusm"
C:\Windows\system32\net.exe
net stop "AsusROGLSLService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AsusROGLSLService"
C:\Windows\system32\net.exe
net stop "ROG Live Service"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ROG Live Service"
C:\Windows\system32\sc.exe
sc config ArmouryCrateService start=disabled
C:\Windows\system32\sc.exe
sc config LightingService start=disabled
C:\Windows\system32\sc.exe
sc config AsusCertService start=disabled
C:\Windows\system32\sc.exe
sc config asComSvc start=disabled
C:\Windows\system32\sc.exe
sc config asus start=disabled
C:\Windows\system32\sc.exe
sc config asusm start=disabled
C:\Windows\system32\sc.exe
sc config AsusROGLSLService start=disabled
C:\Windows\system32\sc.exe
sc config ROG Live Service start=disabled
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\taskkill.exe
taskkill /f /im Corsair.Service.CpuIdRemote64.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Corsair.Service.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CorsairCpuIdService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im CueLLAccessService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im ICEsoundService64.exe
C:\Windows\system32\net.exe
net stop "CorsairCpuIdService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "CorsairCpuIdService"
C:\Windows\system32\net.exe
net stop "CorsairDeviceListerService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "CorsairDeviceListerService"
C:\Windows\system32\net.exe
net stop "iCUEUpdateService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "iCUEUpdateService"
C:\Windows\system32\net.exe
net stop "CorsairLLAService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "CorsairLLAService"
C:\Windows\system32\net.exe
net stop "CorsairService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "CorsairService"
C:\Windows\system32\net.exe
net stop "ICEsoundService"
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ICEsoundService"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1km3clsg.x1d.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | be61cd8655b240ccf85ac6e222e9efcf |
| SHA1 | eecabf93c3bfeab81526cdf897eb63c2dd796ce2 |
| SHA256 | 78fcc19e114766e2664ff54a351dd4522ee84a0e4d704bb8314d805edd11c2b9 |
| SHA512 | ed4cc4b41ff4e883a8867437cc4544997fb9f1dc51f85b5288036b819ba7e87d8de085703f2d6db99b2e9e6cdd30370084e7ffaa3d6567782a4cb926ccbaa161 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | af3fc3ba932a8a6846fb232492261552 |
| SHA1 | 5a6f6315799fafc47a4bb069ab573f6741eb5423 |
| SHA256 | 51f06bddc76f831cac733aaa011c10eb7f1a02f77e5136eb2d6ba6dfee407958 |
| SHA512 | 086e1f6708c5c9a6e71c4852d19184e70b0d063412bf034222547127e246a31d6f4adb3db47ba6c2a199d5778fb123bdd15518274b4d057a7c4067226267fb03 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 28fff107d1ee10345f9daeba92ee6eea |
| SHA1 | f0037748b9711bf145736591a79e5f24d379d715 |
| SHA256 | c5f3ad123b8786a7ba4d13780c59c3105bef1979ecb0c2318235ff416e5221ea |
| SHA512 | e26239024303ad4ce09f30b0f9d3b6471619db8bf15d069860f0e598d1386f9fa74daf8ca4d3b868af6bd30b5b8b00ad4314048bbf31d15a10c5ef46abbddc8e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5d513429ac070b40c2c3ecc0cc57b39f |
