hxxps://cdn[.]discordapp[.]com/attachments/1231953046066434059/1286827863730950155/PC_ZONE_FREE_UTILITY_V1[.]rar?ex=66ef5356&is=66ee01d6&hm=c72d04dfe9d39cc42f8a70421f0acb4cc9d255d4e03b94f134c0a34ca6e13c1f&

Analysis

max time kernel
441s
max time network
443s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1231953046066434059/1286827863730950155/PC_ZONE_FREE_UTILITY_V1.rar?ex=66ef5356&is=66ee01d6&hm=c72d04dfe9d39cc42f8a70421f0acb4cc9d255d4e03b94f134c0a34ca6e13c1f&

Score

10^/10

defense_evasion discovery evasion execution persistence ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3120	bcdedit.exe
1124	bcdedit.exe
4400	bcdedit.exe
3660	bcdedit.exe
3700	bcdedit.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 52 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\IoPriority = "3"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
1740	PC ZONE FREE UTILITY V1.exe

Indicator Removal: Clear Persistence 1 TTPs 46 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	powershell.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Power Settings 1 TTPs 31 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1928	powercfg.exe
3452	powercfg.exe
1984	powercfg.exe
5096	powercfg.exe
868	powercfg.exe
2016	powercfg.exe
3684	powercfg.exe
4924	powercfg.exe
2264	powercfg.exe
3920	powercfg.exe
1152	powercfg.exe
4876	powercfg.exe
3916	powercfg.exe
4556	powercfg.exe
4824	powercfg.exe
4008	powercfg.exe
4820	powercfg.exe
3308	powercfg.exe
1596	powercfg.exe
1576	powercfg.exe
1484	powercfg.exe
3912	powercfg.exe
1212	powercfg.exe
768	powercfg.exe
4508	powercfg.exe
4104	powercfg.exe
1204	powercfg.exe
3984	powercfg.exe
2740	powercfg.exe
4560	powercfg.exe
5064	powercfg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\APPLIC~1\920902~1.67\MSEDGE~1.DLL	cmd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\APPLIC~1\msedge.exe	cmd.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 1 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
3452	powershell.exe

Launches sc.exe 43 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3624	sc.exe
5028	sc.exe
1760	sc.exe
4068	sc.exe
4032	sc.exe
5020	sc.exe
2684	sc.exe
2888	sc.exe
4816	sc.exe
2752	sc.exe
2532	sc.exe
2948	sc.exe
3004	sc.exe
1484	sc.exe
2124	sc.exe
5064	sc.exe
4232	sc.exe
672	sc.exe
2820	sc.exe
4556	sc.exe
3744	sc.exe
4336	sc.exe
4612	sc.exe
884	sc.exe
4528	sc.exe
3648	sc.exe
3548	sc.exe
2600	sc.exe
2892	sc.exe
1028	sc.exe
2996	sc.exe
1116	sc.exe
3824	sc.exe
3664	sc.exe
5084	sc.exe
4708	sc.exe
4840	sc.exe
4044	sc.exe
3920	sc.exe
2232	sc.exe
4280	sc.exe
368	sc.exe
1428	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 32 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3736	powershell.exe
2044	powershell.exe
2076	powershell.exe
3916	powershell.exe
948	powershell.exe
1816	powershell.exe
3416	powershell.exe
4372	powershell.exe
1344	powershell.exe
956	powershell.exe
2580	powershell.exe
4032	powershell.exe
2300	powershell.exe
3624	powershell.exe
4876	powershell.exe
4496	powershell.exe
2952	powershell.exe
2968	powershell.exe
4416	powershell.exe
3004	powershell.exe
4848	powershell.exe
4724	powershell.exe
3692	powershell.exe
628	powershell.exe
4948	powershell.exe
1516	powershell.exe
2232	powershell.exe
4292	powershell.exe
1484	powershell.exe
4484	powershell.exe
1684	powershell.exe
2484	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
4280	timeout.exe
4356	timeout.exe
4608	timeout.exe
4612	timeout.exe
3728	timeout.exe
3816	timeout.exe
4324	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4028	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
1500	msedge.exe
1500	msedge.exe
2280	identity_helper.exe
2280	identity_helper.exe
3184	msedge.exe
3184	msedge.exe
3672	msedge.exe
3672	msedge.exe
3996	msedge.exe
3996	msedge.exe
4032	powershell.exe
4032	powershell.exe
2232	powershell.exe
2232	powershell.exe
2968	powershell.exe
2968	powershell.exe
2300	powershell.exe
2300	powershell.exe
4416	powershell.exe
4416	powershell.exe
4496	powershell.exe
4496	powershell.exe
2044	powershell.exe
2044	powershell.exe
2076	powershell.exe
2076	powershell.exe
628	powershell.exe
628	powershell.exe
4948	powershell.exe
4948	powershell.exe
3916	powershell.exe
3916	powershell.exe
4372	powershell.exe
4372	powershell.exe
3624	powershell.exe
3624	powershell.exe
1484	powershell.exe
1484	powershell.exe
3004	powershell.exe
3004	powershell.exe
1344	powershell.exe
1344	powershell.exe
948	powershell.exe
948	powershell.exe
1816	powershell.exe
1816	powershell.exe
956	powershell.exe
956	powershell.exe
4484	powershell.exe
4484	powershell.exe
4848	powershell.exe
4848	powershell.exe
3416	powershell.exe
3416	powershell.exe
4724	powershell.exe
4724	powershell.exe
1516	powershell.exe
1516	powershell.exe
4876	powershell.exe
4876	powershell.exe
3692	powershell.exe
3692	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
3996	msedge.exe
3996	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	876	7zG.exe
Token: 35	876	7zG.exe
Token: SeSecurityPrivilege	876	7zG.exe
Token: SeSecurityPrivilege	876	7zG.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeShutdownPrivilege	2264	powercfg.exe
Token: SeCreatePagefilePrivilege	2264	powercfg.exe
Token: SeShutdownPrivilege	2740	powercfg.exe
Token: SeCreatePagefilePrivilege	2740	powercfg.exe
Token: SeShutdownPrivilege	4560	powercfg.exe
Token: SeCreatePagefilePrivilege	4560	powercfg.exe
Token: SeShutdownPrivilege	3916	powercfg.exe
Token: SeCreatePagefilePrivilege	3916	powercfg.exe
Token: SeShutdownPrivilege	5064	powercfg.exe
Token: SeCreatePagefilePrivilege	5064	powercfg.exe
Token: SeShutdownPrivilege	1928	powercfg.exe
Token: SeCreatePagefilePrivilege	1928	powercfg.exe
Token: SeShutdownPrivilege	5096	powercfg.exe
Token: SeCreatePagefilePrivilege	5096	powercfg.exe
Token: SeShutdownPrivilege	868	powercfg.exe
Token: SeCreatePagefilePrivilege	868	powercfg.exe
Token: SeShutdownPrivilege	3308	powercfg.exe
Token: SeCreatePagefilePrivilege	3308	powercfg.exe
Token: SeShutdownPrivilege	768	powercfg.exe
Token: SeCreatePagefilePrivilege	768	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	3920	powercfg.exe
Token: SeCreatePagefilePrivilege	3920	powercfg.exe
Token: SeShutdownPrivilege	1152	powercfg.exe
Token: SeCreatePagefilePrivilege	1152	powercfg.exe
Token: SeShutdownPrivilege	4876	powercfg.exe
Token: SeCreatePagefilePrivilege	4876	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
876	7zG.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3996	msedge.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe
3048	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1740	PC ZONE FREE UTILITY V1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3536	1500	msedge.exe	82
PID 1500 wrote to memory of 3536	1500	msedge.exe	82
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 4704	1500	msedge.exe	83
PID 1500 wrote to memory of 2500	1500	msedge.exe	84
PID 1500 wrote to memory of 2500	1500	msedge.exe	84
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85
