Malware Analysis Report

2024-11-16 12:53

Sample ID 240811-bgrzcaxfkp
Target https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&
Tags
defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1& was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Possible privilege escalation attempt

Event Triggered Execution: Image File Execution Options Injection

Disables taskbar notifications via registry modification

Modifies file permissions

Checks computer location settings

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Command and Scripting Interpreter: PowerShell

Hijack Execution Flow: Executable Installer File Permissions Weakness

Power Settings

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Checks whether UAC is enabled

Drops desktop.ini file(s)

Indicator Removal: File Deletion

Sets desktop wallpaper using registry

Hide Artifacts: Ignore Process Interrupts

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

NTFS ADS

Modifies registry class

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Modifies data under HKEY_USERS

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-08-11 01:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 01:07

Reported

2024-08-11 01:12

Platform

win10v2004-20240802-en

Max time kernel

295s

Max time network

277s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Users\Admin\Downloads\zion.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Downloads\zion.exe N/A

Disables taskbar notifications via registry modification

evasion

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\MitigationOptions = 22222222222222222222222222222222 C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\MitigationOptions = 22222222222222222222222222222222 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\MitigationOptions = 22222222222222222222222222222222 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\MitigationOptions = 22222222222222222222222222222222 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\MitigationOptions = 22222222222222222222222222222222 C:\Windows\SysWOW64\reg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\MitigationOptions = 22222222222222222222222222222222 C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe C:\Windows\SysWOW64\reg.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\zion.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Downloads\zion.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Windows\SysWOW64\OneDriveSetup.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\Downloads\zion.exe N/A

