Analysis Overview
SHA256
5a23e31df8a552f29c44e23a37e19616080d46c75eb2d7db462eb01441106742
Threat Level: Known bad
The file Oneclick-V6.7.bat was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Disables service(s)
UAC bypass
Modifies security service
Modifies boot configuration data using bcdedit
Boot or Logon Autostart Execution: Active Setup
Stops running service(s)
Possible privilege escalation attempt
Command and Scripting Interpreter: PowerShell
Modifies file permissions
Event Triggered Execution: Component Object Model Hijacking
Power Settings
Adds Run key to start application
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Hide Artifacts: Ignore Process Interrupts
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Kills process with taskkill
Runs net.exe
Uses Volume Shadow Copy service COM API
Disables Windows logging functionality
Modifies registry class
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Checks processor information in registry
Modifies registry key
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 12:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 12:53
Reported
2024-06-21 13:23
Platform
win10-20240404-en
Max time kernel
1777s
Max time network
1744s
Command Line
Signatures
Disables service(s)
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Windows\system32\reg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Event Triggered Execution: Component Object Model Hijacking
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4iuzc | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\SRU\SRU.log | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{08730fd8-c151-403b-b7bb-7644479b9f8d}\snapshot.etl | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-160447019-1232603106-4168707212-1000_UserData.bin | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRU.chk | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{08730fd8-c151-403b-b7bb-7644479b9f8d}\snapshot.etl | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-160447019-1232603106-4168707212-1000_StartupInfo1.xml | \??\c:\windows\system32\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| File created | C:\Windows\rescache\_merged\4032412167\4002656488.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\Taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\Taskmgr.exe | N/A |
| File opened for modification | C:\Windows\Debug\ESE.TXT | \??\c:\windows\system32\svchost.exe | N/A |
| File created | C:\Windows\rescache\_merged\2717123927\1590785016.pri | C:\Windows\explorer.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\Taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\svchost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | \??\c:\windows\system32\svchost.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Windows logging functionality
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\drivers\ndisuio.sys,-501 = "NDIS Usermode I/O Protocol" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\System32\drivers\ndiscap.sys,-5000 = "Microsoft NDIS Capture" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%systemroot%\system32\wkssvc.dll,-1010 = "Client for Microsoft Networks" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\System32\drivers\wfplwfs.sys,-6005 = "WFP 802.3 MAC Layer LightWeight Filter" | \??\c:\windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\tcpip.sys,-10100 = "Internet Protocol Version 4 (TCP/IPv4)" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\System32\drivers\wfplwfs.sys,-6006 = "WFP Native MAC Layer LightWeight Filter" | \??\c:\windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\tcpip.sys,-10108 = "Microsoft RDMA - NDK" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\mslldp.sys,-211 = "Microsoft LLDP Protocol Driver" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\mprmsg.dll,-32015 = "Point to Point Protocol Over Ethernet" | \??\c:\windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%systemroot%\system32\srvsvc.dll,-109 = "File and Printer Sharing for Microsoft Networks" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\drivers\netbios.sys,-501 = "NetBIOS Interface" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%windir%\system32\drivers\netbt.sys,-3 = "WINS Client(TCP/IP) Protocol" | \??\c:\windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\drivers\tcpip.sys,-10102 = "Internet Protocol Version 6 (TCP/IPv6)" | \??\c:\windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e80706004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000000bc92036dac3da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80706004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000005e1af135dac3da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000003631b1288a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133567065867241975" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"
C:\Windows\system32\fltMC.exe
fltmc
C:\Windows\system32\sc.exe
sc query "WinDefend"
C:\Windows\system32\find.exe
find "STATE"
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc qc "TrustedInstaller"
C:\Windows\system32\find.exe
find "START_TYPE"
C:\Windows\system32\find.exe
find "DISABLED"
C:\Windows\system32\sc.exe
sc config TrustedInstaller start=auto
C:\Windows\system32\net.exe
net start TrustedInstaller
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TrustedInstaller
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Checkpoint-Computer -Description 'OneClick V6.7 Restore Point'"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
C:\Windows\system32\powercfg.exe
powercfg.exe /hibernate off
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config HomeGroupListener start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupProvider start=demand
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config AJRouter start=disabled
C:\Windows\system32\sc.exe
sc config ALG start=demand
C:\Windows\system32\sc.exe
sc config AppIDSvc start=demand
C:\Windows\system32\sc.exe
sc config AppMgmt start=demand
C:\Windows\system32\sc.exe
sc config AppReadiness start=demand
C:\Windows\system32\sc.exe
sc config AppVClient start=disabled
C:\Windows\system32\sc.exe
sc config AppXSvc start=demand
C:\Windows\system32\sc.exe
sc config Appinfo start=demand
C:\Windows\system32\sc.exe
sc config AssignedAccessManagerSvc start=disabled
C:\Windows\system32\sc.exe
sc config AudioEndpointBuilder start=auto
C:\Windows\system32\sc.exe
sc config AudioSrv start=auto
C:\Windows\system32\sc.exe
sc config Audiosrv start=auto
C:\Windows\system32\sc.exe
sc config AxInstSV start=demand
C:\Windows\system32\sc.exe
sc config BDESVC start=demand
C:\Windows\system32\sc.exe
sc config BFE start=auto
C:\Windows\system32\sc.exe
sc config BITS start=delayed-auto
C:\Windows\system32\sc.exe
sc config BTAGService start=demand
C:\Windows\system32\sc.exe
sc config BcastDVRUserService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config BluetoothUserService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config BrokerInfrastructure start=auto
C:\Windows\system32\sc.exe
sc config Browser start=demand
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start=auto
C:\Windows\system32\sc.exe
sc config BthHFSrv start=auto
C:\Windows\system32\sc.exe
sc config CDPSvc start=demand
C:\Windows\system32\sc.exe
sc config CDPUserSvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config COMSysApp start=demand
C:\Windows\system32\sc.exe
sc config CaptureService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CertPropSvc start=demand
C:\Windows\system32\sc.exe
sc config ClipSVC start=demand
C:\Windows\system32\sc.exe
sc config ConsentUxUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CoreMessagingRegistrar start=auto
C:\Windows\system32\sc.exe
sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CryptSvc start=auto
C:\Windows\system32\sc.exe
sc config CscService start=demand
C:\Windows\system32\sc.exe
sc config DPS start=auto
C:\Windows\system32\sc.exe
sc config DcomLaunch start=auto
C:\Windows\system32\sc.exe
sc config DcpSvc start=demand