PID 1500 wrote to memory of 3396	1500	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1231953046066434059/1286827863730950155/PC_ZONE_FREE_UTILITY_V1.rar?ex=66ef5356&is=66ee01d6&hm=c72d04dfe9d39cc42f8a70421f0acb4cc9d255d4e03b94f134c0a34ca6e13c1f&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9931e46f8,0x7ff9931e4708,0x7ff9931e4718
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3412 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,1529270707591949770,17693757600140555007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1051:108:7zEvent18662
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:876

C:\Users\Admin\Downloads\PC ZONE FREE UTILITY V1.exe
"C:\Users\Admin\Downloads\PC ZONE FREE UTILITY V1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1740
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CDCF.tmp\CDE0.tmp\CDE1.bat "C:\Users\Admin\Downloads\PC ZONE FREE UTILITY V1.exe""
  2⤵
  - Drops file in Program Files directory
  PID:5000
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/pczone
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ff9931e46f8,0x7ff9931e4708,0x7ff9931e4718
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,8902622973668776660,9959137928322846123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:3684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,8902622973668776660,9959137928322846123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,8902622973668776660,9959137928322846123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
      4⤵
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8902622973668776660,9959137928322846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8902622973668776660,9959137928322846123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:5060
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:2504
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:1608
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:2248
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:1968
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:4744
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:4856
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:4740
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:2772
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:4396
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:4604
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:4964
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:2932
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:5060
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:2488
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:2764
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:2468
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:2876
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:4432
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:4752
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:2536
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:4736
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:3220
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:4296
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:3256
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:516
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:220
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:4364
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:768
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:1516
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:3320
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:4212
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:3444
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:4324
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:4612
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:2996
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:3092
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:5080
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:4424
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:1152
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:4672
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:3992
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:3648
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:5072
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:784
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:2208
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:3744
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
    3⤵
    PID:4100
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
    3⤵
    PID:696
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
    3⤵
    PID:3056
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
    3⤵
    PID:1824
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
    3⤵
    PID:4068
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
    3⤵
    PID:2600
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoftd\Office\OfficeTelemetryAgentFallBack"
    3⤵
    PID:2124
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoftd\Office\OfficeTelemetryAgentFallBack" /disable
    3⤵
    PID:4768
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\Office 15 Subscription Heartbeat"
    3⤵
    PID:5044
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Office\Office 15 Subscription Heartbeat" /disable
    3⤵
    PID:2056
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime"
    3⤵
    PID:1428
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /disable
    3⤵
    PID:4320
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Time Synchronization\SynchronizeTime"
    3⤵
    PID:2076
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /disable
    3⤵
    PID:2500
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update"
    3⤵
    PID:3156
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /disable
    3⤵
    PID:3844
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    3⤵
    PID:1968
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\Device Information\Device" /disable
    3⤵
    PID:4744
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:4856
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:4740
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:2772
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:4396
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:4604
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:4964
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    3⤵
    PID:2932
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    3⤵
    PID:5060
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    3⤵
    PID:2488
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    3⤵
    PID:2764
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:2468
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:2876
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:4432