Indicator Removal: File Deletion

defense_evasion

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "0" C:\Users\Admin\Downloads\zion.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\MI92C9~1.0_X\Assets\NOTIFI~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI10D6~1.0_X\APPXSI~1.P7X C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI11B4~1.0_X\models\en-GB.PhoneNumber.ot C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\Images\SUGGES~1\PUSHPI~2.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\CONTRA~2\LOGOSC~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\AppList.targetsize-48_altform-unplated_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI6712~1.SCA\APPXSI~1.P7X C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI6F49~1.0_X\Assets\Logos\SQUARE~3\PAINTA~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\SC7949~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID540~1.SCA\Assets\CONTRA~1\MIXEDR~2.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI6F49~1.0_X\MSASIG~1.WIN C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI67C7~1.0_X\Assets\SC3856~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-white_targetsize-30.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONE746~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0A11~1.0_X\images\OneNoteNotebookMedTile.scale-400.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI6132~1.0_X\Assets\CONTRA~2\BADGEL~4.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DELETE~1\MI3AA8~1.SCA\APPXMA~1.XML C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI33D2~1.0_X\skypert.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI11B4~1.0_X\images\HX182E~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\SECOND~1\Car\RTL\CONTRA~1\LARGET~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIAA44~1.0_X\Assets\AppTiles\STFCCA~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\184.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID483~1.0_X\APPXSI~1.P7X C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI05FA~1.0_X\Assets\ST4E69~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONDCEB~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\DIRECT~1\Home\RTL\CONTRA~1\WIDETI~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\16.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~4.0_X\Assets\CONTRA~1\AP04D0~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\LargeTile.scale-400_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\SplashScreen.scale-200_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI33D2~1.0_X\REACTA~1\assets\RNApp\app\uwp\images\MS-LOG~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0A7F~1.0_X\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HxA-Advanced-Dark.scale-400.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GAEE59~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DELETE~1\MI3AA8~1.SCA\Assets\CONTRA~2\WIDELO~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID53B~1.0_X\APPXMA~1.XML C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI8AAC~1.0_X\SYSTEM~3.DLL C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI6132~1.0_X\Assets\CONTRA~1\BA0B9B~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MID54F~1.0_X\CircularProgressBar.xbf C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI4E99~1.0_X\Assets\WINDOW~1\WI8530~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI11B4~1.0_X\en-gb\LOCIMA~1\offsymb.ttf C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIAA44~1.0_X\RESOUR~1\RETAIL~1\data\en-us\1.jpg C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI6F49~1.0_X\Assets\Images\Stickers\THUMBN~1\STF9B2~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB28C~1.0_X\Assets\CONTRA~2\WideTile.scale-200_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\RUNNIN~2.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VOF249~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0A11~1.0_X\MSPTLS~1.DLL C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-black_targetsize-36.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\AppTiles\CONTRA~2\MAPSST~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\CONTRA~1\WEATHE~4.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEA2E~1.0_X\APPXMA~1.XML C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VO5682~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GAA992~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DELETE~1\MIA289~1.SCA\Assets\InsiderHubLargeTile.scale-125.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI33D2~1.0_X\Assets\Audio\SKAFE7~1.M4A C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI33D2~1.0_X\Assets\Images\SK344A~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.targetsize-60.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\GE5DAD~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\DELETE~1\MI20B0~1.SCA\APPXBL~1.XML C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONA00C~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI46F3~1.0_X\Assets\CONTRA~2\PE1BB7~1.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MI11B4~1.0_X\images\FETCHI~3.PNG C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VoiceRecorderAppList.contrast-white_targetsize-96.png C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\MainPage.xaml C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\formatWorker.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\slick.grid.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.SEC\pris\resources.el-GR.pri C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\tree_icons.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\frontend\host\api\data\i_alertinfo.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\Assets\Square44x44Logo.scale-200.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\resources.uk-UA.pri C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-200_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars39.contrast-black_scale-200.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\17.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\Fonts\ECMDL2.ttf C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\pris\resources.es-ES.pri C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\i_error.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\uk-UA\assets\ERRORP~1\DisableAboutFlag.htm C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.targetsize-32.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Toolkit.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\frontend\host\api\data\helpErrorBox.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_frame_grouping.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\stringResources.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\StoreLogo.scale-150.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\it-IT\assets\ERRORP~1\pdferrorneedcontentlocally.html C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\ProvisionedApplicationsWhite.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\media\HelloFaceAnimation.gif C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentDiscoveryError.html C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square71x71Logo.contrast-white_scale-100.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\ecsystem.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\TabControl\sharedTabControl.css C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\fr-FR\assets\ERRORP~1\pdferrorquitapplicationguard.html C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\templateStyle.css C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobekeyboard-vm.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPStoreLogo.scale-400_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.SEC\Assets\SplashScreen.scale-200.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartselection_clear_disabled.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\ja-JP\assets\ERRORP~1\pdferrorofflineaccessdenied.html C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\hololensDiagnostics\views\hololensDiagnostics.html C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\js\unifiedEnrollmentFinishedPage.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppxBlockMap.xml C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-32_altform-unplated_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-white_scale-400.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\es-ES\assets\ERRORP~1\ErrorPageStyles.css C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\ja-JP\assets\ERRORP~1\http_400.htm C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\LockScreenLogo.scale-200.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-frame-template.html C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\lib\knockout-winjs-wrapper.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeeula-data.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\Assets\1X1.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\080a\tokens_esMX.xml C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeprovisioningentry-data.js C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-24_contrast-black.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-40_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-64_altform-unplated_contrast-white.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.targetsize-48.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Assets\StoreLogo.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\fr-FR\assets\ERRORP~1\http_404.htm C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\PPIRemovableStorageDevicesSquareTile44x44.scale-400.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\pris\resources.fr-FR.pri C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SCREEN~1\SCREEN~1\Assets\Square44x44Logo.targetsize-24_altform-unplated.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SCREEN~1\SCREEN~1\Assets\StoreLogo.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\memoryAnalyzer.f12.css C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\clearCookies.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartselection_clear.png C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Windows\SystemApps\MICROS~1.MIC\es-ES\assets\ERRORP~1\invalidcert.htm C:\Windows\SysWOW64\cmd.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\powercfg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1000" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseThreshold1 = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\ContactVisualization = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\GestureVisualization = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\HungAppTimeout = "1000" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WaitToKillAppTimeout = "1000" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Sound\Beep = "No" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Sound\ExtendedSounds = "No" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MaxAnimate = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\ForegroundLockTimeout = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\MenuShowDelay = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SlateLaunch\LaunchAT = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\DynamicScrollbars = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\FontSmoothing = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseSpeed = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseThreshold2 = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SlateLaunch\ATapp C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseSensitivity = "10" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\AutoEndTasks = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\Flags = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\DragFullWindows = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\UserPreferencesMask = 9012038010000000 C:\Users\Admin\Downloads\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseHoverTime = "0" C:\Users\Admin\Downloads\zion.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678123241711731" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{A7126D4C-F492-4EB9-8A2A-F673DBDD3334}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{FAC14B75-7862-4CEB-BE41-F53945A61C17}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\FileSyncClient.AutoPlayHandler\shell C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\FileSyncClient.FileSyncClient C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\SYNCENGINESTORAGEPROVIDERHANDLERPROXY.SYNCENGINESTORAGEPROVIDERHANDLERPROXY\CURVER C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\WIN32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\PROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 4f12242f895bd461c879f1e773d97c8ee816e4b5a37737ac6216dd9bb9e3a2bb C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR C:\Windows\SysWOW64\OneDriveSetup.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 226754.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\zion.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A
N/A N/A C:\Users\Admin\Downloads\zion.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 4548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 4548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 2832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 1924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 1924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4100 wrote to memory of 3740 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\Downloads\zion.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\Downloads\zion.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLanguageFeaturesUninstall = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard = "1" C:\Users\Admin\Downloads\zion.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "1" C:\Users\Admin\Downloads\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0" C:\Users\Admin\Downloads\zion.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc8c046f8,0x7ffdc8c04708,0x7ffdc8c04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6200 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\zion.exe

