Analysis Overview
Threat Level: Known bad
The file https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1& was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Modifies boot configuration data using bcdedit
Downloads MZ/PE file
Possible privilege escalation attempt
Event Triggered Execution: Image File Execution Options Injection
Disables taskbar notifications via registry modification
Modifies file permissions
Checks computer location settings
Executes dropped EXE
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
Command and Scripting Interpreter: PowerShell
Hijack Execution Flow: Executable Installer File Permissions Weakness
Power Settings
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Checks whether UAC is enabled
Drops desktop.ini file(s)
Indicator Removal: File Deletion
Sets desktop wallpaper using registry
Hide Artifacts: Ignore Process Interrupts
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
NTFS ADS
Modifies registry class
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious behavior: GetForegroundWindowSpam
System policy modification
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-11 01:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 01:07
Reported
2024-08-11 01:12
Platform
win10v2004-20240802-en
Max time kernel
295s
Max time network
277s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Disables taskbar notifications via registry modification
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\MitigationOptions = 22222222222222222222222222222222 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\MitigationOptions = 22222222222222222222222222222222 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\MitigationOptions = 22222222222222222222222222222222 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\MitigationOptions = 22222222222222222222222222222222 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\MitigationOptions = 22222222222222222222222222222222 | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\MitigationOptions = 22222222222222222222222222222222 | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Windows\SysWOW64\reg.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\zion.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\zion.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
Indicator Removal: File Deletion
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\Wallpaper = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\WindowsApps\MI92C9~1.0_X\Assets\NOTIFI~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI10D6~1.0_X\APPXSI~1.P7X | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\models\en-GB.PhoneNumber.ot | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\Images\SUGGES~1\PUSHPI~2.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\CONTRA~2\LOGOSC~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\AppList.targetsize-48_altform-unplated_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI6712~1.SCA\APPXSI~1.P7X | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI6F49~1.0_X\Assets\Logos\SQUARE~3\PAINTA~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\SC7949~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI32BC~1.0_X\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID540~1.SCA\Assets\CONTRA~1\MIXEDR~2.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI6F49~1.0_X\MSASIG~1.WIN | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI67C7~1.0_X\Assets\SC3856~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-white_targetsize-30.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONE746~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A11~1.0_X\images\OneNoteNotebookMedTile.scale-400.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI6132~1.0_X\Assets\CONTRA~2\BADGEL~4.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MI3AA8~1.SCA\APPXMA~1.XML | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI33D2~1.0_X\skypert.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\HX182E~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\SECOND~1\Car\RTL\CONTRA~1\LARGET~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIAA44~1.0_X\Assets\AppTiles\STFCCA~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\184.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID483~1.0_X\APPXSI~1.P7X | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI05FA~1.0_X\Assets\ST4E69~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONDCEB~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIE908~1.SCA\Assets\SECOND~1\DIRECT~1\Home\RTL\CONTRA~1\WIDETI~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\WEATHE~1\30x30\16.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~4.0_X\Assets\CONTRA~1\AP04D0~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\LargeTile.scale-400_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID5E5~1.0_X\Assets\CONTRA~2\SplashScreen.scale-200_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI33D2~1.0_X\REACTA~1\assets\RNApp\app\uwp\images\MS-LOG~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A7F~1.0_X\Assets\AppList.targetsize-48_altform-lightunplated_devicefamily-colorfulunplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\HxA-Advanced-Dark.scale-400.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GAEE59~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MI3AA8~1.SCA\Assets\CONTRA~2\WIDELO~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID53B~1.0_X\APPXMA~1.XML | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI8AAC~1.0_X\SYSTEM~3.DLL | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI6132~1.0_X\Assets\CONTRA~1\BA0B9B~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID54F~1.0_X\CircularProgressBar.xbf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI4E99~1.0_X\Assets\WINDOW~1\WI8530~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\en-gb\LOCIMA~1\offsymb.ttf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIAA44~1.0_X\RESOUR~1\RETAIL~1\data\en-us\1.jpg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI6F49~1.0_X\Assets\Images\Stickers\THUMBN~1\STF9B2~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB28C~1.0_X\Assets\CONTRA~2\WideTile.scale-200_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~1\RUNNIN~2.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VOF249~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A11~1.0_X\MSPTLS~1.DLL | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.contrast-black_targetsize-36.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI4DB5~1.0_X\Assets\AppTiles\CONTRA~2\MAPSST~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\CONTRA~1\WEATHE~4.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIEA2E~1.0_X\APPXMA~1.XML | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VO5682~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIBE99~1.0_X\Assets\GAA992~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MIA289~1.SCA\Assets\InsiderHubLargeTile.scale-125.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI33D2~1.0_X\Assets\Audio\SKAFE7~1.M4A | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI33D2~1.0_X\Assets\Images\SK344A~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB44A~1.0_X\Assets\CalculatorAppList.targetsize-60.