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:4752
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:2536
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:4736
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:3220
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:4296
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
    3⤵
    PID:3256
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
    3⤵
    PID:516
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
    3⤵
    PID:220
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
    3⤵
    PID:3916
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
    3⤵
    PID:2584
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
    3⤵
    PID:2168
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:1232
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:2264
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:2696
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:1764
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:368
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:2892
- - C:\Windows\system32\sc.exe
    sc stop DiagTrack
    3⤵
    - Launches sc.exe
    PID:2820
- - C:\Windows\system32\sc.exe
    sc config DiagTrack start= disabled
    3⤵
    - Launches sc.exe
    PID:4556
- - C:\Windows\system32\sc.exe
    sc stop dmwappushservice
    3⤵
    - Launches sc.exe
    PID:3824
- - C:\Windows\system32\sc.exe
    sc config dmwappushservice start= disabled
    3⤵
    - Launches sc.exe
    PID:3920
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3624
- - C:\Windows\system32\sc.exe
    sc config WaaSMedicSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:3004
- - C:\Windows\system32\sc.exe
    sc stop DPS
    3⤵
    - Launches sc.exe
    PID:2232
- - C:\Windows\system32\sc.exe
    sc config DPS start= disabled
    3⤵
    - Launches sc.exe
    PID:3648
- - C:\Windows\system32\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    PID:5028
- - C:\Windows\system32\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2684
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3548
- - C:\Windows\system32\sc.exe
    sc config UsoSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1484
- - C:\Windows\system32\sc.exe
    sc stop WinRM
    3⤵
    - Launches sc.exe
    PID:3744
- - C:\Windows\system32\sc.exe
    sc config WinRM start= disabled
    3⤵
    - Launches sc.exe
    PID:4336
- - C:\Windows\system32\sc.exe
    sc stop BITS
    3⤵
    - Launches sc.exe
    PID:4280
- - C:\Windows\system32\sc.exe
    sc config BITS start= disabled
    3⤵
    - Launches sc.exe
    PID:2888
- - C:\Windows\system32\sc.exe
    sc stop pla
    3⤵
    - Launches sc.exe
    PID:1760
- - C:\Windows\system32\sc.exe
    sc config pla start= disabled
    3⤵
    - Launches sc.exe
    PID:4816
- - C:\Windows\system32\sc.exe
    sc stop PcaSvc
    3⤵
    - Launches sc.exe
    PID:4068
- - C:\Windows\system32\sc.exe
    sc config PcaSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2600
- - C:\Windows\system32\sc.exe
    sc stop WSearch
    3⤵
    - Launches sc.exe
    PID:2124
- - C:\Windows\system32\sc.exe
    sc config WSearch start= disabled
    3⤵
    - Launches sc.exe
    PID:2532
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:4968
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:5008
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:3284
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:2244
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"
    3⤵
    PID:2504
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /disable
    3⤵
    PID:4400
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance"
    3⤵
    PID:2248
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /disable
    3⤵
    PID:3048
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup"
    3⤵
    PID:4272
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /disable
    3⤵
    PID:3480
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification"
    3⤵
    PID:4476
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /disable
    3⤵
    PID:3088
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:1980
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:3188
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:2564
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:628
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Speech\SpeechModelDownload"
    3⤵
    PID:3416
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Speech\SpeechModelDownload" /disable
    3⤵
    PID:4240
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Speech\SpeechRuntime"
    3⤵
    PID:3660
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Speech\SpeechRuntime" /disable
    3⤵
    PID:2192
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:2104
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:2144
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:4948
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:3204
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:5040
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:3032
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:4360
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:4492
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:4000
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:2944
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:4864
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:4364
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:768
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:1516
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime"
    3⤵
    PID:3320
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /disable
    3⤵
    PID:4212
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Time Synchronization\SynchronizeTime"
    3⤵
    PID:3444
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /disable
    3⤵
    PID:4324
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4612
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AppModel" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3128
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Cellcore" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3168
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:5080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\CloudExperienceHostOobe" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4424
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DataMarket" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1676
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\HolographicDevice" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1424
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\iclsClient" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\iclsProxy" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Mellanox-Kernel" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2684