"C:\Users\Admin\Downloads\zion.exe"

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" /restoredefaultschemes

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -duplicatescheme 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 00000000-0000-0000-0000-000000000000

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-000000000000

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -changename 00000000-0000-0000-0000-000000000000 "ZION Tweaking"

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -hibernate off

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 54533251-82be-4824-96c1-47b60b740d00 921becee-fb48-4e16-8c5c-9b8997d07bce 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 0cc5b647-c1df-4637-891a-dec35c318583 12bbebe6-58d6-4636-95bb-3217ef867c1a 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 5d76a2ca-e8c0-402f-a133-2158492d58ad 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 75b0ae3f-bce9-490a-80b1-aef3b9f7b8fe 5d76a2ca-e8c0-402f-a133-2158492d58ad 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 5ca83367-6e45-459f-a27b-476b1d01c936 8ba3d6a4-fe92-4783-84ef-5650e77f1ef6 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-000000000000

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 0

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setactive scheme_current

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C devmanview /disable "Remote Desktop Device Redirector Bus"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disable8dot3 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior query memoryusage

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set memoryusage 2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set mftzone 4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disabledeletenotify 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set encryptpagingfile 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Themes" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\AcpiDev" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CAD" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CldFlt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\FileCrypt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\PptpMiniport" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RapiMgr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasAgileVpn" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Rasl2tp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasSstp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wanarp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\wanarpv6" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wdnsfltr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WcesComm" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcifs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcnfs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRT" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRTProxy" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HidUsb\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbccgp\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbehci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbhub\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbohci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbuhci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\disk\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAVC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Ntfs\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v "MagnetismUpdateIntervalInMilliseconds" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorUpdateInterval" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v ContentEvaluation /t REG_DWORD /d "0" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\TimeOut" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneShowAllFolders" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "186" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d "2" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\AppEvents\Schemes" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DelayedDesktopSwitchTimeout" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_LargeMFUIcons" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "2" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Peernet" /v "Disabled" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseActionCenterExperience" /t REG_DWORD /d "0" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "0" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d "0" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /deletevalue useplatformclock

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set useplatformtick yes

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set disabledynamictick yes

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set tscsyncpolicy Enhanced

C:\Windows\system32\bcdedit.exe

bcdedit.exe /deletevalue useplatformclock

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootdebug No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set useplatformtick yes

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set disabledynamictick yes

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootlog No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set tscsyncpolicy Enhanced

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootux disabled

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set bootdebug No

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set debug No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set bootlog No

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set disableelamdrivers Yes

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set bootux disabled

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set debug No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set disableelamdrivers Yes

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set integrityservices disable

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set quietboot yes

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set tpmbootentropy ForceDisable

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /timeout 3

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set hypervisorlaunchtype off

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000067 true

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set integrityservices disable

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set quietboot yes

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000069 true

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000068 true

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set tpmbootentropy ForceDisable

C:\Windows\system32\bcdedit.exe

bcdedit.exe /timeout 3

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {globalsettings} custom:16000067 true

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {globalsettings} custom:16000069 true

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {globalsettings} custom:16000068 true

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disable8dot3 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior query memoryusage

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set memoryusage 2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set mftzone 4

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disablelastaccess 1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set disabledeletenotify 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&1

C:\Windows\SysWOW64\fsutil.exe

fsutil behavior set encryptpagingfile 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set hypervisorlaunchtype off