C:\Windows\system32\sc.exe
sc config DevQueryBroker start=demand
C:\Windows\system32\sc.exe
sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config DeviceAssociationService start=demand
C:\Windows\system32\sc.exe
sc config DeviceInstall start=demand
C:\Windows\system32\sc.exe
sc config DevicePickerUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config Dhcp start=auto
C:\Windows\system32\sc.exe
sc config DiagTrack start=disabled
C:\Windows\system32\sc.exe
sc config DialogBlockingService start=disabled
C:\Windows\system32\sc.exe
sc config DispBrokerDesktopSvc start=auto
C:\Windows\system32\sc.exe
sc config DisplayEnhancementService start=demand
C:\Windows\system32\sc.exe
sc config DmEnrollmentSvc start=demand
C:\Windows\system32\sc.exe
sc config Dnscache start=auto
C:\Windows\system32\sc.exe
sc config DoSvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config DsSvc start=demand
C:\Windows\system32\sc.exe
sc config DsmSvc start=demand
C:\Windows\system32\sc.exe
sc config DusmSvc start=auto
C:\Windows\system32\sc.exe
sc config EFS start=demand
C:\Windows\system32\sc.exe
sc config EapHost start=demand
C:\Windows\system32\sc.exe
sc config EntAppSvc start=demand
C:\Windows\system32\sc.exe
sc config EventLog start=auto
C:\Windows\system32\sc.exe
sc config EventSystem start=auto
C:\Windows\system32\sc.exe
sc config FDResPub start=demand
C:\Windows\system32\sc.exe
sc config Fax start=demand
C:\Windows\system32\sc.exe
sc config FontCache start=auto
C:\Windows\system32\sc.exe
sc config FrameServer start=demand
C:\Windows\system32\sc.exe
sc config FrameServerMonitor start=demand
C:\Windows\system32\sc.exe
sc config GraphicsPerfSvc start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupListener start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupProvider start=demand
C:\Windows\system32\sc.exe
sc config HvHost start=demand
C:\Windows\system32\sc.exe
sc config IEEtwCollectorService start=demand
C:\Windows\system32\sc.exe
sc config IKEEXT start=demand
C:\Windows\system32\sc.exe
sc config InstallService start=demand
C:\Windows\system32\sc.exe
sc config InventorySvc start=demand
C:\Windows\system32\sc.exe
sc config IpxlatCfgSvc start=demand
C:\Windows\system32\sc.exe
sc config KeyIso start=auto
C:\Windows\system32\sc.exe
sc config KtmRm start=demand
C:\Windows\system32\sc.exe
sc config LSM start=auto
C:\Windows\system32\sc.exe
sc config LanmanServer start=auto
C:\Windows\system32\sc.exe
sc config LanmanWorkstation start=auto
C:\Windows\system32\sc.exe
sc config LicenseManager start=demand
C:\Windows\system32\sc.exe
sc config LxpSvc start=demand
C:\Windows\system32\sc.exe
sc config MSDTC start=demand
C:\Windows\system32\sc.exe
sc config MSiSCSI start=demand
C:\Windows\system32\sc.exe
sc config MapsBroker start=delayed-auto
C:\Windows\system32\sc.exe
sc config McpManagementService start=demand
C:\Windows\system32\sc.exe
sc config MessagingService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config MicrosoftEdgeElevationService start=demand
C:\Windows\system32\sc.exe
sc config MixedRealityOpenXRSvc start=demand
C:\Windows\system32\sc.exe
sc config MpsSvc start=auto
C:\Windows\system32\sc.exe
sc config MsKeyboardFilter start=demand
C:\Windows\system32\sc.exe
sc config NPSMSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config NaturalAuthentication start=demand
C:\Windows\system32\sc.exe
sc config NcaSvc start=demand
C:\Windows\system32\sc.exe
sc config NcbService start=demand
C:\Windows\system32\sc.exe
sc config NcdAutoSetup start=demand
C:\Windows\system32\sc.exe
sc config NetSetupSvc start=demand
C:\Windows\system32\sc.exe
sc config NetTcpPortSharing start=disabled
C:\Windows\system32\sc.exe
sc config Netlogon start=demand
C:\Windows\system32\sc.exe
sc config Netman start=demand
C:\Windows\system32\sc.exe
sc config NgcCtnrSvc start=demand
C:\Windows\system32\sc.exe
sc config NgcSvc start=demand
C:\Windows\system32\sc.exe
sc config NlaSvc start=demand
C:\Windows\system32\sc.exe
sc config OneSyncSvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config P9RdrService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PNRPAutoReg start=demand
C:\Windows\system32\sc.exe
sc config PNRPsvc start=demand
C:\Windows\system32\sc.exe
sc config PcaSvc start=demand
C:\Windows\system32\sc.exe
sc config PeerDistSvc start=demand
C:\Windows\system32\sc.exe
sc config PenService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PerfHost start=demand
C:\Windows\system32\sc.exe
sc config PhoneSvc start=demand
C:\Windows\system32\sc.exe
sc config PimIndexMaintenanceSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PlugPlay start=demand
C:\Windows\system32\sc.exe
sc config PolicyAgent start=demand
C:\Windows\system32\sc.exe
sc config Power start=auto
C:\Windows\system32\sc.exe
sc config PrintNotify start=demand
C:\Windows\system32\sc.exe
sc config PrintWorkflowUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config ProfSvc start=auto
C:\Windows\system32\sc.exe
sc config PushToInstall start=demand
C:\Windows\system32\sc.exe
sc config QWAVE start=demand
C:\Windows\system32\sc.exe
sc config RasAuto start=demand
C:\Windows\system32\sc.exe
sc config RasMan start=demand
C:\Windows\system32\sc.exe
sc config RemoteAccess start=disabled
C:\Windows\system32\sc.exe
sc config RemoteRegistry start=disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=demand
C:\Windows\system32\sc.exe
sc config RmSvc start=demand
C:\Windows\system32\sc.exe
sc config RpcEptMapper start=auto
C:\Windows\system32\sc.exe
sc config RpcLocator start=demand
C:\Windows\system32\sc.exe
sc config RpcSs start=auto
C:\Windows\system32\sc.exe
sc config SCPolicySvc start=demand
C:\Windows\system32\sc.exe
sc config SCardSvr start=demand
C:\Windows\system32\sc.exe
sc config SDRSVC start=demand
C:\Windows\system32\sc.exe
sc config SEMgrSvc start=demand
C:\Windows\system32\sc.exe
sc config SENS start=auto
C:\Windows\system32\sc.exe
sc config SNMPTRAP start=demand
C:\Windows\system32\sc.exe
sc config SNMPTrap start=demand
C:\Windows\system32\sc.exe
sc config SSDPSRV start=demand
C:\Windows\system32\sc.exe
sc config SamSs start=auto
C:\Windows\system32\sc.exe
sc config ScDeviceEnum start=demand
C:\Windows\system32\sc.exe
sc config Schedule start=auto
C:\Windows\system32\sc.exe
sc config SecurityHealthService start=demand
C:\Windows\system32\sc.exe
sc config Sense start=demand
C:\Windows\system32\sc.exe
sc config SensorDataService start=demand
C:\Windows\system32\sc.exe
sc config SensorService start=demand
C:\Windows\system32\sc.exe
sc config SensrSvc start=demand
C:\Windows\system32\sc.exe
sc config SessionEnv start=demand
C:\Windows\system32\sc.exe
sc config SgrmBroker start=auto
C:\Windows\system32\sc.exe
sc config SharedAccess start=demand
C:\Windows\system32\sc.exe
sc config SharedRealitySvc start=demand
C:\Windows\system32\sc.exe
sc config ShellHWDetection start=auto
C:\Windows\system32\sc.exe
sc config SmsRouter start=demand
C:\Windows\system32\sc.exe
sc config Spooler start=auto
C:\Windows\system32\sc.exe
sc config SstpSvc start=demand
C:\Windows\system32\sc.exe
sc config StateRepository start=demand
C:\Windows\system32\sc.exe
sc config StiSvc start=demand
C:\Windows\system32\sc.exe
sc config StorSvc start=demand
C:\Windows\system32\sc.exe
sc config SysMain start=auto
C:\Windows\system32\sc.exe
sc config SystemEventsBroker start=auto
C:\Windows\system32\sc.exe
sc config TabletInputService start=demand
C:\Windows\system32\sc.exe
sc config TapiSrv start=demand
C:\Windows\system32\sc.exe
sc config TermService start=auto
C:\Windows\system32\sc.exe
sc config TextInputManagementService start=demand
C:\Windows\system32\sc.exe
sc config Themes start=auto
C:\Windows\system32\sc.exe
sc config TieringEngineService start=demand
C:\Windows\system32\sc.exe
sc config TimeBroker start=demand
C:\Windows\system32\sc.exe
sc config TimeBrokerSvc start=demand
C:\Windows\system32\sc.exe
sc config TokenBroker start=demand
C:\Windows\system32\sc.exe
sc config TrkWks start=auto
C:\Windows\system32\sc.exe
sc config TroubleshootingSvc start=demand