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-AssignedAccess-Trace" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1716
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2632
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatform" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3684
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatformTel" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SocketHeciServer" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SpoolerLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:5020
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1612
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TileStore" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3020
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TPMProvisioningService" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4528
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3064
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:5056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4292
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSession" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSessionRepro" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1680
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WinPhoneCritical" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f
    3⤵
    PID:4164
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f
    3⤵
    PID:1184
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableThirdPartySuggestions" /t REG_DWORD /d "1" /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
    3⤵
    PID:2772
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp" /v "DebugLogLevel" /t REG_DWORD /d "0" /f
    3⤵
    PID:4988
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
    3⤵
    PID:1036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
    3⤵
    PID:3172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
    3⤵
    PID:3540
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
    3⤵
    PID:4896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
    3⤵
    PID:2848
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
    3⤵
    PID:116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
    3⤵
    PID:4228
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f
    3⤵
    PID:3512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f
    3⤵
    PID:2112
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
    3⤵
    PID:4940
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
    3⤵
    PID:2036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
    3⤵
    PID:3220
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4296
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
    3⤵
    PID:3256
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:1124
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2940
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
    3⤵
    PID:1156
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
    3⤵
    PID:3460
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:220
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3120
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4340
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2012
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2740
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
    3⤵
    PID:1720
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3308
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4972
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4560
- - C:\Windows\system32\sc.exe
    sc stop DiagTrack
    3⤵
    - Launches sc.exe
    PID:4612
- - C:\Windows\system32\sc.exe
    sc config DiagTrack start= disabled
    3⤵
    - Launches sc.exe
    PID:2892
- - C:\Windows\system32\sc.exe
    sc stop dmwappushservice
    3⤵
    - Launches sc.exe
    PID:3664
- - C:\Windows\system32\sc.exe
    sc config dmwappushservice start= disabled
    3⤵
    - Launches sc.exe
    PID:4032
- - C:\Windows\system32\sc.exe
    sc stop diagnosticshub.standardcollector.service
    3⤵
    - Launches sc.exe
    PID:884
- - C:\Windows\system32\sc.exe
    sc config diagnosticshub.standardcollector.service start= disabled
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4556
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DoReport" /t REG_DWORD /d "0" /f
    3⤵
    PID:1152
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:1004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
    3⤵
    PID:1728
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:1132
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2072
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2148
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1420
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3692
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3548
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4824
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
    3⤵
    PID:1348
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:2632
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3684
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4068
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:456
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f
    3⤵
    PID:2580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1612
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0"
    3⤵
    PID:1984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:2076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:2500
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3156
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3844
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
    3⤵
    PID:1968
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:4476
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4396
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:4964
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
    3⤵
    PID:4244
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
    3⤵
    PID:2488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
    3⤵
    PID:2764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f
    3⤵
    PID:4784
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2104
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:4432
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:4216
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:3776
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:2172
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:4452
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:2944
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:3472
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3436
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:868
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f
    3⤵
    PID:5096
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4980
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:4268