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C FOR /F %%a in ('WMIC PATH Win32_USBHub GET DeviceID^| FINDSTR /L "VID_"') DO ( REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "EnhancedPowerManagementEnabled" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "AllowIdleIrpInD3" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D1Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D2Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D3Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "DeviceSelectiveSuspended" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "SelectiveSuspendEnabled" /T REG_DWORD /d 0 >NUL 2>&1 ECHO Disabling USB idling for %%a )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C FOR /F "tokens=*" %%a in ('REG QUERY "HKLM\SYSTEM\CurrentControlSet\Enum" /S /F "StorPort"^| FINDSTR /E "StorPort"') DO ( REG ADD "%%a" /F /V "EnableIdlePowerManagement" /T REG_DWORD /d 0 >NUL 2>&1 FOR /F "tokens=*" %%z IN ("%%a") DO ( SET STR=%%z SET STR=!STR:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\=! SET STR=!STR:\Device Parameters\StorPort=! ECHO Disabling StorPort Idling for !STR! ) )

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set hypervisorlaunchtype off

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubDelay" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubInterval" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "18" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubThreshold" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubType" /t REG_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValue" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMaximum" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMinimum" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueStep" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefault" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCurrent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuePrevious" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNext" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueLast" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueFirst" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueIndex" /t REG_DWORD /d "42" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueName" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDescription" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueVisible" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueHidden" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadOnly" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadnv11" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuenv11Only" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueExecute" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNoExecute" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueSystem" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueUser" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCustom" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAuto" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueManual" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAutomatic" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabledByDefault" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabledByDefault" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f >nul 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f >nul 2>&1

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit -set disabledynamictick yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit -set useplatformtick yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 437 > nul

C:\Windows\SysWOW64\chcp.com

chcp 437

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f > nul 2>&1

C:\Windows\SysWOW64\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f

C:\Windows\system32\cmd.exe

"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootux disabled

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set bootux disabled

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\reg.exe

reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f

C:\Windows\SysWOW64\powercfg.exe

"C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor THROTTLING 0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineCore" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineUA" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SystemApps" /A & ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows\SystemApps" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\ProgramData\Packages" /A & ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\ProgramData\Packages" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A & ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files\WindowsApps" /A & ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Program Files\WindowsApps" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A & ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A & ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows" /A & ICACLS "C:\Windows" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\System32" /A & ICACLS "C:\Windows\System32" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows\System32" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows\System32" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SysWOW64" /A & ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows\SysWOW64" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)

C:\Windows\SysWOW64\OneDriveSetup.exe

"C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall

C:\Windows\SysWOW64\OneDriveSetup.exe

"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-355097885-2402257403-2971294179-1000

C:\Windows\SysWOW64\OneDriveSetup.exe

C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\helpPane.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\backgroundtaskhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\EaseOfAccessDialog.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\RuntimeBroker.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSClient.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSCollect.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamebarpresencewriter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamepanel.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\magnify.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mblctr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\sdiagnhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mobsync.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\msdt.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\narrator.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\osk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\smartscreen.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\backgroundtaskhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\EaseOfAccessDialog.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\WSClient.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamebarpresencewriter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamepanel.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\magnify.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\mobsync.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerCPLApp.cpl"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerApp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Windows\SystemApps"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\Packages"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Packages"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files\WindowsApps"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files (x86)\Microsoft"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdb8f3cc40,0x7ffdb8f3cc4c,0x7ffdb8f3cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3184,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4892,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3444,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 92.129.74.13.in-addr.arpa udp
US 8.8.8.8:53 23.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 202.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
NL 142.250.179.138:443 content-autofill.googleapis.com tcp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp
NL 142.250.179.196:443 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
NL 172.217.23.206:443 clients2.google.com udp
NL 172.217.23.206:443 clients2.google.com tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 2dc1a9f2f3f8c3cfe51bb29b078166c5
SHA1 eaf3c3dad3c8dc6f18dc3e055b415da78b704402
SHA256 dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa
SHA512 682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

\??\pipe\LOCAL\crashpad_4100_OLNZWMLWKJMZDAVI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e4f80e7950cbd3bb11257d2000cb885e
SHA1 10ac643904d539042d8f7aa4a312b13ec2106035
SHA256 1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124
SHA512 2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1e15022d1d06a12b0fafde02d5c787d6
SHA1 15200f906c58db38ed741358739ae2b654402b7e
SHA256 dffc6ce56304f8316c567df21633e0fffab793bf24a7dc18c96aab9735729ab9
SHA512 dd9de37bd61946a1c073fb429db66791643091aad71f43e94a7ccee48282334171c4f7d44bd32bdc2529acbcac64e6f2ea9f0367eea182d022e5dd115c067bf9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\Unconfirmed 226754.crdownload