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\CONTRA~2\GE5DAD~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MI20B0~1.SCA\APPXBL~1.XML | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0A11~1.0_X\images\CONTRA~2\ONA00C~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI46F3~1.0_X\Assets\CONTRA~2\PE1BB7~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI11B4~1.0_X\images\FETCHI~3.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIEACE~1.0_X\Assets\VoiceRecorderAppList.contrast-white_targetsize-96.png | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\MainPage.xaml | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\formatWorker.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\slick.grid.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\pris\resources.el-GR.pri | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\tree_icons.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\frontend\host\api\data\i_alertinfo.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\Assets\Square44x44Logo.scale-200.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\resources.uk-UA.pri | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square150x150logo.scale-200_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars39.contrast-black_scale-200.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\17.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\InputApp\Assets\Fonts\ECMDL2.ttf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.creddialoghost_cw5n1h2txyewy\pris\resources.es-ES.pri | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\dom\images\i_error.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\uk-UA\assets\ERRORP~1\DisableAboutFlag.htm | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.targetsize-32.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Toolkit.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\frontend\host\api\data\helpErrorBox.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_frame_grouping.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\stringResources.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\Assets\StoreLogo.scale-150.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\it-IT\assets\ERRORP~1\pdferrorneedcontentlocally.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\images\ProvisionedApplicationsWhite.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\media\HelloFaceAnimation.gif | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\views\unifiedEnrollmentDiscoveryError.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square71x71Logo.contrast-white_scale-100.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\ecsystem.dll | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\TabControl\sharedTabControl.css | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\fr-FR\assets\ERRORP~1\pdferrorquitapplicationguard.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\templateStyle.css | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobekeyboard-vm.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPStoreLogo.scale-400_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\Assets\SplashScreen.scale-200.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartselection_clear_disabled.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\ja-JP\assets\ERRORP~1\pdferrorofflineaccessdenied.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\hololensDiagnostics\views\hololensDiagnostics.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\js\unifiedEnrollmentFinishedPage.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\AppxBlockMap.xml | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\Assets\PeopleLogo.targetsize-32_altform-unplated_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Assets\PasswordExpiry.contrast-white_scale-400.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\es-ES\assets\ERRORP~1\ErrorPageStyles.css | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\ja-JP\assets\ERRORP~1\http_400.htm | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\LockScreenLogo.scale-200.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-frame-template.html | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\lib\knockout-winjs-wrapper.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeeula-data.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\Assets\1X1.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\speech\080a\tokens_esMX.xml | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeprovisioningentry-data.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-24_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-40_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-64_altform-unplated_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.targetsize-48.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Assets\StoreLogo.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\fr-FR\assets\ERRORP~1\http_404.htm | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\PPIRemovableStorageDevicesSquareTile44x44.scale-400.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\pris\resources.fr-FR.pri | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SCREEN~1\SCREEN~1\Assets\Square44x44Logo.targetsize-24_altform-unplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SCREEN~1\SCREEN~1\Assets\StoreLogo.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\memoryAnalyzer.f12.css | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\clearCookies.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_chartselection_clear.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.MIC\es-ES\assets\ERRORP~1\invalidcert.htm | C:\Windows\SysWOW64\cmd.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\powercfg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1000" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseThreshold1 = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\ContactVisualization = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Cursors\GestureVisualization = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\HungAppTimeout = "1000" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WaitToKillAppTimeout = "1000" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Sound\Beep = "No" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Sound\ExtendedSounds = "No" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MaxAnimate = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\ForegroundLockTimeout = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\MenuShowDelay = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SlateLaunch\LaunchAT = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\DynamicScrollbars = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\FontSmoothing = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\WindowMetrics\MinAnimate = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseSpeed = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseThreshold2 = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SlateLaunch\ATapp | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseSensitivity = "10" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\AutoEndTasks = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\Flags = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\DragFullWindows = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\UserPreferencesMask = 9012038010000000 | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Mouse\MouseHoverTime = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678123241711731" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{A7126D4C-F492-4EB9-8A2A-F673DBDD3334}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\INPROCSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{F062BA81-ADFE-4A92-886A-23FD851D6406}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{FAC14B75-7862-4CEB-BE41-F53945A61C17}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\FileSyncClient.AutoPlayHandler\shell | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\FLAGS | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; net=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; Name=NativeSupported; media=NativeSupported; message=NativeSupported; companyName=NativeSupported; computer=NativeSupported; math=NativeSupported; duration=NativeSupported" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{fac14b75-7862-4ceb-be41-f53945a61c17} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{B5C25645-7426-433F-8A5F-42B7FF27A7B2}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{D8C80EBB-099C-4208-AFA3-FBC4D11F8A3C}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{53DE12AA-DF96-413D-A25E-C75B6528ABF2}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\FileSyncClient.FileSyncClient | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{79A2A54C-3916-41FD-9FAB-F26ED0BBA755} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total\ = "0" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\SYNCENGINESTORAGEPROVIDERHANDLERPROXY.SYNCENGINESTORAGEPROVIDERHANDLERPROXY\CURVER | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "French Phone Converter" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{1196AE48-D92B-4BC7-85DE-664EC3F761F1}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{EA23A664-A558-4548-A8FE-A6B94D37C3CF}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\0\WIN32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\PROGID | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = 4f12242f895bd461c879f1e773d97c8ee816e4b5a37737ac6216dd9bb9e3a2bb | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\INTERFACE\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 226754.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\zion.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\zion.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\zion.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLanguageFeaturesUninstall = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "1" | C:\Users\Admin\Downloads\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0" | C:\Users\Admin\Downloads\zion.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/850854604554895461/1271993054978379877/zion.exe?ex=66b95b58&is=66b809d8&hm=695201ca1acec349c5bbd4139504d31d00c24a218ae037c846f14484e7b603c1&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc8c046f8,0x7ffdc8c04708,0x7ffdc8c04718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6200 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,2827065131243111530,18395986672900470033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\zion.exe
"C:\Users\Admin\Downloads\zion.exe"
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" /restoredefaultschemes
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -duplicatescheme 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 00000000-0000-0000-0000-000000000000
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-000000000000
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -changename 00000000-0000-0000-0000-000000000000 "ZION Tweaking"
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -hibernate off
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 54533251-82be-4824-96c1-47b60b740d00 921becee-fb48-4e16-8c5c-9b8997d07bce 0
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 0cc5b647-c1df-4637-891a-dec35c318583 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 5d76a2ca-e8c0-402f-a133-2158492d58ad 0
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 75b0ae3f-bce9-490a-80b1-aef3b9f7b8fe 5d76a2ca-e8c0-402f-a133-2158492d58ad 0
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setacvalueindex 00000000-0000-0000-0000-000000000000 5ca83367-6e45-459f-a27b-476b1d01c936 8ba3d6a4-fe92-4783-84ef-5650e77f1ef6 0
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setactive 00000000-0000-0000-0000-000000000000
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor 5d76a2ca-e8c0-402f-a133-2158492d58ad 0
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setactive scheme_current
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\hyperkbd" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\hypervideo" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\gencounter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vmgid" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\storflt" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\bttflt" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\vpci" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\hvservice" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\hvcrash" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C devmanview /disable "Remote Desktop Device Redirector Bus"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disable8dot3 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior query memoryusage
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set memoryusage 2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set mftzone 4
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disabledeletenotify 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set encryptpagingfile 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Themes" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\AcpiDev" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CAD" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\CldFlt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\FileCrypt" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\PptpMiniport" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RapiMgr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasAgileVpn" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Rasl2tp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\RasSstp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wanarp" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\wanarpv6" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wdnsfltr" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WcesComm" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcifs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\Wcnfs" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRT" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\WindowsTrustedRTProxy" /v "Start" /t REG_DWORD /d "4" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\FVE" /v "DisableExternalDMAUnderLock" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HDAudBus\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\HidUsb\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\monitor\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\mouhid\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbccgp\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbehci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbhub\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbohci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\usbuhci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\USBXHCI\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ThreadPriority" /t REG_DWORD /d "15" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\disk\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\iaStorAVC\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\Ntfs\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\storahci\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\stornvme\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters" /v "ThreadPriority" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorMagnetism" /v "MagnetismUpdateIntervalInMilliseconds" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Input\Settings\ControllerProcessor\CursorSpeed" /v "CursorUpdateInterval" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager" /v "AlpcWakePolicy" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v ContentEvaluation /t REG_DWORD /d "0" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ShowStatus" /t REG_DWORD /d "3" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "ExtraIconsOnMinimized" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Transparency" /t REG_DWORD /d "255" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\CTF\LangBar" /v "Label" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\HighContrast" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\Keyboard Response" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\SoundSentry" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\TimeOut" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKU\.DEFAULT\Control Panel\Accessibility\ToggleKeys" /v "Flags" /t REG_SZ /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "NavPaneShowAllFolders" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell" /v "FolderType" /t REG_SZ /d "NotSpecified" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "link" /t REG_BINARY /d "00000000" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "Flags" /t REG_SZ /d "186" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "MaximumSpeed" /t REG_SZ /d "40" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Control Panel\Accessibility\MouseKeys" /v "TimeToMaximumSpeed" /t REG_SZ /d "3000" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d "2" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Language Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Keyboard Layout\Toggle" /v "Layout Hotkey" /t REG_SZ /d "3" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\AppEvents\Schemes" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DelayedDesktopSwitchTimeout" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCANetwork" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_LargeMFUIcons" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background" /v "OEMBackground" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "2" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Gwx" /v "DisableGwx" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableOSUpgrade" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Peernet" /v "Disabled" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /v "DEPOff" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell" /v "UseActionCenterExperience" /t REG_DWORD /d "0" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices" /v "TCGSecurityActivationDisabled" /t REG_DWORD /d "0" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\safer\codeidentifiers" /v "authenticodeenabled" /t REG_DWORD /d "0" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowIndexingEncryptedStoresOrItems" /t REG_DWORD /d "0" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f > NUL 2>&1
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /deletevalue useplatformclock
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set useplatformtick yes
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set disabledynamictick yes
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set tscsyncpolicy Enhanced
C:\Windows\system32\bcdedit.exe
bcdedit.exe /deletevalue useplatformclock
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootdebug No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set useplatformtick yes
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set disabledynamictick yes
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootlog No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set tscsyncpolicy Enhanced
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootux disabled
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set bootdebug No
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set debug No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set bootlog No
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set disableelamdrivers Yes
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set bootux disabled
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set debug No
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set disableelamdrivers Yes
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set integrityservices disable
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set quietboot yes
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set tpmbootentropy ForceDisable
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /timeout 3
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set hypervisorlaunchtype off
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000067 true
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set integrityservices disable
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set quietboot yes
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000069 true
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set {globalsettings} custom:16000068 true
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set tpmbootentropy ForceDisable
C:\Windows\system32\bcdedit.exe
bcdedit.exe /timeout 3
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {globalsettings} custom:16000067 true
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {globalsettings} custom:16000069 true
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {globalsettings} custom:16000068 true
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disable8dot3 1 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disable8dot3 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior query memoryusage >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior query memoryusage
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set memoryusage 2 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set memoryusage 2