C:\Windows\system32\sc.exe
sc config TrustedInstaller start=demand
C:\Windows\system32\sc.exe
sc config UI0Detect start=demand
C:\Windows\system32\sc.exe
sc config UdkUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UevAgentService start=disabled
C:\Windows\system32\sc.exe
sc config UmRdpService start=demand
C:\Windows\system32\sc.exe
sc config UnistoreSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UserDataSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UserManager start=auto
C:\Windows\system32\sc.exe
sc config UsoSvc start=demand
C:\Windows\system32\sc.exe
sc config VGAuthService start=auto
C:\Windows\system32\sc.exe
sc config VMTools start=auto
C:\Windows\system32\sc.exe
sc config VSS start=demand
C:\Windows\system32\sc.exe
sc config VacSvc start=demand
C:\Windows\system32\sc.exe
sc config VaultSvc start=auto
C:\Windows\system32\sc.exe
sc config W32Time start=demand
C:\Windows\system32\sc.exe
sc config WEPHOSTSVC start=demand
C:\Windows\system32\sc.exe
sc config WFDSConMgrSvc start=demand
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start=demand
C:\Windows\system32\sc.exe
sc config WManSvc start=demand
C:\Windows\system32\sc.exe
sc config WPDBusEnum start=demand
C:\Windows\system32\sc.exe
sc config WSService start=demand
C:\Windows\system32\sc.exe
sc config WSearch start=delayed-auto
C:\Windows\system32\sc.exe
sc config WaaSMedicSvc start=demand
C:\Windows\system32\sc.exe
sc config WalletService start=demand
C:\Windows\system32\sc.exe
sc config WarpJITSvc start=demand
C:\Windows\system32\sc.exe
sc config WbioSrvc start=demand
C:\Windows\system32\sc.exe
sc config Wcmsvc start=auto
C:\Windows\system32\sc.exe
sc config WcsPlugInService start=demand
C:\Windows\system32\sc.exe
sc config WdNisSvc start=demand
C:\Windows\system32\sc.exe
sc config WdiServiceHost start=demand
C:\Windows\system32\sc.exe
sc config WdiSystemHost start=demand
C:\Windows\system32\sc.exe
sc config WebClient start=demand
C:\Windows\system32\sc.exe
sc config Wecsvc start=demand
C:\Windows\system32\sc.exe
sc config WerSvc start=demand
C:\Windows\system32\sc.exe
sc config WiaRpc start=demand
C:\Windows\system32\sc.exe
sc config WinDefend start=auto
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start=demand
C:\Windows\system32\sc.exe
sc config WinRM start=demand
C:\Windows\system32\sc.exe
sc config Winmgmt start=auto
C:\Windows\system32\sc.exe
sc config WlanSvc start=auto
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=demand
C:\Windows\system32\sc.exe
sc config WpnService start=demand
C:\Windows\system32\sc.exe
sc config WpnUserService_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config WwanSvc start=demand
C:\Windows\system32\sc.exe
sc config XblAuthManager start=demand
C:\Windows\system32\sc.exe
sc config XblGameSave start=demand
C:\Windows\system32\sc.exe
sc config XboxGipSvc start=demand
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start=demand
C:\Windows\system32\sc.exe
sc config autotimesvc start=demand
C:\Windows\system32\sc.exe
sc config bthserv start=demand
C:\Windows\system32\sc.exe
sc config camsvc start=demand
C:\Windows\system32\sc.exe
sc config cbdhsvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config cloudidsvc start=demand
C:\Windows\system32\sc.exe
sc config dcsvc start=demand
C:\Windows\system32\sc.exe
sc config defragsvc start=demand
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start=demand
C:\Windows\system32\sc.exe
sc config diagsvc start=demand
C:\Windows\system32\sc.exe
sc config dmwappushservice start=demand
C:\Windows\system32\sc.exe
sc config dot3svc start=demand
C:\Windows\system32\sc.exe
sc config edgeupdate start=demand
C:\Windows\system32\sc.exe
sc config edgeupdatem start=demand
C:\Windows\system32\sc.exe
sc config embeddedmode start=demand
C:\Windows\system32\sc.exe
sc config fdPHost start=demand
C:\Windows\system32\sc.exe
sc config fhsvc start=demand
C:\Windows\system32\sc.exe
sc config gpsvc start=auto
C:\Windows\system32\sc.exe
sc config hidserv start=demand
C:\Windows\system32\sc.exe
sc config icssvc start=demand
C:\Windows\system32\sc.exe
sc config iphlpsvc start=auto
C:\Windows\system32\sc.exe
sc config lfsvc start=demand
C:\Windows\system32\sc.exe
sc config lltdsvc start=demand
C:\Windows\system32\sc.exe
sc config lmhosts start=demand
C:\Windows\system32\sc.exe
sc config mpssvc start=auto
C:\Windows\system32\sc.exe
sc config msiserver start=demand
C:\Windows\system32\sc.exe
sc config netprofm start=demand
C:\Windows\system32\sc.exe
sc config nsi start=auto
C:\Windows\system32\sc.exe
sc config p2pimsvc start=demand
C:\Windows\system32\sc.exe
sc config p2psvc start=demand
C:\Windows\system32\sc.exe
sc config perceptionsimulation start=demand
C:\Windows\system32\sc.exe
sc config pla start=demand
C:\Windows\system32\sc.exe
sc config seclogon start=demand
C:\Windows\system32\sc.exe
sc config shpamsvc start=disabled
C:\Windows\system32\sc.exe
sc config smphost start=demand
C:\Windows\system32\sc.exe
sc config spectrum start=demand
C:\Windows\system32\sc.exe
sc config sppsvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config ssh-agent start=disabled
C:\Windows\system32\sc.exe
sc config svsvc start=demand
C:\Windows\system32\sc.exe
sc config swprv start=demand
C:\Windows\system32\sc.exe
sc config tiledatamodelsvc start=auto
C:\Windows\system32\sc.exe
sc config tzautoupdate start=disabled
C:\Windows\system32\sc.exe
sc config uhssvc start=disabled
C:\Windows\system32\sc.exe
sc config upnphost start=demand
C:\Windows\system32\sc.exe
sc config vds start=demand
C:\Windows\system32\sc.exe
sc config vm3dservice start=demand
C:\Windows\system32\sc.exe
sc config vmicguestinterface start=demand
C:\Windows\system32\sc.exe
sc config vmicheartbeat start=demand
C:\Windows\system32\sc.exe
sc config vmickvpexchange start=demand
C:\Windows\system32\sc.exe
sc config vmicrdv start=demand
C:\Windows\system32\sc.exe
sc config vmicshutdown start=demand
C:\Windows\system32\sc.exe
sc config vmictimesync start=demand
C:\Windows\system32\sc.exe
sc config vmicvmsession start=demand
C:\Windows\system32\sc.exe
sc config vmicvss start=demand
C:\Windows\system32\sc.exe
sc config vmvss start=demand
C:\Windows\system32\sc.exe
sc config wbengine start=demand
C:\Windows\system32\sc.exe
sc config wcncsvc start=demand
C:\Windows\system32\sc.exe
sc config webthreatdefsvc start=demand
C:\Windows\system32\sc.exe
sc config webthreatdefusersvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config wercplsupport start=demand
C:\Windows\system32\sc.exe
sc config wisvc start=demand
C:\Windows\system32\sc.exe
sc config wlidsvc start=demand
C:\Windows\system32\sc.exe
sc config wlpasvc start=demand
C:\Windows\system32\sc.exe
sc config wmiApSrv start=demand
C:\Windows\system32\sc.exe
sc config workfolderssvc start=demand
C:\Windows\system32\sc.exe
sc config wscsvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config wuauserv start=demand
C:\Windows\system32\sc.exe
sc config wudfsvc start=demand
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootmenupolicy Legacy
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
C:\Windows\system32\findstr.exe
findstr /r /c:"CurrentBuild"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
C:\Windows\system32\Taskmgr.exe
"C:\Windows\system32\Taskmgr.exe"
C:\Windows\system32\timeout.exe
timeout /t 2
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenonetwork -s DPS
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s WdiServiceHost
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 4194304 -Force"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\sc.exe
sc config wlidsvc start= disabled
C:\Windows\system32\sc.exe
sc config DisplayEnhancementService start= disabled
C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
C:\Windows\system32\sc.exe
sc config DusmSvc start= disabled
C:\Windows\system32\sc.exe
sc config TabletInputService start= disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start= disabled
C:\Windows\system32\sc.exe
sc config Fax start= disabled
C:\Windows\system32\sc.exe