MD5 bb9e693d2df3edaeceb9d8b6cb2fa1df
SHA1 0a66c6bca9c11cd5375e7c54897ffc36baab5c27
SHA256 201f5728c8000bfa84fea795c6acbba4d216bb2d75d8e239b10f19efc50b8b90
SHA512 a7ab242494e1ccb857656870cc2c44911f2f679b14ad3cccbae4d402f0253c0472ffd9b9c2172aa87d8368c6257563042ca9142002e5bc42d8b58e74f7feba79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d55181b7c7c539560b9a1b8b87adc826
SHA1 0ab4cf98e47358edae29a5509216788dc4fec57f
SHA256 f2990afbd70fa9bc4dfefd7aac4fcaba741af2f6908bc9d66ec4fcf60da3dffb
SHA512 cafd031600c13008bdcba81544d3306a89e146ef21f9f3a3f421ffdfc26bc0b4238d582b376eb866ceea8cee4d29c283e43108762818e3e8e3e4015c83952e8d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f226d92fc60f98adb91a6bf2ae1be724
SHA1 ebd6bdaa5d3038303acf6b10694b92de86677e08
SHA256 846c476077e3b9b0796d5490911fedd70bd3beba69e8f256baef0c7776365fd2
SHA512 42b720adb14f23769d6f2b7388b1ba92e4e20d4840f38bcf62dbb2bc006d9e41b3432773d5ebec0f85d1c44aa3e352541486c58fa7cae836a1fc01763b98b688

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ac4166d98049ef8f6e8b51f3e2c398f4
SHA1 64999676c42345df96befbbda90d2459c9e22c3d
SHA256 b52e358181d9d356fe5f3e5c8c8c463ca4d51f5384257b191ca9becf63b93fba
SHA512 da3d2f022302874a76943b2c68311191189a2396c82d0d0c369c23cf9f61141d1dc695f486e3e3aed3d84a62de76c29db43054a6717a87b4d4eb383f93d16165

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e5b0f23ce52916e8f63e922ab2de5655
SHA1 c64a701a662a4f6012f36b2f549eeba6859d9779
SHA256 aa540faaf238097c0445e8544b89dacca3c964e2fac561e2f6878a5d30aef52b
SHA512 24b7cebc47260cfab718856dee46c1d498de93b5059153e2852afa5f91e0a3b722e8f3e2dcce7020b3b051e7c07027905fb9fcefc06e52eca75465d7b0c72759

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 094ab275342c45551894b7940ae9ad0d
SHA1 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256 ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA512 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

memory/2528-169-0x00000000005D0000-0x0000000000996000-memory.dmp

memory/2528-170-0x0000000005990000-0x0000000005F34000-memory.dmp

memory/2528-171-0x00000000053E0000-0x0000000005472000-memory.dmp

memory/2528-172-0x0000000005580000-0x0000000005986000-memory.dmp

memory/2528-173-0x0000000006080000-0x000000000608A000-memory.dmp

memory/2036-175-0x0000000002F10000-0x0000000002F46000-memory.dmp

memory/2036-176-0x0000000005A60000-0x0000000006088000-memory.dmp

memory/2036-177-0x0000000006090000-0x00000000060B2000-memory.dmp

memory/2036-178-0x0000000006130000-0x0000000006196000-memory.dmp

memory/2036-179-0x00000000061A0000-0x0000000006206000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sf5hmidi.51z.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2036-189-0x0000000006210000-0x0000000006564000-memory.dmp

memory/2036-190-0x0000000006810000-0x000000000682E000-memory.dmp

memory/2036-191-0x00000000068B0000-0x00000000068FC000-memory.dmp

memory/2036-192-0x0000000006DF0000-0x0000000006E22000-memory.dmp

memory/2036-193-0x000000006E2D0000-0x000000006E31C000-memory.dmp

memory/2036-203-0x0000000006E30000-0x0000000006E4E000-memory.dmp

memory/2036-204-0x0000000007AE0000-0x0000000007B83000-memory.dmp

memory/2036-205-0x0000000008210000-0x000000000888A000-memory.dmp

memory/2036-206-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

memory/2036-207-0x0000000007BD0000-0x0000000007BDA000-memory.dmp

memory/2036-208-0x0000000007E00000-0x0000000007E96000-memory.dmp

memory/2036-209-0x0000000007D60000-0x0000000007D71000-memory.dmp

memory/2036-210-0x0000000007D90000-0x0000000007D9E000-memory.dmp

memory/2036-211-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

memory/2036-212-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

memory/2036-213-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6BFA.tmp

MD5 bd2866356868563bd9d92d902cf9cc5a
SHA1 c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b
SHA256 6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb
SHA512 5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