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set mftzone 4 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set mftzone 4
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set disabledeletenotify 0 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set disabledeletenotify 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C fsutil behavior set encryptpagingfile 0 >NUL 2>&1
C:\Windows\SysWOW64\fsutil.exe
fsutil behavior set encryptpagingfile 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f > NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\StorageSense" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v MoveImages /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettings /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 3 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set hypervisorlaunchtype off
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C FOR /F %%a in ('WMIC PATH Win32_USBHub GET DeviceID^| FINDSTR /L "VID_"') DO ( REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "EnhancedPowerManagementEnabled" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "AllowIdleIrpInD3" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D1Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D2Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "fid_D3Latency" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "DeviceSelectiveSuspended" /T REG_DWORD /d 0 >NUL 2>&1 REG ADD "HKLM\SYSTEM\CurrentControlSet\Enum\%%a\Device Parameters" /F /V "SelectiveSuspendEnabled" /T REG_DWORD /d 0 >NUL 2>&1 ECHO Disabling USB idling for %%a )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C FOR /F "tokens=*" %%a in ('REG QUERY "HKLM\SYSTEM\CurrentControlSet\Enum" /S /F "StorPort"^| FINDSTR /E "StorPort"') DO ( REG ADD "%%a" /F /V "EnableIdlePowerManagement" /T REG_DWORD /d 0 >NUL 2>&1 FOR /F "tokens=*" %%z IN ("%%a") DO ( SET STR=%%z SET STR=!STR:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\=! SET STR=!STR:\Device Parameters\StorPort=! ECHO Disabling StorPort Idling for !STR! ) )
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set hypervisorlaunchtype off
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set hypervisorlaunchtype off
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubDelay" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubInterval" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "18" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubThreshold" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubType" /t REG_DWORD /d "2" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValue" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMaximum" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueMinimum" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueStep" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefault" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCurrent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuePrevious" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNext" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueLast" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueFirst" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueIndex" /t REG_DWORD /d "42" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueName" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDescription" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueVisible" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueHidden" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadOnly" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueReadnv11" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValuenv11Only" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueExecute" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueNoExecute" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueSystem" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueUser" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubPower" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueCustom" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAuto" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueManual" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueAutomatic" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDisabledByDefault" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueEnabledByDefault" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultDisabled" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultAuto" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleScrubValueDefaultManual" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableLLTDIO /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnDomain /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowLLTDIOOnPublicNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitLLTDIOOnPrivateNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v EnableRspndr /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnDomain /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v AllowRspndrOnPublicNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f >NUL 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\LLTD" /v ProhibitRspndrOnPrivateNet /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f >nul 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PortThreadPriority" /t REG_DWORD /d "00000001" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f >nul 2>&1
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print" /v "PriorityClass" /t REG_DWORD /d "00000001" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit -set disabledynamictick yes
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit -set useplatformtick yes
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 437 > nul
C:\Windows\SysWOW64\chcp.com
chcp 437
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell "ForEach($v in (Get-Command -Name 'Set-ProcessMitigation').Parameters['Disable'].Attributes.ValidValues){Set-ProcessMitigation -System -Disable $v.ToString() -ErrorAction SilentlyContinue}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "10" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Background Only" /t REG_SZ /d "True" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Priority" /t REG_DWORD /d "6" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Background Only" /t REG_SZ /d "True" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Priority" /t REG_DWORD /d "5" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Capture" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Background Only" /t REG_SZ /d "True" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "BackgroundPriority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\DisplayPostProcessing" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Background Only" /t REG_SZ /d "True" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Priority" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Distribution" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "BackgroundPriority" /t REG_DWORD /d "4" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Priority" /t REG_DWORD /d "3" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Playback" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Priority" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Pro Audio" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Background Only" /t REG_SZ /d "True" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Priority" /t REG_DWORD /d "5" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Window Manager" /v "SFIO Priority" /t REG_SZ /d "Normal" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "6" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f > nul 2>&1