sc config SharedAccess start= disabled
C:\Windows\system32\sc.exe
sc config lfsvc start= disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start= disabled
C:\Windows\system32\sc.exe
sc config SessionEnv start= disabled
C:\Windows\system32\sc.exe
sc config MicrosoftEdgeElevationService start= disabled
C:\Windows\system32\sc.exe
sc config edgeupdate start= disabled
C:\Windows\system32\sc.exe
sc config edgeupdatem start= disabled
C:\Windows\system32\sc.exe
sc config autotimesvc start= disabled
C:\Windows\system32\sc.exe
sc config CscService start= disabled
C:\Windows\system32\sc.exe
sc config TermService start= disabled
C:\Windows\system32\sc.exe
sc config SensorDataService start= disabled
C:\Windows\system32\sc.exe
sc config SensorService start= disabled
C:\Windows\system32\sc.exe
sc config SensrSvc start= disabled
C:\Windows\system32\sc.exe
sc config shpamsvc start= disabled
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start= disabled
C:\Windows\system32\sc.exe
sc config PhoneSvc start= disabled
C:\Windows\system32\sc.exe
sc config TapiSrv start= disabled
C:\Windows\system32\sc.exe
sc config UevAgentService start= disabled
C:\Windows\system32\sc.exe
sc config WalletService start= disabled
C:\Windows\system32\sc.exe
sc config TokenBroker start= disabled
C:\Windows\system32\sc.exe
sc config WebClient start= disabled
C:\Windows\system32\sc.exe
sc config MixedRealityOpenXRSvc start= disabled
C:\Windows\system32\sc.exe
sc config stisvc start= disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start= disabled
C:\Windows\system32\sc.exe
sc config icssvc start= disabled
C:\Windows\system32\sc.exe
sc config Wecsvc start= disabled
C:\Windows\system32\sc.exe
sc config XboxGipSvc start= disabled
C:\Windows\system32\sc.exe
sc config XblAuthManager start= disabled
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start= disabled
C:\Windows\system32\sc.exe
sc config XblGameSave start= disabled
C:\Windows\system32\sc.exe
sc config SEMgrSvc start= disabled
C:\Windows\system32\sc.exe
sc config iphlpsvc start= disabled
C:\Windows\system32\sc.exe
sc config Backupper Service start= disabled
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start= disabled
C:\Windows\system32\sc.exe
sc config BDESVC start= disabled
C:\Windows\system32\sc.exe
sc config cbdhsvc start= disabled
C:\Windows\system32\sc.exe
sc config CDPSvc start= disabled
C:\Windows\system32\sc.exe
sc config CDPUserSvc start= disabled
C:\Windows\system32\sc.exe
sc config DevQueryBroker start= disabled
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc start= disabled
C:\Windows\system32\sc.exe
sc config dmwappushservice start= disabled
C:\Windows\system32\sc.exe
sc config DispBrokerDesktopSvc start= disabled
C:\Windows\system32\sc.exe
sc config TrkWks start= disabled
C:\Windows\system32\sc.exe
sc config dLauncherLoopback start= disabled
C:\Windows\system32\sc.exe
sc config EFS start= disabled
C:\Windows\system32\sc.exe
sc config fdPHost start= disabled
C:\Windows\system32\sc.exe
sc config FDResPub start= disabled
C:\Windows\system32\sc.exe
sc config IKEEXT start= disabled
C:\Windows\system32\sc.exe
sc config NPSMSvc start= disabled
C:\Windows\system32\sc.exe
sc config WPDBusEnum start= disabled
C:\Windows\system32\sc.exe
sc config PcaSvc start= disabled
C:\Windows\system32\sc.exe
sc config RasMan start= disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=disabled
C:\Windows\system32\sc.exe
sc config SstpSvc start=disabled
C:\Windows\system32\sc.exe
sc config ShellHWDetection start= disabled
C:\Windows\system32\sc.exe
sc config SSDPSRV start= disabled
C:\Windows\system32\sc.exe
sc config SysMain start= disabled
C:\Windows\system32\sc.exe
sc config OneSyncSvc start= disabled
C:\Windows\system32\sc.exe
sc config lmhosts start= disabled
C:\Windows\system32\sc.exe
sc config UserDataSvc start= disabled
C:\Windows\system32\sc.exe
sc config UnistoreSvc start= disabled
C:\Windows\system32\sc.exe
sc config Wcmsvc start= disabled
C:\Windows\system32\sc.exe
sc config FontCache start= disabled
C:\Windows\system32\sc.exe
sc config W32Time start= disabled
C:\Windows\system32\sc.exe
sc config tzautoupdate start= disabled
C:\Windows\system32\sc.exe
sc config DsSvc start= disabled
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config diagsvc start= disabled
C:\Windows\system32\sc.exe
sc config DialogBlockingService start= disabled
C:\Windows\system32\sc.exe
sc config PimIndexMaintenanceSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config MessagingService_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config AppVClient start= disabled
C:\Windows\system32\sc.exe
sc config MsKeyboardFilter start= disabled
C:\Windows\system32\sc.exe
sc config NetTcpPortSharing start= disabled
C:\Windows\system32\sc.exe
sc config ssh-agent start= disabled
C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
C:\Windows\system32\sc.exe
sc config OneSyncSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config wercplsupport start= disabled
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start= disabled
C:\Windows\system32\sc.exe
sc config WerSvc start= disabled
C:\Windows\system32\sc.exe
sc config WpnUserService_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start= disabled
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDInstallLauncher" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "ModifyLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "SoftMakerUpdater" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "StartCN" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "StartDVR" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc stop uhssvc
C:\Windows\system32\sc.exe
sc stop upfc
C:\Windows\system32\sc.exe
sc stop PushToInstall
C:\Windows\system32\sc.exe
sc stop BITS
C:\Windows\system32\sc.exe
sc stop InstallService
C:\Windows\system32\sc.exe
sc stop uhssvc
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop LanmanServer
C:\Windows\system32\sc.exe
sc config BITS start= disabled
C:\Windows\system32\sc.exe
sc config InstallService start= disabled
C:\Windows\system32\sc.exe
sc config uhssvc start= disabled
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\sc.exe
sc config LanmanServer start= disabled
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config RemoteRegistry start= disabled
C:\Windows\system32\sc.exe
sc config RemoteAccess start= disabled
C:\Windows\system32\sc.exe
sc config WinRM start= disabled
C:\Windows\system32\sc.exe
sc config RmSvc start= disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config PrintNotify start= disabled
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config PrintNotify start= disabled
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config NlaSvc start= disabled
C:\Windows\system32\sc.exe
sc config LanmanWorkstation start= disabled
C:\Windows\system32\sc.exe
sc config BFE start= demand
C:\Windows\system32\sc.exe
sc config Dnscache start= demand
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start= demand
C:\Windows\system32\sc.exe
sc config Dhcp start= auto
C:\Windows\system32\sc.exe
sc config DPS start= auto
C:\Windows\system32\sc.exe
sc config lmhosts start= disabled
C:\Windows\system32\sc.exe
sc config nsi start= auto
C:\Windows\system32\sc.exe
sc config Wcmsvc start= disabled
C:\Windows\system32\sc.exe
sc config Winmgmt start= auto
C:\Windows\system32\sc.exe
sc config WlanSvc start= demand
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config ALG start=disabled
C:\Windows\system32\sc.exe
sc config AJRouter start=disabled
C:\Windows\system32\sc.exe
sc config XblAuthManager start=disabled
C:\Windows\system32\sc.exe
sc config XblGameSave start=disabled
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start=disabled
C:\Windows\system32\sc.exe
sc config WSearch start=disabled
C:\Windows\system32\sc.exe
sc config lfsvc start=disabled
C:\Windows\system32\sc.exe
sc config RemoteRegistry start=disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=disabled
C:\Windows\system32\sc.exe
sc config SEMgrSvc start=disabled
C:\Windows\system32\sc.exe