C:\Users\Admin\AppData\Local\Temp\aria-debug-1324.log

MD5 4b353efe9bf453b993c829f3fc714ad1
SHA1 a8d5882a2a6b527618d03c98b9b2dc0319654a84
SHA256 a160bdbf8f222c0e79ccd1c9e50d51958d1fc2b3303a83fb98408a0d62cc0af3
SHA512 c179ad62c388bdc05cbcef0844dd4e131f96fc6917be82faa158e98ac00134e0dcd12db5d3d1887271ab7ac9efb113d1252b30ef6b9bedc04307143dabc74649

C:\Users\Admin\AppData\Local\Temp\aria-debug-4620.log

MD5 3153425e84a73631edb55eac678a4632
SHA1 f7bbc0ce16a15de478311d0cdc8b3e9ab502c30d
SHA256 5e6e7bf63cc0e9c157e5fcb7b09039c9836a9a27e8371933073ff88ec4b74af9
SHA512 f218c14a539df7882bd6367a8857690aab64dd05935468c94e076ba1a4858424897f6cf5b1f5ef48b72bf2ebf0ed21a7e2c515d89e6321c37c5a937699ae2945

memory/1412-321-0x0000019A1CD40000-0x0000019A1CD50000-memory.dmp

memory/1412-305-0x0000019A1CC40000-0x0000019A1CC50000-memory.dmp

memory/1412-337-0x0000019A25300000-0x0000019A25301000-memory.dmp

memory/1412-339-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-338-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-340-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-341-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-342-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-343-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-344-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-345-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-346-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-347-0x0000019A25320000-0x0000019A25321000-memory.dmp

memory/1412-349-0x0000019A24F40000-0x0000019A24F41000-memory.dmp

memory/1412-348-0x0000019A24F50000-0x0000019A24F51000-memory.dmp

memory/1412-351-0x0000019A24F50000-0x0000019A24F51000-memory.dmp

memory/1412-354-0x0000019A24F40000-0x0000019A24F41000-memory.dmp

memory/1412-357-0x0000019A24E80000-0x0000019A24E81000-memory.dmp

memory/1412-369-0x0000019A25080000-0x0000019A25081000-memory.dmp

memory/1412-371-0x0000019A25090000-0x0000019A25091000-memory.dmp

memory/1412-372-0x0000019A25090000-0x0000019A25091000-memory.dmp

memory/1412-373-0x0000019A251A0000-0x0000019A251A1000-memory.dmp

memory/1644-405-0x000001B11A8D0000-0x000001B11A8F0000-memory.dmp

memory/1644-394-0x000001B11A540000-0x000001B11A560000-memory.dmp

memory/1644-380-0x000001B11A580000-0x000001B11A5A0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9065INFT\microsoft.windows[1].xml

MD5 e1f6b310d13fcb74f3b4982ff2a11077
SHA1 5e80095344e54e0652d4e177cc2470470418fe41
SHA256 e5812e54c1a51e8854d4d1eaabbd6f85deb35910ee7384cf9a7f8fb58c9e22a5
SHA512 7349af7925aa6097104232547462ceca5477f58b48415722436ba893c46e2408ba60025bc1b4d8e8df343eea397af90f51792764ec358f5456d07ae0fdb388f6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 6a8502bb0e684f92fa1e52536126aed6
SHA1 129dfb22479cbc8d305850129c06fcbde2d0351a
SHA256 4536ff05b9f766931564b728df2bf254960acbfbbb0deafefc3f5bb0e9851c89
SHA512 060de951ce5c48e24ef3d1890446d16a3d08e996418d853b493ba368cbeb3b942e4272b58447de0e80e11bef54ed5d4923451f8ce45bf97fe1a194f02a1dd652