C:\Windows\SysWOW64\reg.exe
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\system32\cmd.exe
"C:\Windows\Sysnative\cmd.exe" /c bcdedit.exe /set bootux disabled
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set bootux disabled
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe" /v "MitigationOptions" /t REG_BINARY /d "22222222222222222222222222222222" /f
C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe" -setacvalueindex scheme_current sub_processor THROTTLING 0
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Active Setup\Installed Components\{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0948A341-8E1E-479F-A667-6169E4D5CB2A}" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{56CA197F-543C-40DC-953C-B9C6196C92A5}" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineCore" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BraveSoftwareUpdateTaskMachineUA" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SystemApps" /A & ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\SystemApps" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\ProgramData\Packages" /A & ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\ProgramData\Packages" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A & ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files\WindowsApps" /A & ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Program Files\WindowsApps" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A & ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A & ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows" /A & ICACLS "C:\Windows" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\System32" /A & ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\System32" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SysWOW64" /A & ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\SysWOW64" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /enableOMCTelemetry /enableExtractCabV2 /cusid:S-1-5-21-355097885-2402257403-2971294179-1000
C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry /enableExtractCabV2
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\helpPane.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\backgroundtaskhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\RuntimeBroker.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSClient.dll"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSCollect.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamebarpresencewriter.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamepanel.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\magnify.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mblctr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\sdiagnhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mobsync.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\msdt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\narrator.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\osk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\smartscreen.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\backgroundtaskhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\WSClient.dll"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamebarpresencewriter.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamepanel.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\magnify.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\mobsync.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerCPLApp.cpl"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerApp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Windows\SystemApps"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\Packages"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Packages"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files\WindowsApps"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files (x86)\Microsoft"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps"
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdb8f3cc40,0x7ffdb8f3cc4c,0x7ffdb8f3cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3184,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4892,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:1
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3444,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,12623140457598793250,4610558494301089711,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.129.74.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 202.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| NL | 142.250.179.138:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 138.179.250.142.in-addr.arpa | udp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 3.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 172.217.23.206:443 | clients2.google.com | udp |
| NL | 172.217.23.206:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 2dc1a9f2f3f8c3cfe51bb29b078166c5 |
| SHA1 | eaf3c3dad3c8dc6f18dc3e055b415da78b704402 |
| SHA256 | dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa |
| SHA512 | 682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25 |
\??\pipe\LOCAL\crashpad_4100_OLNZWMLWKJMZDAVI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e4f80e7950cbd3bb11257d2000cb885e |
| SHA1 | 10ac643904d539042d8f7aa4a312b13ec2106035 |
| SHA256 | 1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124 |
| SHA512 | 2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1e15022d1d06a12b0fafde02d5c787d6 |
| SHA1 | 15200f906c58db38ed741358739ae2b654402b7e |
| SHA256 | dffc6ce56304f8316c567df21633e0fffab793bf24a7dc18c96aab9735729ab9 |
| SHA512 | dd9de37bd61946a1c073fb429db66791643091aad71f43e94a7ccee48282334171c4f7d44bd32bdc2529acbcac64e6f2ea9f0367eea182d022e5dd115c067bf9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Unconfirmed 226754.crdownload
| MD5 | bb9e693d2df3edaeceb9d8b6cb2fa1df |
| SHA1 | 0a66c6bca9c11cd5375e7c54897ffc36baab5c27 |
| SHA256 | 201f5728c8000bfa84fea795c6acbba4d216bb2d75d8e239b10f19efc50b8b90 |
| SHA512 | a7ab242494e1ccb857656870cc2c44911f2f679b14ad3cccbae4d402f0253c0472ffd9b9c2172aa87d8368c6257563042ca9142002e5bc42d8b58e74f7feba79 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d55181b7c7c539560b9a1b8b87adc826 |
| SHA1 | 0ab4cf98e47358edae29a5509216788dc4fec57f |
| SHA256 | f2990afbd70fa9bc4dfefd7aac4fcaba741af2f6908bc9d66ec4fcf60da3dffb |
| SHA512 | cafd031600c13008bdcba81544d3306a89e146ef21f9f3a3f421ffdfc26bc0b4238d582b376eb866ceea8cee4d29c283e43108762818e3e8e3e4015c83952e8d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f226d92fc60f98adb91a6bf2ae1be724 |
| SHA1 | ebd6bdaa5d3038303acf6b10694b92de86677e08 |