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies data under HKEY_USERS
    PID:2620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4408
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1192
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
    3⤵
    PID:2736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:4708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4612
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
    3⤵
    PID:2456
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3728
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
    3⤵
    PID:2228
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
    3⤵
    PID:3824
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    3⤵
    PID:3624
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f
    3⤵
    PID:4456
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1852
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:3972
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:3828
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:3648
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:5028
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:876
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:3176
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:3500
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:4104
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:1348
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:1824
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:2632
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:3200
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:3684
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:456
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:2580
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:1612
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:2792
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:4616
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:4112
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:4416
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:3184
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:4380
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:4304
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:2980
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:4728
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:1608
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:3544
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:4496
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2692
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1908
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d "1" /f
    3⤵
    PID:3720
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "sendcustomerdata" /t REG_DWORD /d "0" /f
    3⤵
    PID:4404
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "includescreenshot" /t REG_DWORD /d "0" /f
    3⤵
    PID:4884
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d "0" /f
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d "0" /f
    3⤵
    PID:4484
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "SendTelemetry" /t REG_DWORD /d "3" /f
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "qmenable" /t REG_DWORD /d "0" /f
    3⤵
    PID:644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "updatereliabilitydata" /t REG_DWORD /d "0" /f
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "shownfirstrunoptin" /t REG_DWORD /d "1" /f
    3⤵
    PID:844
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "skydrivesigninoption" /t REG_DWORD /d "0" /f
    3⤵
    PID:1588
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\ptwatson" /v "ptwoptin" /t REG_DWORD /d "0" /f
    3⤵
    PID:4292
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Firstrun" /v "disablemovie" /t REG_DWORD /d "1" /f
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "Enablelogging" /t REG_DWORD /d "0" /f
    3⤵
    PID:1680
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d "0" /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d "1" /f
    3⤵
    PID:3876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "accesssolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:2776
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "olksolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:3012
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "onenotesolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "pptsolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:3116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "projectsolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:4988
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:3540
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "visiosolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:4564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "wdsolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:2816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "xlsolution" /t REG_DWORD /d "1" /f
    3⤵
    PID:4908
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "agave" /t REG_DWORD /d "1" /f
    3⤵
    PID:116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "appaddins" /t REG_DWORD /d "1" /f
    3⤵
    PID:4228
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "comaddins" /t REG_DWORD /d "1" /f
    3⤵
    PID:3512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "documentfiles" /t REG_DWORD /d "1" /f
    3⤵
    PID:5040
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "templatefiles" /t REG_DWORD /d "1" /f
    3⤵
    PID:4812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:380
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3228
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3916
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2584
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
    3⤵
    PID:1232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:2264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
    3⤵
    PID:2696
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
    3⤵
    PID:1764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
    3⤵
    PID:4020
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
    3⤵
    PID:4372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /f
    3⤵
    PID:4876
- - C:\Windows\system32\sc.exe
    sc config xbgm start= disabled
    3⤵
    - Launches sc.exe
    PID:1028
- - C:\Windows\system32\sc.exe
    sc config XblAuthManager start= disabled
    3⤵
    - Launches sc.exe
    PID:2996
- - C:\Windows\system32\sc.exe
    sc config XblGameSave start= disabled
    3⤵
    - Launches sc.exe
    PID:368
- - C:\Windows\system32\sc.exe
    sc config XboxGipSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4708
- - C:\Windows\system32\sc.exe
    sc config XboxNetApiSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:5064