sc config SCardSvr start=disabled
C:\Windows\system32\sc.exe
sc config Netlogon start=disabled
C:\Windows\system32\sc.exe
sc config CscService start=disabled
C:\Windows\system32\sc.exe
sc config icssvc start=disabled
C:\Windows\system32\sc.exe
sc config wisvc start=disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=disabled
C:\Windows\system32\sc.exe
sc config WalletService start=disabled
C:\Windows\system32\sc.exe
sc config Fax start=disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start=disabled
C:\Windows\system32\sc.exe
sc config iphlpsvc start=disabled
C:\Windows\system32\sc.exe
sc config wcncsvc start=disabled
C:\Windows\system32\sc.exe
sc config fhsvc start=disabled
C:\Windows\system32\sc.exe
sc config PhoneSvc start=disabled
C:\Windows\system32\sc.exe
sc config seclogon start=disabled
C:\Windows\system32\sc.exe
sc config FrameServer start=disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start=disabled
C:\Windows\system32\sc.exe
sc config StiSvc start=disabled
C:\Windows\system32\sc.exe
sc config PcaSvc start=disabled
C:\Windows\system32\sc.exe
sc config DPS start=disabled
C:\Windows\system32\sc.exe
sc config MapsBroker start=disabled
C:\Windows\system32\sc.exe
sc config bthserv start=disabled
C:\Windows\system32\sc.exe
sc config BDESVC start=disabled
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start=disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=disabled
C:\Windows\system32\sc.exe
sc config DiagTrack start=disabled
C:\Windows\system32\sc.exe
sc config CertPropSvc start=disabled
C:\Windows\system32\sc.exe
sc config WdiServiceHost start=disabled
C:\Windows\system32\sc.exe
sc config lmhosts start=disabled
C:\Windows\system32\sc.exe
sc config WdiSystemHost start=disabled
C:\Windows\system32\sc.exe
sc config TrkWks start=disabled
C:\Windows\system32\sc.exe
sc config WerSvc start=disabled
C:\Windows\system32\sc.exe
sc config TabletInputService start=disabled
C:\Windows\system32\sc.exe
sc config EntAppSvc start=disabled
C:\Windows\system32\sc.exe
sc config Spooler start=disabled
C:\Windows\system32\sc.exe
sc config BcastDVRUserService start=disabled
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start=disabled
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start=disabled
C:\Windows\system32\sc.exe
sc config DmEnrollmentSvc start=disabled
C:\Windows\system32\sc.exe
sc config PNRPAutoReg start=disabled
C:\Windows\system32\sc.exe
sc config wlidsvc start=disabled
C:\Windows\system32\sc.exe
sc config AXInstSV start=disabled
C:\Windows\system32\sc.exe
sc config lfsvc start=disabled
C:\Windows\system32\sc.exe
sc config NcbService start=disabled
C:\Windows\system32\sc.exe
sc config DeviceAssociationService start=disabled
C:\Windows\system32\sc.exe
sc config StorSvc start=disabled
C:\Windows\system32\sc.exe
sc config TieringEngineService start=disabled
C:\Windows\system32\sc.exe
sc config DPS start=disabled
C:\Windows\system32\sc.exe
sc config Themes start=disabled
C:\Windows\system32\sc.exe
sc config AppReadiness start=disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config HvHost start=disabled
C:\Windows\system32\sc.exe
sc config vmickvpexchange start=disabled
C:\Windows\system32\sc.exe
sc config vmicguestinterface start=disabled
C:\Windows\system32\sc.exe
sc config vmicshutdown start=disabled
C:\Windows\system32\sc.exe
sc config vmicheartbeat start=disabled
C:\Windows\system32\sc.exe
sc config vmicvmsession start=disabled
C:\Windows\system32\sc.exe
sc config vmicrdv start=disabled
C:\Windows\system32\sc.exe
sc config vmictimesync start=disabled
C:\Windows\system32\sc.exe
sc config vmicvss start=disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config edgeupdate start=disabled
C:\Windows\system32\sc.exe
sc config edgeupdatem start=disabled
C:\Windows\system32\sc.exe
sc config GoogleChromeElevationService start=disabled
C:\Windows\system32\sc.exe
sc config gupdate start=disabled
C:\Windows\system32\sc.exe
sc config gupdatem start=disabled
C:\Windows\system32\sc.exe
sc config BraveElevationService start=disabled
C:\Windows\system32\sc.exe
sc config brave start=disabled
C:\Windows\system32\sc.exe
sc config bravem start=disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config NcbService start=disabled
C:\Windows\system32\sc.exe
sc config jhi_service start=disabled
C:\Windows\system32\sc.exe
sc config WMIRegistrationService start=disabled
C:\Windows\system32\sc.exe
sc config "Intel(R) TPM Provisioning Service" start=disabled
C:\Windows\system32\sc.exe
sc config ipfsvc start=disabled
C:\Windows\system32\sc.exe
sc config igccservice start=disabled
C:\Windows\system32\sc.exe
sc config cplspcon start=disabled
C:\Windows\system32\sc.exe
sc config esifsvc start=disabled
C:\Windows\system32\sc.exe
sc config LMS start=disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleaner Update" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleanerCrashReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleaner Update" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleanerCrashReporting" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
C:\Windows\system32\taskkill.exe
taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\taskkill.exe
taskkill.exe /F /IM "OneDrive.exe"
C:\Windows\system32\taskkill.exe
taskkill.exe /F /IM "explorer.exe"
C:\Windows\system32\reg.exe
reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
C:\Windows\system32\reg.exe
reg unload "hku\Default"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn "OneDrive*" /f
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\UsoClient.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\taskkill.exe
taskkill /F /IM WidgetService.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Widgets.exe
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\smartscreen.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" /grant administrators:F
C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\System32\taskhostw.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\taskhostw.exe" /grant administrators:F
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Needed if you''d like to Search things!' -ForegroundColor White -BackgroundColor Red"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption /format:list
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "a4iuzc " /t REG_SZ /d "" /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MinecraftUWP* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Wallet* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneVideo* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsCalculator* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GroupMe10* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSaga* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSodaSaga* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ShazamEntertainmentLtd.Shazam* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Flipboard.Flipboard* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *9E2F88E3.Twitter* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ClearChannelRadioDigital.iHeartRadio* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *D5EA27B7.Duolingo-LearnLanguagesforFree* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshopExpress* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *PandoraMediaInc.29680B314EFC2* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *46928bounde.EclipseManager* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ActiproSoftwareLLC.562882FEEB491* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SpotifyAB.SpotifyMusic* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Advertising.Xaml* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.RemoteDesktop* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.NetworkSpeedTest* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Todos* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Search* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Cortana* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowsterminal* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ScreenSketch* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.PowerAutomateDesktop* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.People* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MSPaint* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Outlook* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsNotepad* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneDrive* | Remove-AppxPackage"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ParentalControls* | Remove-AppxPackage"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3900-4-0x000001D9DEA40000-0x000001D9DEA62000-memory.dmp