| SHA1 | 5ec7960eefdcfd97ba5eadadeb49c98ca9c93744 |
| SHA256 | 8727fc7a4997154ee0c2a73005989d491a2181b2da02aaee82b7b08cecbee43b |
| SHA512 | 6a7796798a14286a4730177e6d26236a8807175e2278e26ab7be9b20a2753f0e5236b9e3e2ff03074d15b31006c2917624395799659249094e2e529bc3ab28e6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b47234b51159016ef45ffe80731fa016 |
| SHA1 | eb05c361e6608f0a58adb166d6be5f36734b78d5 |
| SHA256 | 8a4618248ac5384c05ccba78dcdca90137f9c932d8954babaeda2e8405682f67 |
| SHA512 | 6acd8c1e3fb00d054fcb4e925f27b47d4199c6da617c8d617d397fb4d1b15f588705fad741465952f97cdef356ce515790c7e6146e84e2294096b4ef8d6bf285 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ef504a0b8a7919d74305c9663400d0e1 |
| SHA1 | 22f6214d836e9c93c35567e1e8b08477a8e9bf74 |
| SHA256 | fe1327ba4413b0164c4781e2f713297ce4a08ce34932e01108ec0231349b6fee |
| SHA512 | fddd4b9052985700ecb5c04172a8f35e666e1bdb1faa8db10fa5801a092a5dcd19fed7c0127adda11aedcbd7002c729799bc20e2450e7d5e2057359931f0e81d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 58360e6bfdd548e1eb1982673908f630 |
| SHA1 | 9c4d4fe66ee436753e6eb26a8344363d949b11fd |
| SHA256 | fb1bd9db1a1f28d264642f8e9bc4dad407327596e1874aa9df5f66dca1472c12 |
| SHA512 | 7fc2d63af0cba80a2a85c76ca99060a108709e5818fdc9dd76ff9ec32a83cf9985d548720e63d797243bd2f639a7e71f038dec75e3388d357ee78289321e112f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a2459b69253c02e2c585594b6152bedf |
| SHA1 | 3a77843c894195168922880e8e6a806151e8ff0e |
| SHA256 | ae7ffa5554b28c00fcfe55762bd0bfdd3fbfec7b1b6348342c5dee09e608343d |
| SHA512 | 4de3230035469f31436009e6a638b03351acda7d341eb952fddcb13d11a03a92c0d118c0fc810f9cf2ae48e2ba67f8641b011cb09341659144768407ce62e577 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 486ddebcca1f659fa7a7f17b47ff482f |
| SHA1 | 3568d88ea90fd4a784c82710b73acddee36420bd |
| SHA256 | fe1a6995ba557dfbdffd69c17f1da48efb4787e7287178f6ebca493ab7ec3480 |
| SHA512 | 0eb6077a84abc1cd84d6c1dc298d963547a4904641bd2b934cf873d000fed952f4b8bf390e6f32d70ec825d6a4f9dd329e848898b3a0d3e44546c81307d6b2c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 82f0afe8bddecd4cd6fe291f98c794e0 |
| SHA1 | d050e9721c0b7acff943d06d9d9cc9b4e93ef049 |
| SHA256 | d668660238c8becf8d2f07b971fd8a4fe1800edde2d6e88f77426e129ab51acd |
| SHA512 | 2030d52cd4bc37055414fb0c0eb0d65f12cc336abe41881b66a5cf6295d6f7008a2352ebb2d4809e4fa5bbc239646b94ace5edd4f660855503e63f7d525392c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | abe8aec125c864c247d1a1616514c22b |
| SHA1 | e49af6c5a8da0c45e97e50a48da2436764b26657 |
| SHA256 | 7a9497aa75a15381c2eb8787b4c2e7009f680053aaa0e03d7e1ac4c99d1e95df |
| SHA512 | 64f51d829fc7e11adb27a526e44fb502a2c26ab07fcdba03c86a362f56b33dae68dd0349d015bda606661c13b1d14746f7200225fe16be6ab2a3e10f0e6ffb8a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 26c6bd9e25ca23f8efda7ae8055a8a0c |
| SHA1 | 869b20371140044a82952079bbe2af631506e396 |
| SHA256 | 127b5d7a2cb4ce7d8ed8658452bcdbbecd4025a7197553d123c7cce345f8a0ea |