| SHA256 | 846c476077e3b9b0796d5490911fedd70bd3beba69e8f256baef0c7776365fd2 |
| SHA512 | 42b720adb14f23769d6f2b7388b1ba92e4e20d4840f38bcf62dbb2bc006d9e41b3432773d5ebec0f85d1c44aa3e352541486c58fa7cae836a1fc01763b98b688 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ac4166d98049ef8f6e8b51f3e2c398f4 |
| SHA1 | 64999676c42345df96befbbda90d2459c9e22c3d |
| SHA256 | b52e358181d9d356fe5f3e5c8c8c463ca4d51f5384257b191ca9becf63b93fba |
| SHA512 | da3d2f022302874a76943b2c68311191189a2396c82d0d0c369c23cf9f61141d1dc695f486e3e3aed3d84a62de76c29db43054a6717a87b4d4eb383f93d16165 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e5b0f23ce52916e8f63e922ab2de5655 |
| SHA1 | c64a701a662a4f6012f36b2f549eeba6859d9779 |
| SHA256 | aa540faaf238097c0445e8544b89dacca3c964e2fac561e2f6878a5d30aef52b |
| SHA512 | 24b7cebc47260cfab718856dee46c1d498de93b5059153e2852afa5f91e0a3b722e8f3e2dcce7020b3b051e7c07027905fb9fcefc06e52eca75465d7b0c72759 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 094ab275342c45551894b7940ae9ad0d |
| SHA1 | 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e |
| SHA256 | ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3 |
| SHA512 | 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d |
memory/2528-169-0x00000000005D0000-0x0000000000996000-memory.dmp
memory/2528-170-0x0000000005990000-0x0000000005F34000-memory.dmp
memory/2528-171-0x00000000053E0000-0x0000000005472000-memory.dmp
memory/2528-172-0x0000000005580000-0x0000000005986000-memory.dmp
memory/2528-173-0x0000000006080000-0x000000000608A000-memory.dmp
memory/2036-175-0x0000000002F10000-0x0000000002F46000-memory.dmp
memory/2036-176-0x0000000005A60000-0x0000000006088000-memory.dmp
memory/2036-177-0x0000000006090000-0x00000000060B2000-memory.dmp
memory/2036-178-0x0000000006130000-0x0000000006196000-memory.dmp
memory/2036-179-0x00000000061A0000-0x0000000006206000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sf5hmidi.51z.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2036-189-0x0000000006210000-0x0000000006564000-memory.dmp
memory/2036-190-0x0000000006810000-0x000000000682E000-memory.dmp
memory/2036-191-0x00000000068B0000-0x00000000068FC000-memory.dmp
memory/2036-192-0x0000000006DF0000-0x0000000006E22000-memory.dmp
memory/2036-193-0x000000006E2D0000-0x000000006E31C000-memory.dmp
memory/2036-203-0x0000000006E30000-0x0000000006E4E000-memory.dmp
memory/2036-204-0x0000000007AE0000-0x0000000007B83000-memory.dmp
memory/2036-205-0x0000000008210000-0x000000000888A000-memory.dmp
memory/2036-206-0x0000000007AA0000-0x0000000007ABA000-memory.dmp
memory/2036-207-0x0000000007BD0000-0x0000000007BDA000-memory.dmp
memory/2036-208-0x0000000007E00000-0x0000000007E96000-memory.dmp
memory/2036-209-0x0000000007D60000-0x0000000007D71000-memory.dmp
memory/2036-210-0x0000000007D90000-0x0000000007D9E000-memory.dmp
memory/2036-211-0x0000000007DA0000-0x0000000007DB4000-memory.dmp
memory/2036-212-0x0000000007DE0000-0x0000000007DFA000-memory.dmp
memory/2036-213-0x0000000007DD0000-0x0000000007DD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp6BFA.tmp
| MD5 | bd2866356868563bd9d92d902cf9cc5a |
| SHA1 | c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b |
| SHA256 | 6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb |
| SHA512 | 5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27 |
C:\Users\Admin\AppData\Local\Temp\aria-debug-1324.log
| MD5 | 4b353efe9bf453b993c829f3fc714ad1 |
| SHA1 | a8d5882a2a6b527618d03c98b9b2dc0319654a84 |
| SHA256 | a160bdbf8f222c0e79ccd1c9e50d51958d1fc2b3303a83fb98408a0d62cc0af3 |
| SHA512 | c179ad62c388bdc05cbcef0844dd4e131f96fc6917be82faa158e98ac00134e0dcd12db5d3d1887271ab7ac9efb113d1252b30ef6b9bedc04307143dabc74649 |
C:\Users\Admin\AppData\Local\Temp\aria-debug-4620.log
| MD5 | 3153425e84a73631edb55eac678a4632 |
| SHA1 | f7bbc0ce16a15de478311d0cdc8b3e9ab502c30d |
| SHA256 | 5e6e7bf63cc0e9c157e5fcb7b09039c9836a9a27e8371933073ff88ec4b74af9 |
| SHA512 | f218c14a539df7882bd6367a8857690aab64dd05935468c94e076ba1a4858424897f6cf5b1f5ef48b72bf2ebf0ed21a7e2c515d89e6321c37c5a937699ae2945 |
memory/1412-321-0x0000019A1CD40000-0x0000019A1CD50000-memory.dmp
memory/1412-305-0x0000019A1CC40000-0x0000019A1CC50000-memory.dmp
memory/1412-337-0x0000019A25300000-0x0000019A25301000-memory.dmp
memory/1412-339-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-338-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-340-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-341-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-342-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-343-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-344-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-345-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-346-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-347-0x0000019A25320000-0x0000019A25321000-memory.dmp
memory/1412-349-0x0000019A24F40000-0x0000019A24F41000-memory.dmp
memory/1412-348-0x0000019A24F50000-0x0000019A24F51000-memory.dmp
memory/1412-351-0x0000019A24F50000-0x0000019A24F51000-memory.dmp
memory/1412-354-0x0000019A24F40000-0x0000019A24F41000-memory.dmp
memory/1412-357-0x0000019A24E80000-0x0000019A24E81000-memory.dmp
memory/1412-369-0x0000019A25080000-0x0000019A25081000-memory.dmp
memory/1412-371-0x0000019A25090000-0x0000019A25091000-memory.dmp
memory/1412-372-0x0000019A25090000-0x0000019A25091000-memory.dmp
memory/1412-373-0x0000019A251A0000-0x0000019A251A1000-memory.dmp
memory/1644-405-0x000001B11A8D0000-0x000001B11A8F0000-memory.dmp
memory/1644-394-0x000001B11A540000-0x000001B11A560000-memory.dmp
memory/1644-380-0x000001B11A580000-0x000001B11A5A0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\9065INFT\microsoft.windows[1].xml
| MD5 | e1f6b310d13fcb74f3b4982ff2a11077 |
| SHA1 | 5e80095344e54e0652d4e177cc2470470418fe41 |
| SHA256 | e5812e54c1a51e8854d4d1eaabbd6f85deb35910ee7384cf9a7f8fb58c9e22a5 |
| SHA512 | 7349af7925aa6097104232547462ceca5477f58b48415722436ba893c46e2408ba60025bc1b4d8e8df343eea397af90f51792764ec358f5456d07ae0fdb388f6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
| MD5 | 6a8502bb0e684f92fa1e52536126aed6 |
| SHA1 | 129dfb22479cbc8d305850129c06fcbde2d0351a |
| SHA256 | 4536ff05b9f766931564b728df2bf254960acbfbbb0deafefc3f5bb0e9851c89 |
| SHA512 | 060de951ce5c48e24ef3d1890446d16a3d08e996418d853b493ba368cbeb3b942e4272b58447de0e80e11bef54ed5d4923451f8ce45bf97fe1a194f02a1dd652 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133678122743717526.txt
| MD5 | 21acaf3ebdd2e8687e75d3d7fc309258 |
| SHA1 | 2b79316434474d706d9590808da4aafee1d52a8e |
| SHA256 | 7c715874aa99fe6d892ed6e1be7c619bc0ffcf41149d6b7771c4c38ee33ec151 |
| SHA512 | 961650be356cb9b178cf428116305a94726f699a017a3f7a4982ad4864c35ae2b54286afae2689b1db1785c3b2e8114be6accb413f70c004a06eafa5732e67af |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}
| MD5 | 8aaad0f4eb7d3c65f81c6e6b496ba889 |
| SHA1 | 231237a501b9433c292991e4ec200b25c1589050 |
| SHA256 | 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1 |
| SHA512 | 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json
| MD5 | e53c26627a0d4a84fcb279b7e6aa54c5 |
| SHA1 | 6ea43fdc996f9660692d94dcaa26524fe6930211 |
| SHA256 | 7b23e3e7dbb8e48bb87c030e4cf8eb7a277e736327c3d0dbc70b9cf3abe407d3 |