memory/3900-7-0x000001D9F6E80000-0x000001D9F6EF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dc5zljub.bmd.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 56efdb5a0f10b5eece165de4f8c9d799 |
| SHA1 | fa5de7ca343b018c3bfeab692545eb544c244e16 |
| SHA256 | 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108 |
| SHA512 | 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 55f48b1daab63040ab9394359ff19523 |
| SHA1 | 86b754ca298697a5b753ace66e848b2f19787e08 |
| SHA256 | 432cc3dc77c03244fbc72983d781910b66f258123657c47dd164d61916ed0e06 |
| SHA512 | 8b06b3a6092f03a0b5e5c2a51a427191372053b441c4438316968b85887ab92130dcefa0f2aa80986530e633771fd51e580142627d2b520c73673f6515c0dfef |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8b882d114f8c40a4a788526ba0be7fe3 |
| SHA1 | da164922ccfd270985c934bb1b4c41ea47778d51 |
| SHA256 | 05580a70b2e1549765b64f5fc0f005118a67fe625693155c8bcd38a55c7efcb6 |
| SHA512 | 98cacb785834946ed20be7fcd344574db2484deba991b582c20c792a92d95f7ef115fe5aeb13329c67aaae54911db096a4ebc7a35d5ad10be2b1baa95895e731 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1d702b1d830d89ff8635657c610eef4d |
| SHA1 | 7b3b6b5502a1db2901d40db6ed7bda88f6d401de |
| SHA256 | e64af2ff9088e39d6850331a1dab7ab84744e035689ec77e0701b902d2d5b4ec |
| SHA512 | 240313c2f5f4f1404a051a47b9cfd58f51285df153758ca0e6547f4e925bbaa30aa6063c6cd9fbcc7ed0d3a9bd16938727b10a543b26e4d58bacb6014b32c3b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2c82f3edbd830345b4cd2d73386899e0 |
| SHA1 | abfdcd69e32d6490a6788471c9b03bd599492a57 |
| SHA256 | 6303e267164a526d2ccf172d7c535ca949a9d6ac9401ef28180e497d67931ab8 |
| SHA512 | 3296164d080c2a080223c77d9e837fef6c46d4ff0791b1ae5ad1359e71841d955cb17eb7c84a399cf185ec6a58cfb50f70ce2a73cfc4c380305c6261045520ef |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a25f53cc3d4bdfa4747a552f1ba530a |
| SHA1 | 4542aa6c560bb9adb537b1187afb4884a35b771a |
| SHA256 | bc6294fb300a7c26b8dbe9d6ee88cd3dbbe31e688b26a020159b4b07472e8910 |
| SHA512 | f6273d3b7bfb8fd6246c2c12deb8ee8f4a48d7950f7698a970a2ec5faa6075b856bba2c0ae906d4d2381834900e13daa7391bf8f7599f1460db23b7455dbea7f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3bc6c0873824187ecdbafb2c1e87d0b4 |
| SHA1 | f7a8729d55cccf6679d49c10477295725128db03 |
| SHA256 | 9095095855ca5cb4534ba8327268aaef6e16888f879abf44d0f6780cf10de714 |
| SHA512 | ad1a26ec4fec1802e9a81f09be47f488fda6f6fa3151f90da44f303adbcb8469e479726f73a7db07dca52e599001dfce8da8aec0a55dbc28130f8d6afff29ebb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | edf7af0ac1dac92d6fef3a6680548569 |
| SHA1 | 2b773f2b2e7cb977a50ebfc58f14de96fc19900c |
| SHA256 | c6787ba45153281e7f522cc9e68fb400163a286cc0578d94040b2286ebf04e03 |
| SHA512 | 3882937884ccaa33ed3b3f8c03f744923b7b07ddeaab361e8d131d315bb752d97a22fbe20cbcfaa8a5918b6c67754e30ebcfddd0ab48870716aae59f95f16b58 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 25938ecfc7027ea212a4d93ef7cadc55 |
| SHA1 | 6885720eee029d3e2beca25fe3c04baab467fb36 |
| SHA256 | 159ae41813ef1cfb35689ef9c47e9ed770849de854eb7c7521009ef45eebbacc |
| SHA512 | f7ef57200aa9ae1bb044bdfca39baf2ac13e1a151804575fbb1238795d9b685c5b468b46be83a550eaf6f12365051be49ea8d15571e2d0d68120bf0aefeeaca5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1c9a933f015f4b068dd96b0ae46237b9 |
| SHA1 | babbf3761b90717fd06af8f127f7251cc3d47691 |
| SHA256 | 0c895898072724e30cc36ceba0ab999ce7d2b1fe26ac5f33a5c5a850b488ca1d |
| SHA512 | d85faa5153c77b29601b6363fad31b32b2866709dfa829190a18061368da95f44b561006bf9e86727c9c7e637ef3fa15286bea3503c8c6a74b7acc943c532d3a |
memory/2652-283-0x0000020821480000-0x0000020821490000-memory.dmp
memory/2652-279-0x0000020821440000-0x0000020821450000-memory.dmp
memory/2652-321-0x0000020821BF0000-0x0000020821BF1000-memory.dmp
memory/3064-460-0x00000170396C0000-0x00000170396E2000-memory.dmp
memory/3064-441-0x00000170396C0000-0x00000170396EA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2777b12fa9c4267ad658939a2c62e027 |
| SHA1 | fa0d10bd7873507951427615b49b9a73db568f96 |
| SHA256 | 05db6c7a3e80f3cc85c85e7686220911e6d80928b1557d61b7e978d290b618e8 |
| SHA512 | 6f67c1fff9df2b014488580398bee4044d320f06f0d87b00026f1196bcaf551c74777debdcfa9309a74b68baa8af8d869189ae3714a5473633693646a671ad30 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8250f24ed5ddcc5201b02e10f1e3b81 |
| SHA1 | 20d2ef4807e1704506c75e715cda30dd2e65d997 |
| SHA256 | 55adb21aa3cc38b09776b2c3f93590abc936af13576f3f03df9bcdecc6ecc4d5 |
| SHA512 | d12e914598430e927c72e98061a7e515bee7fce37def59f9d2c7792aa01f832ba675934e68adb9292d416a8af3ea03e608be2fdbd23b984a9b26830b4cf46206 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9aa604ac87f6b363d0f9731d17d108ad |
| SHA1 | bbd4205ca4b301b92bd389461f1194b80300c400 |
| SHA256 | afc85542765bce5e2fd17c361cb72ea93df41010af824f659cf09f604e39dd5e |
| SHA512 | 95e5cc097192ea8bc4c38cabac4012aa09d285ae877ea369eb6c3912407f0312952971798e9b4d8b70d0cd6a31443840250757b133b5f3a7ee4a9906461c89a4 |
memory/2196-619-0x000001F84FB10000-0x000001F84FB24000-memory.dmp
memory/2196-620-0x000001F84F620000-0x000001F84F62A000-memory.dmp
memory/4392-625-0x000002076E600000-0x000002076E700000-memory.dmp
memory/4392-629-0x000002076E9C0000-0x000002076E9E0000-memory.dmp
memory/4392-649-0x000002076EB40000-0x000002076EB60000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 64c71c0239267cad1ab67ba56aac96f1 |
| SHA1 | 5ffd051c02923eed687e84ce9da90857d2966bd8 |
| SHA256 | 53445447ead6f05aea807ccac84931a26c3bb4d6f2cd91e9b7297c07bc269fa2 |
| SHA512 | 3f9a27e42cc5c15e00110b8428b5d7ac0ed457560bbd3e307dd3015dc06f2e88bfddee06d55e82cc1adb0be02cbc10ac5b7010c5aedbad488200ddb7190930a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 24feb4fc3ee6337099fc290b3976d20a |
| SHA1 | f1ca98954b00ffc6f412957d2e2956ac01a10add |
| SHA256 | 35829c76be7cf70d0c06447e3445b225f593c3a557ef69244c35c8a9f9c32523 |
| SHA512 | 368e5054463c1920e4c5ac403b8830c0f2b76017377e8c9f162605871310faad932c677a691e4344374c9a6387ec69996444616e9b6e98714a7c0116ada5ace3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 233725506b91436f631f5b227e592363 |
| SHA1 | 144764f081175eb3a4022559891d90d8264c8848 |
| SHA256 | 25954a82a2a4ef62d3cf220061bd842a95c33ae36877586080f162475f856f9e |
| SHA512 | e34a6c971aed2231557c1f032aca880e1e03b4f3a41169e23a09861d97b07060d9d34c226c2ba38c1daa1ca07629ff6fb2645af5eaee5ddc2ef4349acd67e5c6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a199d96da664bb3184bdd6a9ff8d1190 |
| SHA1 | cf0d38650bd6fb45138752e47640e045c0ccaa49 |
| SHA256 | 92166266a36eccfcea1332e07c139956dabf973b0702888c575ba553fadf384a |
| SHA512 | f82ab081c83403fd517fc62d27040a8e9131b53910b3f08be1ee879dee24390dcf8461f3de1178975b064ca464cf0e9ca1c6fcfd081f5077a80001bdb48448f8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 600d7a7bbf6ee3dc2da59b10601d8f3c |
| SHA1 | d6705cf95604d98585af50bbff23db075d25bad4 |
| SHA256 | 072194413f675646740d0fa22cebe1df5db7c2966c0b718f57d1c20b2260589c |
| SHA512 | 52ebe4b8987d265dbb647647aaa0a14ee6a72d9f9ef8d5b9d0f631cf338caf1777b7dcf6c757039751923db7875e6f45ec1dc4a6ba4325f50c5af42ad31662ad |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cfd1d040a8fa64af9846b1c4ef7940e8 |
| SHA1 | c9e1a8c4a5740dc3ca321df8df998e41971e028e |
| SHA256 | dcc822fedc8ef4f226fce76845e3317546d75666a6485a1959c39a16f311918f |
| SHA512 | 0c7a90bf83fadd08b9911ce8fe83e09dbde08626e05209ec7d7ad81049fc988229b28a50b9dc36fe97958bfc9380e9d6e6ed76235a83a780426256e730108061 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1d3c9db0f1c0b41190dabf885c1351f7 |