| SHA512 | d3a73932afa1b394b77ba601fdba1cc97831300f21bb80f43dde4361e341d0bba951da0131055a5631b6243e9e890f2db3bb1ef9f76c968463d26f3e4dbb5bf4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 61a28e6063f3d7219f07cab5ef0485f2 |
| SHA1 | 938c1a2230af814ad6bebf5822f1a6a84439020f |
| SHA256 | 45fb4b8b74ff76750fcc83cca3b2b4a9d005e949a3b38ac60e18fc48b8594001 |
| SHA512 | 8394ec9bc0f707b5ff20f16460f082510ca0fe9fdbcc8897add97c06785fc2cda931eefa44c3dcf15538afd0a9988111b41a27493bcf3989d8779b9975f05404 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da705a47a08f8dfef9f425bfba179a4f |
| SHA1 | 818b7eb1a5ce4fae00d2d8f4946f9974e66d1d33 |
| SHA256 | 5c2e026deb01d199a5a26b534d98decf10d2313aac140a0a4183b6147d4ccbfc |
| SHA512 | e489fc5bbe3dfb4b3b452af6324e6632f9db9cff66c12e70b3c19be6679a8a723fa60705010ced4b17b8628ed1adba55d7c09681c47c52b5b77720e60b7b7cdb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7f3bb8b2e6b8a0520ccb4876775d2dcc |
| SHA1 | 93700dd08708a15881a0b6b8ab93e6069abe9393 |
| SHA256 | eea8b9a8fa4f41b3546ae3686c4e1d20113c38f0cd3c087a849dbab5bdc0d140 |
| SHA512 | c5e59ad3c7557334ac107231b88bd8463a9651debcc3a30de95dcd797bd6f1d76b7746549f28573cbe7cd0f9ee24e3897c739659cf5225c9214b05c2118f0eb9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8f42446b0fac91af4bbf7606086060b |
| SHA1 | 5c678114c5496ab182d74794e73b7d6861e0825a |
| SHA256 | 58d83f77286bd26fe1f9b8923034b977cfafa4416b88c507da91d233ac7928c5 |
| SHA512 | caeed0a7d33ec2b952e0d963882f16ada27792f0bb71d614e046bc1acb82effb3cb0b1720c76adbd04eed50576dadcad905b7c51265bb3434300faa02aacaf9a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 620d5feadab8145e132726b9e270a911 |
| SHA1 | c72e9b737d18942633207749e028dcb0a094d063 |
| SHA256 | 36b7e9a6085bba464bb4648de206e804ef30c0233b3da5d5f9b2dfe290284c58 |
| SHA512 | 311e335e18277af4bed89439a38c67f6e40c81d90bd83caa82d000b5d8de90899f58c4a4e606d141ab5056db0f954798b833b380b85c61bb7e52888a67b5a1fa |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 986f6c19d14db6361d953eaa5032498a |
| SHA1 | 472166b061b3702c0a94154c498fada313b015f7 |
| SHA256 | a03078bd4118dbe9e6517bd43f04bec879d951912fe6ba9aa64f6064743002df |
| SHA512 | e79a7cfdbfa7cbef57c609884fdd3b8c858d6d64d34ba6a19506a73a435d6d60aefe81f52d68c33b98631cbe79a3f0400c2f5eca7c2c76d2375557f48e91ed97 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c4bda35d027d67c194fe1bdd97c5ad7a |
| SHA1 | 154a311fa2c2c3f9b0bcfce4bd4f7b87908fec71 |
| SHA256 | 0dd42ebf091c1dac94d0c9ebf63764c93d9e226a8fdfb85a0cb2f53d83e32613 |
| SHA512 | 2b286f6ccf28653c0b2d022be84a8f697ea40e37457442ab1bfb27a46e077d30d6fca0042a9b6160f4a328f9b8cce2e141708532f6b1325c9aab4860f5522f96 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ee06fc33e98e965c749e9b10d4bd6221 |
| SHA1 | 8489cfbcd0b30ed49761887df765c9d377c0990f |
| SHA256 | abf843c42f712d633afe2b77905d15b06cb1c0c04960d2e9f5c47d88fbb1ebb7 |
| SHA512 | e6fabae5f62265bb05d05df2ee7864433f5d2c10e46000f1ce0a7fdb3260f850d015790869e7c5ab51befdb3929b3222c68222ae057a4e35268a43e72b1ddacd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7a5c4825170bee88c8ebc22cf950a968 |
| SHA1 | 4d60f013f2872a97a6e9fc5968d03c96cd96a686 |