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133678122743717526.txt

MD5 21acaf3ebdd2e8687e75d3d7fc309258
SHA1 2b79316434474d706d9590808da4aafee1d52a8e
SHA256 7c715874aa99fe6d892ed6e1be7c619bc0ffcf41149d6b7771c4c38ee33ec151
SHA512 961650be356cb9b178cf428116305a94726f699a017a3f7a4982ad4864c35ae2b54286afae2689b1db1785c3b2e8114be6accb413f70c004a06eafa5732e67af

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}

MD5 8aaad0f4eb7d3c65f81c6e6b496ba889
SHA1 231237a501b9433c292991e4ec200b25c1589050
SHA256 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA512 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

MD5 e53c26627a0d4a84fcb279b7e6aa54c5
SHA1 6ea43fdc996f9660692d94dcaa26524fe6930211
SHA256 7b23e3e7dbb8e48bb87c030e4cf8eb7a277e736327c3d0dbc70b9cf3abe407d3
SHA512 7740720d5bdf56631cfce5b9549f62b326605cb8156b5035ef5b027380d7daae42b4b5e08679b60860d528aeb5d8c8f373722a0284b9136e169f3198c49a2a13

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer

MD5 ab0262f72142aab53d5402e6d0cb5d24
SHA1 eaf95bb31ae1d4c0010f50e789bdc8b8e3116116
SHA256 20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb
SHA512 bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 b24f93b4c217de8efaad9029c2dca642
SHA1 08a461cc2e5e1ea7aebddd1cd1f322567b614805
SHA256 92803b341dc74b12cc163da46aa0cdf7f5bc67e4c8dd0d875a4bd96a7bae4938
SHA512 77a35aab6c76469123943bca072a31ee4d938867496ec56d0f497fc04848e2837129a34477e4060b84ea6ad7b0a75e0c37c0ee0ec984d7a7d2e336d44cd8f894

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\appssynonyms.txt

MD5 06a69ad411292eca66697dc17898e653
SHA1 fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d
SHA256 2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1
SHA512 ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\appsglobals.txt

MD5 931b27b3ec2c5e9f29439fba87ec0dc9
SHA1 dd5e78f004c55bbebcd1d66786efc5ca4575c9b4
SHA256 541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e
SHA512 4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\apps.schema

MD5 1659677c45c49a78f33551da43494005
SHA1 ae588ef3c9ea7839be032ab4323e04bc260d9387
SHA256 5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb
SHA512 740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\appsconversions.txt

MD5 2bef0e21ceb249ffb5f123c1e5bd0292
SHA1 86877a464a0739114e45242b9d427e368ebcc02c
SHA256 8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307
SHA512 f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\0.0.filtertrie.intermediate.txt

MD5 c9021b3c23272d788052eadac7fe9cd7
SHA1 4ccfb37013187100404ceb433525222b062bb485
SHA256 b442fced42e8f2a3fec8a08e1f8cecdd8329818eae89dccde8b858abcf9b304e
SHA512 84c53a3619811c4501a7160da75de1774beb14c58e670590e351699a2a3b0418128ebfc1b99e70eefd8c8dcf5f157ddf36d3299639bed402ac902e377ecb6ce2

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\0.1.filtertrie.intermediate.txt

MD5 34bd1dfb9f72cf4f86e6df6da0a9e49a
SHA1 5f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA256 8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512 e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\0.2.filtertrie.intermediate.txt

MD5 c204e9faaf8565ad333828beff2d786e
SHA1 7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256 d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512 e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\Apps.ft

MD5 ea2609d9a35b96b5eaeae9b42353e0ef
SHA1 510488d645ed13eff8ca4244dc241693d1dee5df
SHA256 a2c21852b0e1f2e49c008acd772e1184ce6ab4ac462fd8ae2e3fb88b5e8e5147
SHA512 32412639e9b2fe3b4443b96a84cb6227af7691034defff2d9731f67e37e2e6a622de2df594be4ad0527d7686458cfe4d5de92b85d54ce693f88813994dabfb79

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\Apps.index

MD5 9c2233f8388e4fcbabf8e101f3a86a45
SHA1 3b39a1afa8f7d1e651821e8b37d985b4337300e7
SHA256 18c1dc63dfa3404cd3cd734ec8edc065217c762a314ff67436986142ff798774
SHA512 45ff85a89e1d1af476d21ab8fa7c7712bb68051b7d2a2e856f7f8c3edcbc788546e2301ca49ac80a1546f2ea5bd95624673fc6c6e7b3121ed527967d3f3cc819