| SHA1 | 37bb6dd35f063060c43c27b5ac40339dd492d821 |
| SHA256 | 037e2b9bc0e8058c1604689e79f1a255ce35901eff137f858c677b6bc2f2a7e4 |
| SHA512 | 8ed00499dde94a0053f0a94bee9228e706765b4e666cefd8072ab067a2131631490bf9bd957876a239e144cfd81ef979f89fc2c87d42e786395a832404b0d4b5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f0ecf765904fa7a543cc83dd530e707f |
| SHA1 | c12da70d9ca016a21628f6c822440e841d51b0c6 |
| SHA256 | 943de4c599c3650c2f9b5c569dcfa7a6c446bae43b14a1a0ca53d04134a2970f |
| SHA512 | 9b2ada3bc0ad4caa19462cd88478226465d4c3bad62113a32bfd52518760be811aa7e0ed15c7de98185e88f07b94e3ce9c6a39a3a8de981e81224b822f9c0c22 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 95d43e6732f75d060144e47e38a5f969 |
| SHA1 | 21ead1ae30a0b0348adb273176561fbba4e2e481 |
| SHA256 | 9155f358d1576a3e4a8819d12a8ed9396743e58d3ffc1a0adaa2e057ca40b7c0 |
| SHA512 | b24b02cec49cb195b3453474a66d890459199d9596b0a84e3995a5577d9f78e4d463f6091e88af4d0735f174f4381086303e571b9a2a29303b8674174edf703d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 36ad8d062031e10e1737782300249634 |
| SHA1 | b246456e279a9919b52d5949222719bff7f4b5a7 |
| SHA256 | 52501deac6be3597ddc2b0e372a9ea91f870dc8c467fcaf0e8a5caa5ec21e83d |
| SHA512 | 6718b6030e5e985b7345dc75d5ed2421b9cf3e7301c7e68fe282d277ed26045a4a78237eee95a61aadcd4222809f59a86a939f40618a058eb5c86bed0211b63d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cd7f72fdf0ccd4b7e233735bfcfb34e5 |
| SHA1 | eaf93d1da40c71671fe662b1d21770f01cd6cfbf |
| SHA256 | 542dcab4160dbb565c1684fd77a102b2dc5a9c62a1773d849e15448b2f8a030c |
| SHA512 | 40802f769bab00f2dfb7937e3a2a23013b8ba1e3aa8f901ce1f492417bede1133a7fa563aafa5235fea215545546ba59bbd0f5a1d208e71d21940963fe0ba3c4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c38b86316002dc2a565a17760fb19efc |
| SHA1 | 1aabfbbd0f8ac268b09822ebeaa65b1402e03bd2 |
| SHA256 | fe65c291284e5caf3f1bbb74a80488e188c121ad7e166008f4cfc1948cfcd8f1 |
| SHA512 | 817493b73d6af558de25e8d59a4b4821e18f9b5c2df1ace199aaa98a5506ad161a29057e32f5d47973d0cd4dc6f0d1bfb7e683336a362ed8064d31467fdb5d0d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a03719f0f1eea144e6abfa7497dd4e83 |
| SHA1 | 18bc7bfb890ca3484048baf1139b8f47dfa2a2e8 |
| SHA256 | 7ac0babe450b79c71e333bb0ecb5b1a74ead4eedfb5f1385dba9d015bfa55e0a |
| SHA512 | 46e4ff06f01a0cf024453081717a0003ea5b50ea372cfebcfe92919e6f12c6883240e81f9d4d21e44a4fb8b2e732a33244c74abcad50c31865a18724f39611d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9bb8301a1449e25f9b8a6dfd52d02d67 |
| SHA1 | 5cd2fe57aa6d4e2ad5ece26d137dbbdafa860654 |
| SHA256 | 3f28d25afc048d72986640d8c8bddfaab10dc63ea3052497a954ad67639a3511 |
| SHA512 | 686109b5ab5ceb65f80e2834a87301cd3657a87345624d1e6cdaac87739f8a3b5a1ee289d7c003e48599fa0cb2126628e8ca65d131685a309c32005b15da6e2c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 21322f1bf1090595302c7a6877e66fc1 |
| SHA1 | 1ef40f62102ab04ba119e6b56678f0961d0e3cb0 |
| SHA256 | a3db9a8afb073d183df871af4c7f84d687b3707234e0f87890fa98b5a6543e08 |
| SHA512 | bd4c83363e78f65b65b6e3006d8bc7019d24c1ebdbeb27d624de4a171f059b3bba97550326049777a4c571bc98725dec04b604461c76e068bd6d241fe3f62c74 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 06dac1c321514bdb40788c26ac3ea0c6 |
| SHA1 | b61b545b5da051ef24d8ffd7f7fa913ba81955bb |
| SHA256 | 05b1eac9ac6a0c60c81a7f82d0d0ef6950daecd9d9a610cfd3d37166758a21e8 |
| SHA512 | 1f49950dfcac02ed89c451328381ba97b1136818f6dcf0c4eced3f5fd7c809db643f3dacb07f70dc97d0c5979d155e17c6328560fa5dc0486694c3abcd1b4681 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3da7ba1375e5ab3927bb81686db3f6c1 |
| SHA1 | bb4549b557f5232d28d685136f405710bf5d5137 |
| SHA256 | d2a87be2e2629b077bab4a82de0bc7713a4311a9755d2f980c46946900c1ef5f |
| SHA512 | 5c6e75bbb43d83968a1b47caaffffefdabe919bb00f1ad7b68b3f5a521ccf5287774fff036b5c3bae6eb388c2874b71a4b402125b09dacf5bd6d9b616a299b56 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da1321e8fc7d305a1c1c05e3560b24d0 |
| SHA1 | e04c755d7c766e6a55a7085db6ba5ffc885ee370 |
| SHA256 | 1fbdbd91b3faa900568dc8916732c45d18d7b0cce38a8cf2249b3d644c0b0883 |
| SHA512 | 74897f29528370ce99bc60ac214f970d3604f3dfdaf24037ac898ad250ca61fa42556f30ca9f4443007607e713ae4e8edd067f8fd119c46a4d9c1b8ff82208d0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ddd9d93241a4e97e30c3b3b6f324f27e |
| SHA1 | 99f1c32563384c522a027378aafa4fc8e3a98d9b |
| SHA256 | abca0702de5b0062ad3380007af1e9f7ed8bbec4f853889c532f8a5fe71603ce |
| SHA512 | b1303d4172dc08048417a64eec0fc5c8bf747a7592e319dfe5ff1db9e85c455390ebc1be4f7c864e3892e1dd5beb10a3f1a850bbea2392ff5093a8293d161299 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e87368702b8f6c378e92946a20aaf45d |
| SHA1 | 06974833d2ea6b5b0455a256a8c47431bb5e2aae |
| SHA256 | 6d3aa90f1b28dd6bb2bb7ca35a0b6c1b1b8818dc5236e91a156f115cb5551940 |
| SHA512 | ffb674bc6e9b33a54f2994f0b9737ebeb31365e9977a6e2803db25ebd4e7ab16c9c2571d298a0842a3bd8b8c4a3bdbae762f7a2e40bb3dcb27eb1c9d43021b9c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2c69df285d883a8b3432b317b61bc01a |
| SHA1 | f7766e534f7298903aa4892c0cb76a114d971a0d |
| SHA256 | 04f87380991ba689f62e127473aaee162789d30e247ee6c11dfaa0253b7fd8ee |
| SHA512 | cdf66038254f7a1572d8cde6effa571f0b79c7a732f877cf48ad2879672e70626249d26114c1af0d5c3a1eccb6f920aa35cd3873329facff97fce43f82578fcd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 79a747b2da39a85524272be07cc918c5 |
| SHA1 | 2022a4cf94e289c6db4fe7f4dae44c4e11a75284 |
| SHA256 | 77759a277ead7f3caa10b6728c11116543dbcb971cf830159dbe3afb34f733b5 |
| SHA512 | 8a71cae1a5483d32d0bf1efef0334607c78dec2a1086acefa480b38be2ddfbd4e6f5c8c8733620323574486958d4837c0225e6203f63523835e0f88353e7a5e4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ee1316b62c24bbb35a5704bb9b024f17 |
| SHA1 | 4918e3859e65a6e76b0d9d599d246efc053e6f23 |
| SHA256 | 8a5fc00c9ecdd2ec692709723d6a7fb81cc1d015c5a9fb0c25adaab22444c64d |
| SHA512 | 13e7c1edc584772061397a26bf563f23866c41abd64504b64f08a3b2f8cb961cfbd9d99ebfa0bb1dd2c77b70dbf7c43242d44682ade1c4d2ae36c64ab402474b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c468a0c259cf4e4a3dfce93478406576 |
| SHA1 | 6772cc61a4f579015cba4ac290547f3bc88ff376 |
| SHA256 | 7f47d2b34cc6d1fab5078541837164ad49fa439768d599ba7483668034609c33 |
| SHA512 | a2418c631394c5b660a852a8ef8bc34d2a2ebdce33d4ec09f4c0076e2cad0668b345a64329c2bda70a46da34c37f8dd9b0db0cc7a52c4d1568a7f4741e4a767e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 263918256bc06c0079e79b9ef3e910e0 |
| SHA1 | 4356a7b3f34a68e75e135c9804c2ca88407313b2 |
| SHA256 | faba44b09020204a81d09109a5514501524e0ebf1e418acb94a6fc8be6cd209c |
| SHA512 | ee2e28c115d8b5a21ef618d11ec4c156e76942e8ee0fe9e7d30f65c2bd60946b4394e8056a86b485fac88686a81abe344fb9bb7d3ca6fe26134beb573ef10ae1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8d21be97b9bf584247606d97b27f061c |
| SHA1 | 99acdd3ee95c8ec1d7cc7a41dd1febafb457027c |
| SHA256 | 24427c9374cf378c775677552866b94390574d0c718e71560066af2916dec8d5 |
| SHA512 | 63711565555df3bd1f6e3f6ef43b8f79504c9835786d468f3678cf689fa047f0a4743683b587b635e60e07fd1ad7e284afaf9a39c65b038731d03ca8a8568e64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81aeb4141f61d4074c9fbbcec1c3d731 |
| SHA1 | 0b27d536f5f973e200dc68cfd73748eee6494af5 |
| SHA256 | 806e8ae6a82a8f9590af9688acac766458e0ef5c83ae8bb86a02fa8497947441 |
| SHA512 | 55cb13a7e69abe8110edb06f68672c1b97243790d563b98e63208be6001d6010f01a915f7293cdeb9b348d676097356019d3b20dd135e4a5836a5c7ecc4c89cf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5d842df56c7bc1272a18c3801827dae7 |
| SHA1 | aa9e97c9f8649f395938bb7e4c269c1306fd1b5d |
| SHA256 | 5b4e3dd705ee275e0840d7cc24f565adeed2ac7cb3b9000d34cde738d99b8630 |
| SHA512 | 9bc09b3115ec539e5b8c9bd43f9fe0747376e010faf63283d90f700181fa21ab8b7ca520dfc054ea78cd9de8bf0964db26dabe714302a86813bf83b34c821ef3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e8be0b764a4b6cc4ffc3e89d22612285 |
| SHA1 | c93fdee0d8da288b3b83a318f2498e2bc8ebd1ea |