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:3664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.People* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsAlarms* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsCamera* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsMaps* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.3dBuilder* | Remove-AppxPackage}
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:2776
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
    3⤵
    PID:1156
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
    3⤵
    PID:4784
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet002\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
    3⤵
    PID:2816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMax" /t REG_DWORD /d "0" /f
    3⤵
    PID:2172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
    3⤵
    PID:3776
- - C:\Windows\system32\reg.exe
    Reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\Power /v CoreParkingDisabled /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:4028
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor CPMINCORES 100
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\system32\powercfg.exe
    powercfg /setactive SCHEME_CURRENT
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set allowedinmemorysettings 0x0
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3120
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set isolatedcontext No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1124
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DistributeTimers" /t REG_DWORD /d "1" /f
    3⤵
    PID:1956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableTsx" /t REG_DWORD /d "0" /f
    3⤵
    PID:4408
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2012
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current SUB_SLEEP AWAYMODE 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Windows\system32\powercfg.exe
    powercfg /setactive SCHEME_CURRENT
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current SUB_SLEEP ALLOWSTANDBY 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5064
- - C:\Windows\system32\powercfg.exe
    powercfg /setactive SCHEME_CURRENT
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current SUB_SLEEP HYBRIDSLEEP 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5096
- - C:\Windows\system32\powercfg.exe
    powercfg /setactive SCHEME_CURRENT
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\system32\powercfg.exe
    powercfg /setactive SCHEME_CURRENT
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3728
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor IDLESCALING 1
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- - C:\Windows\system32\powercfg.exe
    powercfg /setactive SCHEME_CURRENT
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor THROTTLING 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\0cc5b647-c1df-4637-891a-dec35c318583" /v "ValueMin" /t REG_DWORD /d "0" /f
    3⤵
    PID:1676
- - C:\Windows\system32\powercfg.exe
    powercfg /setACvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\system32\powercfg.exe
    powercfg /setDCvalueindex scheme_current SUB_PROCESSOR SYSCOOLPOL 1
    3⤵
    - Power Settings
    PID:1596
- - C:\Windows\system32\powercfg.exe
    powercfg /setactive SCHEME_CURRENT
    3⤵
    - Power Settings
    PID:2016
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMAX 100
    3⤵
    - Power Settings
    PID:3452
- - C:\Windows\system32\powercfg.exe
    powercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMAX 100
    3⤵
    - Power Settings
    PID:4508
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
    3⤵
    - Power Settings
    PID:4824
- - C:\Windows\system32\powercfg.exe
    powercfg -setdcvalueindex scheme_current sub_processor PROCTHROTTLEMIN 100
    3⤵
    - Power Settings
    PID:1484
- - C:\Windows\system32\powercfg.exe
    powercfg -setactive scheme_current
    3⤵
    - Power Settings
    PID:4008
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor CPMAXCORES 100
    3⤵
    - Power Settings
    PID:1576
- - C:\Windows\system32\powercfg.exe
    powercfg -setdcvalueindex scheme_current sub_processor CPMAXCORES 100
    3⤵
    - Power Settings
    PID:3684
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor CPMINCORES 100
    3⤵
    - Power Settings
    PID:4820
- - C:\Windows\system32\powercfg.exe
    powercfg -setdcvalueindex scheme_current sub_processor CPMINCORES 100
    3⤵
    - Power Settings
    PID:3912
- - C:\Windows\system32\powercfg.exe
    powercfg -setactive scheme_current
    3⤵
    - Power Settings
    PID:4104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\be337238-0d82-4146-a960-4f3749d470c7" /v "Attributes" /t REG_DWORD /d 2 /f
    3⤵
    PID:536
- - C:\Windows\system32\powercfg.exe
    powercfg -setacvalueindex scheme_current sub_processor PERFBOOSTMODE 0
    3⤵
    - Power Settings
    PID:4924
- - C:\Windows\system32\powercfg.exe
    powercfg -setdcvalueindex scheme_current sub_processor PERFBOOSTMODE 0
    3⤵
    - Power Settings
    PID:3984
- - C:\Windows\system32\powercfg.exe
    powercfg -setactive scheme_current
    3⤵
    - Power Settings
    PID:1204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "0" /f
    3⤵
    PID:4616
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f
    3⤵
    PID:2792
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 2 /f
    3⤵
    PID:2304
- - C:\Windows\system32\sc.exe
    sc config "DiagTrack" start= disabled
    3⤵
    - Launches sc.exe
    PID:4840
- - C:\Windows\system32\sc.exe
    sc config "SysMain" start= disabled
    3⤵
    - Launches sc.exe
    PID:4232
- - C:\Windows\system32\sc.exe
    sc config "WSearch" start= disabled
    3⤵
    - Launches sc.exe
    PID:4528
- - C:\Windows\system32\sc.exe
    sc config "Fax" start= disabled
    3⤵
    - Launches sc.exe
    PID:672
- - C:\Windows\system32\sc.exe
    sc config "TabletInputService" start= disabled
    3⤵
    - Launches sc.exe
    PID:2752
- - C:\Windows\system32\sc.exe
    sc stop "DiagTrack"
    3⤵
    - Launches sc.exe
    PID:4044
- - C:\Windows\system32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:5020
- - C:\Windows\system32\sc.exe
    sc stop "WSearch"
    3⤵
    - Launches sc.exe
    PID:1428
- - C:\Windows\system32\sc.exe
    sc stop "Fax"
    3⤵
    - Launches sc.exe
    PID:1116
- - C:\Windows\system32\sc.exe
    sc stop "TabletInputService"
    3⤵
    - Launches sc.exe
    PID:2948
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set DisableDeleteNotify 0
    3⤵
    PID:1696
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsDisable8dot3NameCreation" /t REG_DWORD /d 1 /f
    3⤵
    PID:4016
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v "NtfsMemoryUsage" /t REG_DWORD /d 2 /f
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "ClearPageFileAtShutdown" /t REG_DWORD /d 1 /f
    3⤵