| SHA512 | 7740720d5bdf56631cfce5b9549f62b326605cb8156b5035ef5b027380d7daae42b4b5e08679b60860d528aeb5d8c8f373722a0284b9136e169f3198c49a2a13 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_Explorer
| MD5 | ab0262f72142aab53d5402e6d0cb5d24 |
| SHA1 | eaf95bb31ae1d4c0010f50e789bdc8b8e3116116 |
| SHA256 | 20a108577209b2499cfdba77645477dd0d9771a77d42a53c6315156761efcfbb |
| SHA512 | bf9580f3e5d1102cf758503e18a2cf98c799c4a252eedf9344f7c5626da3a1cf141353f01601a3b549234cc3f2978ad31f928068395b56f9f0885c07dbe81da1 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
| MD5 | b24f93b4c217de8efaad9029c2dca642 |
| SHA1 | 08a461cc2e5e1ea7aebddd1cd1f322567b614805 |
| SHA256 | 92803b341dc74b12cc163da46aa0cdf7f5bc67e4c8dd0d875a4bd96a7bae4938 |
| SHA512 | 77a35aab6c76469123943bca072a31ee4d938867496ec56d0f497fc04848e2837129a34477e4060b84ea6ad7b0a75e0c37c0ee0ec984d7a7d2e336d44cd8f894 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\appssynonyms.txt
| MD5 | 06a69ad411292eca66697dc17898e653 |
| SHA1 | fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d |
| SHA256 | 2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1 |
| SHA512 | ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\appsglobals.txt
| MD5 | 931b27b3ec2c5e9f29439fba87ec0dc9 |
| SHA1 | dd5e78f004c55bbebcd1d66786efc5ca4575c9b4 |
| SHA256 | 541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e |
| SHA512 | 4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\apps.schema
| MD5 | 1659677c45c49a78f33551da43494005 |
| SHA1 | ae588ef3c9ea7839be032ab4323e04bc260d9387 |
| SHA256 | 5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb |
| SHA512 | 740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\appsconversions.txt
| MD5 | 2bef0e21ceb249ffb5f123c1e5bd0292 |
| SHA1 | 86877a464a0739114e45242b9d427e368ebcc02c |
| SHA256 | 8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307 |
| SHA512 | f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\0.0.filtertrie.intermediate.txt
| MD5 | c9021b3c23272d788052eadac7fe9cd7 |
| SHA1 | 4ccfb37013187100404ceb433525222b062bb485 |
| SHA256 | b442fced42e8f2a3fec8a08e1f8cecdd8329818eae89dccde8b858abcf9b304e |
| SHA512 | 84c53a3619811c4501a7160da75de1774beb14c58e670590e351699a2a3b0418128ebfc1b99e70eefd8c8dcf5f157ddf36d3299639bed402ac902e377ecb6ce2 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\0.1.filtertrie.intermediate.txt
| MD5 | 34bd1dfb9f72cf4f86e6df6da0a9e49a |
| SHA1 | 5f96d66f33c81c0b10df2128d3860e3cb7e89563 |
| SHA256 | 8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c |
| SHA512 | e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\0.2.filtertrie.intermediate.txt
| MD5 | c204e9faaf8565ad333828beff2d786e |
| SHA1 | 7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1 |
| SHA256 | d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f |
| SHA512 | e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\Apps.ft
| MD5 | ea2609d9a35b96b5eaeae9b42353e0ef |
| SHA1 | 510488d645ed13eff8ca4244dc241693d1dee5df |
| SHA256 | a2c21852b0e1f2e49c008acd772e1184ce6ab4ac462fd8ae2e3fb88b5e8e5147 |
| SHA512 | 32412639e9b2fe3b4443b96a84cb6227af7691034defff2d9731f67e37e2e6a622de2df594be4ad0527d7686458cfe4d5de92b85d54ce693f88813994dabfb79 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fbb7be7d-331a-4696-93e5-c5703efd7108}\Apps.index
| MD5 | 9c2233f8388e4fcbabf8e101f3a86a45 |
| SHA1 | 3b39a1afa8f7d1e651821e8b37d985b4337300e7 |
| SHA256 | 18c1dc63dfa3404cd3cd734ec8edc065217c762a314ff67436986142ff798774 |
| SHA512 | 45ff85a89e1d1af476d21ab8fa7c7712bb68051b7d2a2e856f7f8c3edcbc788546e2301ca49ac80a1546f2ea5bd95624673fc6c6e7b3121ed527967d3f3cc819 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c4088887-f3a0-4199-a0f8-b6a1890d5276}\apps.csg
| MD5 | 5475132f1c603298967f332dc9ffb864 |
| SHA1 | 4749174f29f34c7d75979c25f31d79774a49ea46 |
| SHA256 | 0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd |
| SHA512 | 54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
| MD5 | 48d2860dd3168b6f06a4f27c6791bcaa |
| SHA1 | f5f803efed91cd45a36c3d6acdffaaf0e863bf8c |
| SHA256 | 04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77 |
| SHA512 | 172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 701173a926a5b78f7b65bd0a07497bdf |
| SHA1 | 7c6fa2e1889153947e4beb81096c12ce1fe3981d |
| SHA256 | 7eaf7acec8f28622b1d401539697df4cb2d3a35585d5efa978c9c661ab0970c6 |
| SHA512 | ecc39c6ed0e3c43927c4abadc35f805f8bc915092abb5d24e0c8b130234d3485e78a1554c6c393a7ba6161dc9309cf8e068d3182203f312b0fb4201864fa2943 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 1c4e7165a78c8b3943df98e1684697e5 |
| SHA1 | 1e2b6296026d4ea3cba34d73315d449423eb600f |
| SHA256 | 370ff3a0bec253dd7c1076d4004074e0b14f7af1276b11ff00eed2b487a4eb20 |
| SHA512 | e51284ac5dc36be273bed1c2a13f4ba25d383f5358639cd3e68ec5bdd61a97b66dc47318cc74d138d708c9688ad15f161a61755c82ff6d13a62e712c3fb2ba5e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 2aa0a6ead705fe22b606a51ba83175e6 |
| SHA1 | 1fc32239d939dfe4edc90fddf23cc41db3b6a4f9 |
| SHA256 | 10c337a02e4bb3d41db5f6a72f25766ec6145e2f87fd8a7b9a842f8c62f6ec01 |
| SHA512 | 5194739551fa5b0417bd26de190f181ece14c668f77bba15b66cd218e59eb7055a3bb1f248f443bc672534f2f78e1ba7a16a1272cdb65d7076b5c3f478e75664 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 8f2d502b7f88effbb06a481aadf90e47 |
| SHA1 | ce0deaf4748ab83e059cc0014bf18f01bf697665 |
| SHA256 | 147ea2bd502731a22f7d9195831c523b172b1160b0b1bebd8814f2565a8e32b9 |
| SHA512 | 5069aef5b5f122b68a3b79084796c2a4bab6d6372827290531256f2711a60eb976c11f90563b23dab387595aeb43eacb2c345fba5482082d8e7462720ce584c4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 2a0193c059afe559ac760913966a57e1 |
| SHA1 | 114b6c9806637f1dcd7947455c61de5a23abccb0 |
| SHA256 | a7df549fb93095b3f05debbd7edcd473d4386190cd2958347dd8006d3e11ed80 |
| SHA512 | b0e4efe87f36713723bb88fa6b26c71a23de54967fe16cae2d3cfca8ea53cc86166501d6d4befb094c90474136aa6ee9f5e3d501077a4109dbdcf295b0f78d13 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f76e0aa64f3e55a168acf24738370c02 |
| SHA1 | 2a4f17109f2cf670ea9b031a4542d899786db2d8 |
| SHA256 | 3af96e98c62feb9820ce9e96e2b8ba6cfff364183e7c205ae094a8da17f71457 |
| SHA512 | 77263da91f007666c08fdd3eaa34ea7ee52f4d9e77602e7d0e6b7bb13132cc140e2c8eca7356838641fcc747737d9a64668fcf170de411e08b580201bb413869 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | f76401eca6986776307446804a68f99a |
| SHA1 | e3e06fcabfaefb9f6b77832e45c96c4e10678575 |
| SHA256 | 7d13bac00ac4d1cef73ecf816adf7b7eb1070a93d1c0f405c1a9978eac245bb4 |
| SHA512 | b8d5a9189dfc335a1ffecebbf575eb5a29cc3d4c230ae9289771762606092036500ca13ba07d44e86b4461ac3fd3408fb068e08c7fa6555002055293463e5b5f |
memory/4388-925-0x000001419FA50000-0x000001419FA51000-memory.dmp
memory/4388-927-0x000001419FA50000-0x000001419FA51000-memory.dmp
memory/4388-926-0x000001419FA50000-0x000001419FA51000-memory.dmp
memory/4388-935-0x000001419FA50000-0x000001419FA51000-memory.dmp
memory/4388-934-0x000001419FA50000-0x000001419FA51000-memory.dmp
memory/4388-933-0x000001419FA50000-0x000001419FA51000-memory.dmp
memory/4388-932-0x000001419FA50000-0x000001419FA51000-memory.dmp
memory/4388-931-0x000001419FA50000-0x000001419FA51000-memory.dmp