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\apps.csg

MD5 5475132f1c603298967f332dc9ffb864
SHA1 4749174f29f34c7d75979c25f31d79774a49ea46
SHA256 0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd
SHA512 54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

MD5 48d2860dd3168b6f06a4f27c6791bcaa
SHA1 f5f803efed91cd45a36c3d6acdffaaf0e863bf8c
SHA256 04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77
SHA512 172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 701173a926a5b78f7b65bd0a07497bdf
SHA1 7c6fa2e1889153947e4beb81096c12ce1fe3981d
SHA256 7eaf7acec8f28622b1d401539697df4cb2d3a35585d5efa978c9c661ab0970c6
SHA512 ecc39c6ed0e3c43927c4abadc35f805f8bc915092abb5d24e0c8b130234d3485e78a1554c6c393a7ba6161dc9309cf8e068d3182203f312b0fb4201864fa2943

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1c4e7165a78c8b3943df98e1684697e5
SHA1 1e2b6296026d4ea3cba34d73315d449423eb600f
SHA256 370ff3a0bec253dd7c1076d4004074e0b14f7af1276b11ff00eed2b487a4eb20
SHA512 e51284ac5dc36be273bed1c2a13f4ba25d383f5358639cd3e68ec5bdd61a97b66dc47318cc74d138d708c9688ad15f161a61755c82ff6d13a62e712c3fb2ba5e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 2aa0a6ead705fe22b606a51ba83175e6
SHA1 1fc32239d939dfe4edc90fddf23cc41db3b6a4f9
SHA256 10c337a02e4bb3d41db5f6a72f25766ec6145e2f87fd8a7b9a842f8c62f6ec01
SHA512 5194739551fa5b0417bd26de190f181ece14c668f77bba15b66cd218e59eb7055a3bb1f248f443bc672534f2f78e1ba7a16a1272cdb65d7076b5c3f478e75664

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 8f2d502b7f88effbb06a481aadf90e47
SHA1 ce0deaf4748ab83e059cc0014bf18f01bf697665
SHA256 147ea2bd502731a22f7d9195831c523b172b1160b0b1bebd8814f2565a8e32b9
SHA512 5069aef5b5f122b68a3b79084796c2a4bab6d6372827290531256f2711a60eb976c11f90563b23dab387595aeb43eacb2c345fba5482082d8e7462720ce584c4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 2a0193c059afe559ac760913966a57e1
SHA1 114b6c9806637f1dcd7947455c61de5a23abccb0
SHA256 a7df549fb93095b3f05debbd7edcd473d4386190cd2958347dd8006d3e11ed80
SHA512 b0e4efe87f36713723bb88fa6b26c71a23de54967fe16cae2d3cfca8ea53cc86166501d6d4befb094c90474136aa6ee9f5e3d501077a4109dbdcf295b0f78d13

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f76e0aa64f3e55a168acf24738370c02
SHA1 2a4f17109f2cf670ea9b031a4542d899786db2d8
SHA256 3af96e98c62feb9820ce9e96e2b8ba6cfff364183e7c205ae094a8da17f71457
SHA512 77263da91f007666c08fdd3eaa34ea7ee52f4d9e77602e7d0e6b7bb13132cc140e2c8eca7356838641fcc747737d9a64668fcf170de411e08b580201bb413869

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 f76401eca6986776307446804a68f99a
SHA1 e3e06fcabfaefb9f6b77832e45c96c4e10678575
SHA256 7d13bac00ac4d1cef73ecf816adf7b7eb1070a93d1c0f405c1a9978eac245bb4
SHA512 b8d5a9189dfc335a1ffecebbf575eb5a29cc3d4c230ae9289771762606092036500ca13ba07d44e86b4461ac3fd3408fb068e08c7fa6555002055293463e5b5f

memory/4388-925-0x000001419FA50000-0x000001419FA51000-memory.dmp

memory/4388-927-0x000001419FA50000-0x000001419FA51000-memory.dmp

memory/4388-926-0x000001419FA50000-0x000001419FA51000-memory.dmp

memory/4388-935-0x000001419FA50000-0x000001419FA51000-memory.dmp

memory/4388-934-0x000001419FA50000-0x000001419FA51000-memory.dmp

memory/4388-933-0x000001419FA50000-0x000001419FA51000-memory.dmp

memory/4388-932-0x000001419FA50000-0x000001419FA51000-memory.dmp

memory/4388-931-0x000001419FA50000-0x000001419FA51000-memory.dmp