    PID:3236
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d 1 /f
    3⤵
    PID:812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d 1 /f
    3⤵
    PID:4012
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "SecondLevelDataCache" /t REG_DWORD /d 512 /f
    3⤵
    PID:896
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:4172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsAll" /t REG_DWORD /d "1" /f
    3⤵
    PID:816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGames" /t REG_DWORD /d "10" /f
    3⤵
    PID:956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "FpsStatusGamesAll" /t REG_DWORD /d "4" /f
    3⤵
    PID:4496
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Games" /v "GameFluidity" /t REG_DWORD /d "1" /f
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
    3⤵
    PID:4896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2772
- - C:\Windows\system32\powercfg.exe
    powercfg /h off
    3⤵
    - Power Settings
    PID:1984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HibernateEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4392
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "SleepReliabilityDetailedDiagnostics" /t REG_DWORD /d "0" /f
    3⤵
    PID:3440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "SleepStudyDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4292
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set disabledynamictick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4400
- - C:\Windows\system32\bcdedit.exe
    bcdedit /deletevalue useplatformclock
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3700
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set useplatformtick yes
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3660
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set memoryusage 2
    3⤵
    PID:2292
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set mftzone 4
    3⤵
    PID:2376
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2944
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set disabledeletenotify 0
    3⤵
    PID:2104
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set encryptpagingfile 0
    3⤵
    PID:2764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:380
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Background Only" /t REG_SZ /d "False" /f
    3⤵
    PID:3256
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "BackgroundPriority" /t REG_DWORD /d "0" /f
    3⤵
    PID:820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:3444
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:4324
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Priority" /t REG_DWORD /d "2" /f
    3⤵
    PID:3472
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Scheduling Category" /t REG_SZ /d "Medium" /f
    3⤵
    PID:5004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "SFIO Priority" /t REG_SZ /d "High" /f
    3⤵
    PID:4364
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Low Latency" /v "Latency Sensitive" /t REG_SZ /d "True" /f
    3⤵
    PID:3228
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Affinity" /t REG_DWORD /d "0" /f
    3⤵
    PID:4980
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
    3⤵
    PID:4708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "BackgroundPriority" /t REG_DWORD /d "0" /f
    3⤵
    PID:5024
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d "10000" /f
    3⤵
    PID:1192
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d "8" /f
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d "2" /f
    3⤵
    PID:1232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
    3⤵
    PID:1720
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
    3⤵
    PID:2996
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Latency Sensitive" /t REG_SZ /d "True" /f
    3⤵
    PID:1516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "Win32PrioritySeparation" /t REG_DWORD /d "38" /f
    3⤵
    PID:1640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d "0" /f
    3⤵
    PID:3640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d "0" /f
    3⤵
    PID:1136
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "DisableExceptionChainValidation" /t REG_DWORD /d "1" /f
    3⤵
    PID:3092
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "KernelSEHOPEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3648
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "EnableCfg" /t REG_DWORD /d "0" /f
    3⤵
    PID:1424
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "ProtectionMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:3160
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettings" /t REG_DWORD /d "1" /f
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverride" /t REG_DWORD /d "3" /f
    3⤵
    PID:3056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "FeatureSettingsOverrideMask" /t REG_DWORD /d "3" /f
    3⤵
    PID:4280
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:2208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Remove-Item -Path \"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\" -Recurse -ErrorAction SilentlyContinue"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Indicator Removal: Clear Persistence
    - Hide Artifacts: Ignore Process Interrupts
    PID:3452
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
    3⤵
    PID:3912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ8Priority" /t REG_DWORD /d "1" /f
    3⤵
    PID:1736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
    3⤵
    PID:4104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Control\PriorityControl" /v "IRQ16Priority" /t REG_DWORD /d "2" /f
    3⤵
    PID:4924
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargeSystemCache" /t REG_DWORD /d "1" /f
    3⤵
    PID:3984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "DisablePagingExecutive" /t REG_DWORD /d "1" /f
    3⤵
    PID:1204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "DpiMapIommuContiguous" /t REG_DWORD /d "1" /f
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "MoveImages" /t REG_DWORD /d "0" /f
    3⤵
    PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic os get TotalVisibleMemorySize
    3⤵
    PID:3588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get TotalVisibleMemorySize
      4⤵
      PID:4356
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "SvcHostSplitThresholdInKB" /t REG_DWORD /d "!SVCHOST!" /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
    3⤵
    PID:1116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
    3⤵
    PID:4728
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
    3⤵
    PID:3544
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
    3⤵
    PID:3484
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "1000" /f
    3⤵
    PID:1592
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
    3⤵
    PID:4416