| SHA256 | 631b6f0ba298472502ec8960887bc75a077162c0ab2e284dae323a7c1277e3fb |
| SHA512 | 8319866623d6b47de6c24dc74b38ffad66162ee313ba229fe72b949dccd401ecc43b9483bcf57ef6489742a4abf1125893bb0bde0466e3facc8c771969af5408 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 12051ecc6c95c362cd10c169fc767729 |
| SHA1 | b4241d8dc56a7a8d0d8781002fd5ec4168424ab3 |
| SHA256 | 3a034f9d389e2c8a3d16368c522f02dab2f1d1de2084d3c72634a8a299859bcd |
| SHA512 | 8fd14f64bbc4c57a79fbc0f526ea658b33fad61166a096ff18a1642e492432c6f18ce8c120b950366f1738301909a2405f0300250758e7f2858b0b0c5db6b40d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5109db162b3e9d8dfcc56fab4a475c46 |
| SHA1 | dae3ae04e4dab8a3133cdd24297ccf6e8faa21b6 |
| SHA256 | ca9e907db3663d2b3e48f24634d9f7163ca44c64426b995266ef778c322e4753 |
| SHA512 | cb50f69ef549b82502532840060b880e9f4d98db15c8b8d8bc99e1212e7b625569dd99e489e9fb0fc4287ec619eb0c9788e41b21f23bf63bc7266191ee1b265e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 53995a67c811e8d58e05aa387d04859f |
| SHA1 | 7646a8bc64f50d988149eb1b6aa4986d4f0022e8 |
| SHA256 | bec2a613cb39ba04a00d8c30257eaa120644926a42bc5f0867f08f4a2a5c76ed |
| SHA512 | 885b97f85a27167b1937d288e9c84b8c09a246266decff4475f278103d584531a32f951add6a23df5d23269a224005f3b338d92b9d1a9a863e5bc4f083758db0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7e5ec9d54376a1e866658d8e5cdf2a74 |
| SHA1 | 5db362095e4085ea1ff46a69319aa2dca99ec54e |
| SHA256 | 3da7704ac5b318dc9279864c476246d5aa981e6716d376cbd3be3833b71ed474 |
| SHA512 | 8023e12fc0b6a19ac2e3732be70898453305df8cd87ecdeee574dc9ad89028901974ff7e7f6abc43bfc89ebb39d893f6a83c5790948bf8a5dbfeafc3f042c579 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2465840b41f4cb2f352afe526a729f4c |
| SHA1 | 6375556983a8aa47bc66679f9170a4bcb1d009e2 |
| SHA256 | d29b75f826d04f1169c40f352046ad717d31efac9503ef6e14dc0c04da6f5511 |
| SHA512 | 2319c597e25ef35b1b0386e415255622a55339f98efa38e0849109a3537b234a94cd497e5d36ec73723863d05001238e79af5cc00c0d30fa539a33258c6f8821 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0afc78710722959adbbf22e73c52c01f |
| SHA1 | 51094d957a8a1dc0352d315132006ed7ba67c8ee |
| SHA256 | 6b4a83d485ac096728b614358b937f89616d988f51479356a48af27066d2c7fe |
| SHA512 | b5927e01df50a2e52db4e03223531f638e32baa6ffbbb9e1a0653767f7f6a03dba2e1baeffb5ac682d8132fe0650728b0ff11060459c07229e6a91059b6cebb4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ad01f2ceb8d821e0ddbb6755ca40fb8b |
| SHA1 | a8a921cd957a78eebfd411a3444fca8d9e26cfdc |
| SHA256 | 84d531c631902857cf6c85a0794cccb558eec5bcd8e2a9f2ded9b96dbb3c13ed |
| SHA512 | 6734f957bd774e51dc3d5694c35c1e809ba6a14c062127732defcb9da1398c5a14861dedad7fe9e719b020fdd0d5a5e193adeb4d8e2f35110b23193533791cd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b0ae3389c1d4f7ab4e9d8bdf0075f890 |
| SHA1 | 5653c1d478d6b44d659fd9e40d7ea5d6bb55be40 |
| SHA256 | 78d0be607c810872228ec624ff331203b117b3e1063f079f2e55d01aec5935dc |
| SHA512 | 3a0890c97dab3e1592ecde94f119745ed3e483349a5c1c1840907a9c915781789a751acc1946187a2d2804e3c588a5279a04e3bfd483ca1338966df8e0354aaa |