| SHA256 | f8651a0013362ca9c85b92d89710b41b82ce4064411811aafe4667f7969c6312 |
| SHA512 | c6629638a379dad4449dd1de50ee18e77487fb140f3849f07bf5e68fe217ffd038dea6079242d4a980ed213ac91ea462efc6986119ea83d89acb6f726941848b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 076d376329a271550db5edf954b07f3b |
| SHA1 | f511512f07e0abbab9a009dbd92c359bf147d926 |
| SHA256 | 3188c8d6297c764e5b320983d386187ad7be4340a016812816241676e17a307b |
| SHA512 | e97d5182fd54b3eb56743aaf0dfc2e7497e5a921430bacf6c8d1f926d93ed28df2294421810c441285ec7071f50065e28bfe9d11e756362a608e5e80ebd1b579 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 626cf3bc2f93b1f5d9d22decb143bfbd |
| SHA1 | 9086f8136acbe8f5d02f7e413129fa3023673ce6 |
| SHA256 | 52dd801900ab9c90b661c363d777aa9303f8c0b35a4a5dae909545db39f0e383 |
| SHA512 | 556012fe45b042e5adec1e4a65f77337478a5abc8652c6b05a28eb23863c085204e319adb21688fd113148d3bf661bf05df5b589a30c0abffcfe2d03a5f44eca |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 480b55cfd0eb7f12adc53365404ad8be |
| SHA1 | 91b7b495d8e1dffa31676a0026f709d5c371bec9 |
| SHA256 | bdbeb0f06c8e521380a0613c15a5a2502c26447da5f02e3e6f3af2b0308693be |
| SHA512 | 6fbda7210857bd379b5bc945ac105d534043780c66ce1b7a5518096574ad64502324fc138c93ecaa8bf4e685ebc0e7b8f45b325a9f4fc74f93fbf04ef855aeda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0cff922be1c2fa3013dab0633dc21aeb |
| SHA1 | 930a2ec0ecba8661b06a2412ffe0ed7c02c3543c |
| SHA256 | b44ac225b9481f7fcb03bd1b8bd55fe70e5e256a9bf9c442e0580f0520f8350c |
| SHA512 | da094c8bf7c7e7431d4a1f349f45922e5a3fbc8d1d1cf0933af04d0a5e794cf90adbdc261c10aa82a4ecacadf47a1807afd66d026ca13379f2aeb6366dab6083 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 09450ba8cfc16ff4cd88229ac7504049 |
| SHA1 | 0bec25eaeaf243f41d6357949031a4af5634eb53 |
| SHA256 | 46ea11d9461b86d4e51529fbce122f14990e5525355f1ea1437c972a62cccff6 |
| SHA512 | f4b2078475ff1c3d4a2f8e00ddf88f9dca1268a14fff855e2f38a3c285bdbc91778eb6a5bc1433cffff2e9e00f5d357c53460edd346bd0380b51bf7b412bb221 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3218b81d1f8198a8e2cf63bed2325e3c |
| SHA1 | 28c4ccc00dcc6ebfff9cd0743b5e94717d95be17 |
| SHA256 | d78016a304a2965877b910b31973f9b6e006084bcb8731c5631707226fea2f1b |
| SHA512 | cdea7550442e19556bbbbe773e4c28afaa5fbafb43f36b1160fdb01ca8da78996f7eb47cf2e7a88db98d915691e1961d323e15f0ee2f9234164112376ff28a97 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 21bc1a911b8df19625d3ff85f2631e22 |
| SHA1 | 7bc45d20438a0766a97695853f19332828f6de2f |
| SHA256 | 0aaa96dd8b9e0ab44e617df658bc15d1898ba0185c57a0c36126dc54f87fe814 |
| SHA512 | 2f12bf6af709f8d720c9586b7009c08a979d4aa7fb207560f6c86e3f46b7f56913c4b5a521d7c1791e32552cbedb1c83d642b17e41a854f47b939f444bf9f108 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4d7f43f238662c36fc0696104b08956f |
| SHA1 | 96f6393f99e1b4b72cb5e08d96a1aa373546a100 |
| SHA256 | 71d30188215e45eccfe88e489360a898eed286739a615c992c1379026dbd1f11 |
| SHA512 | d2656c4e8bf1f9391c2092659b5235a45a149a53f9deb6ae5e120dcaa131ca11a5b659e72f7c66cffac186142d60ca49d4cead354f284688173c28eecf64c5fd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 589e8410d003a7577ecbabc51cd7bf6b |
| SHA1 | 604d878017b9b84455d4893d45e3b12b8e7ecdb4 |
| SHA256 | 5e8ed297ce11063689c922bcc082044019a1b3d9c6480c501f62440dd4525aa6 |
| SHA512 | 0776ccee9d8588ad8a96083177601a1df4f5a00445a459fe1cb63512ec4f951b909894e605b5a7fe0d3370d912d90e1ae02bd314e38a055f94ebec96e2dd65e1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c8d6502e7b11afcfc9576c06e7678e8e |
| SHA1 | 310aec83b80ed1ebbfb78e5af6576bd025c31580 |
| SHA256 | 96b72bfa61a9ba9993f25a84e07cf8267c3bdb5c2114cc5ea95b56a2dc4ced16 |
| SHA512 | 2a4dd1e46fe23f3659e0cbdfc3717fff5646c4181072327db75dff9d1bf0921252a5eaf7c8fc7d856164fdb613d47e239112c4f175ff6cd5b3a1279ddccfda59 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9ee2d3f02333b2a24504489e170459ba |
| SHA1 | fcecda1ddc50a3b1c5219c6a6d73d6b2d1870396 |
| SHA256 | 05ce51cbba9ee84e7d5ff82328d21bbb1eaf1a64448389a58cc7bb2179afc469 |
| SHA512 | 74b0334b038091ead3b7599cfc6cf156baa7c5fa516e5df00f29e3a09f1a111c0fc93c43088a6406745fd950ca20843ec7b7b564a47846589715f9628a4627a0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | acfc2d75351a997b2e4225d9a633bde9 |
| SHA1 | c0d35dfc7747a29e48ee9a099d419539a09105d8 |
| SHA256 | 2be92c7720b3c1fa72174aec76885e3b59cf3f7cb14166dce0e409557246f4a6 |
| SHA512 | a16cf9828720e04cd348acfd51ab95e286678610246aec0f52dd08fd8872868bceae30d0db2480ebf7b00e8bf474910bcb5d96c10c66fa7afdda73b5c04f6c60 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ce16df31196484a5866bd3fbac12c131 |
| SHA1 | a16ffce8bced71afa01f671da856e7a08ffc0111 |
| SHA256 | eda207162557dc31033f7450534ae1b8bf908d15eae444ecbc230944521953b9 |
| SHA512 | 448f8e715f2102fa5c99648bdcc03e421fe1113a6a31d0c0635f0a7df31f553f53e90ea98a3b7c264758c269d2814075818dbe02e3db302275677a1f82b01fbf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 18603d57e590e1ee5e4d10d6955528f3 |
| SHA1 | 5f08426c83ce0f6d7fe8c5b8ed243a964da30706 |
| SHA256 | cbfbf8fac1579b805559132e0feed05510369aaa5c8744b450780fa64c8b23f6 |
| SHA512 | e25f95c2c1eae49a8572ae5e1f993228111a452f0f1d2d2e1e20ac40e828a2ed7ce4ccbba184bb4b7971ef53c76d17d28cc75e8db23c6e05e4095d26310bfa40 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96103a5dfad96256e5cfc1a9be8b2498 |
| SHA1 | f0a78c8346ec1aaec5dbaee37ada4a1df0ec1b85 |
| SHA256 | ea3383ece4153b28a6b9dec83ab30b4b6b0da870645c8b6042e272bde0bc51f8 |
| SHA512 | 9115b5502ff99b236ae512c3d9d1b54e347d4215ce712c94092a6a1430fc9a0b10dfa063d7b06ce3dd85df2a326f9cdc924b445d02ececddb885b858de928e6a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 82dc1dc8a5fdef420fb88ed4a512d305 |
| SHA1 | 90480790af71dc8cd73d917cfef0d83bf2fe3c41 |
| SHA256 | c686ce1771f2e909b7a4b262cb69b49dae790596e5ecc1babe9c3eecb4fb32ce |
| SHA512 | 7fbfe6ae36c467bd46449cd273c823880d303d5e6f43bccb766fe95743d462a88cb970ff32e812ce40bc686251ae814d5b3f8e2ae777df086cc91dac9773e57d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d9c774fc7abacbaac14defb787165dc |
| SHA1 | c57e157a012bf369265bde60e4745ca0b7a1da81 |
| SHA256 | f05466a0586b1317e957a3aa88997dfb231b0268dd1c0acfd550e0f81c699cd1 |
| SHA512 | 8f9b18e9e65efd3afd7c555b2b030ebde70f76d1b59f487750a15aa3e0fc122d52aff66dde3b72a115d14f74301912664a1e79bd5b1883b1dcb286db06895e51 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 155cd15ef8feb9003a4827cb8ec38dbf |
| SHA1 | 413f7331b3af2ea8c1ddea4d88a73c1ab86ab114 |
| SHA256 | 742365a7e932ae599f4d041ed3f6f3588df4340a862242583cb06b3796ec45ee |
| SHA512 | f880fc911116b0f218434b9d33732c2c426dbeb1a28ddb9fbbb18db9b400cfd9331bbb40f9b2c9d44f3c37a7733630b11e83980f2ab552fef07a87abaa40e518 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 03ef8a6ddea2549fca42bfb47ceafc2d |
| SHA1 | 29316da0f17730905b0614ade6b10c477e02bdf5 |
| SHA256 | be77fa3063ad73e141ee3c0531cdd438bf691c58baa7af1ff329a8c9b18e4661 |
| SHA512 | f86c3135ca65601a4d85cc1c9446c0f5709d3ade70c38f09c6e165f2cb2c1b0b5c36bd44c65a1f7dc22364941f9219109685c8102c85d9d586eb0ff5f2b5520c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c2ca63200f596f200e6343c9c639cd8c |
| SHA1 | 56695d7d9f1f30e45106dea4c0f3510e3921630b |
| SHA256 | 12df60a630393e8de63bcdb6aa09930d2e4f9419c4d318d6b14d1c225a05fe80 |
| SHA512 | a723ba8a279fb0cfa43e41eafd965a1b5dd8ff366b4615e233cd6e06ee26bd541b8c1ab12f41bf6deb11c00727406c7d93157b26f7bb7572af5c080633e19172 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 88ad0c478f4ea0067c2f0de22b8a83c0 |
| SHA1 | d83027fd45e650b158c1ff43f11ab9f8bc1db8b0 |
| SHA256 | 3395de947a300bd5e949560003e7428b6e11da3a59a55f0d72eb586d55d80899 |
| SHA512 | 739aa3f49444742f1fadaee05ce660f5c296c63addde3044f46853e8f19f5457332c03c70c1719511fbd6ebba67752da977830bf995c2e8538515afab6838ee9 |
memory/2652-8611-0x0000020826120000-0x0000020826121000-memory.dmp
memory/2652-8612-0x0000020820DD0000-0x0000020820DD1000-memory.dmp
memory/2652-8614-0x0000020821BF0000-0x0000020821BF1000-memory.dmp
memory/2652-8617-0x0000020820DD0000-0x0000020820DD1000-memory.dmp
memory/2652-8620-0x0000020821B40000-0x0000020821B41000-memory.dmp