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "1000" /f
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "TimeStampInterval" /t REG_DWORD /d "1" /f
    3⤵
    PID:3124
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability" /v "IoPriority" /t REG_DWORD /d "3" /f
    3⤵
    PID:3140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:432
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    PID:2132
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
    3⤵
    PID:4500
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DXGKrnl" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
    3⤵
    PID:2628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatency" /t REG_DWORD /d "1" /f
    3⤵
    PID:4144
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "ExitLatencyCheckEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Latency" /t REG_DWORD /d "1" /f
    3⤵
    PID:4172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceDefault" /t REG_DWORD /d "1" /f
    3⤵
    PID:2240
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceFSVP" /t REG_DWORD /d "1" /f
    3⤵
    PID:1704
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyTolerancePerfOverride" /t REG_DWORD /d "1" /f
    3⤵
    PID:1380
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceScreenOffIR" /t REG_DWORD /d "1" /f
    3⤵
    PID:1968
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "LatencyToleranceVSyncEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "RtlCapabilityCheckLatency" /t REG_DWORD /d "1" /f
    3⤵
    PID:3848
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyActivelyUsed" /t REG_DWORD /d "1" /f
    3⤵
    PID:2428
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleLongTime" /t REG_DWORD /d "1" /f
    3⤵
    PID:3088
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleMonitorOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:4396
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleNoContext" /t REG_DWORD /d "1" /f
    3⤵
    PID:3736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleShortTime" /t REG_DWORD /d "1" /f
    3⤵
    PID:2500
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultD3TransitionLatencyIdleVeryLongTime" /t REG_DWORD /d "1" /f
    3⤵
    PID:2848
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0" /t REG_DWORD /d "1" /f
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle0MonitorOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1" /t REG_DWORD /d "1" /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceIdle1MonitorOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:4564
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceMemory" /t REG_DWORD /d "1" /f
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceNoContextMonitorOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:2408
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceOther" /t REG_DWORD /d "1" /f
    3⤵
    PID:3448
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultLatencyToleranceTimerPeriod" /t REG_DWORD /d "1" /f
    3⤵
    PID:3660
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceActivelyUsed" /t REG_DWORD /d "1" /f
    3⤵
    PID:4756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceMonitorOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "DefaultMemoryRefreshLatencyToleranceNoContext" /t REG_DWORD /d "1" /f
    3⤵
    PID:2944
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "Latency" /t REG_DWORD /d "1" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MaxIAverageGraphicsLatencyInOneBucket" /t REG_DWORD /d "1" /f
    3⤵
    PID:2764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MiracastPerfTrackGraphicsLatency" /t REG_DWORD /d "1" /f
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorLatencyTolerance" /t REG_DWORD /d "1" /f
    3⤵
    PID:380
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "MonitorRefreshLatencyTolerance" /t REG_DWORD /d "1" /f
    3⤵
    PID:3256
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Power" /v "TransitionLatency" /t REG_DWORD /d "1" /f
    3⤵
    PID:820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "0" /f
    3⤵
    PID:3444
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:4948
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "DisableTaggedEnergyLogging" /t REG_DWORD /d "1" /f
    3⤵
    PID:4364
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxApplication" /t REG_DWORD /d "0" /f
    3⤵
    PID:2012
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\EnergyEstimation\TaggedEnergy" /v "TelemetryMaxTagPerApplication" /t REG_DWORD /d "0" /f
    3⤵
    PID:3228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c REG QUERY "HKLM\System\CurrentControlSet\Services" /s "EnableHIPM"| FINDSTR /V "EnableHIPM"
    3⤵
    PID:4708
  - - C:\Windows\system32\reg.exe
      REG QUERY "HKLM\System\CurrentControlSet\Services" /s "EnableHIPM"
      4⤵
      PID:5024
  - - C:\Windows\system32\findstr.exe
      FINDSTR /V "EnableHIPM"
      4⤵
      PID:4580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\GpuEnergyDr" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:1720
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:1516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:1640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:2524
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\ModernSleep" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:3640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CoalescingTimerInterval" /t REG_DWORD /d "0" /f
    3⤵
    PID:3092
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "PlatformAoAcOverride" /t REG_DWORD /d "0" /f
    3⤵
    PID:3648
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EnergyEstimationEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1424
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "EventProcessorEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3160
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "CsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1600
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
    3⤵
    PID:3056
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:2208
- - C:\Windows\system32\sfc.exe
    sfc /scannow
    3⤵
    PID:2632
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:1828
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic pagefile set /size=8192,16384
    3⤵
    PID:1256
- - C:\Windows\system32\setx.exe
    setx /M COMPOSITING 0
    3⤵
    PID:5108
- - C:\Windows\system32\powercfg.exe
    powercfg -h off
    3⤵
    - Power Settings
    PID:1212
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxCmds" /t REG_DWORD /d 128 /f
    3⤵
    PID:2936
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v "LargePageMinimum" /t REG_DWORD /d 0 /f
    3⤵
    PID:32
- - C:\Windows\system32\timeout.exe
    timeout /t 1 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1764

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
958ec9d245aa0e4bd5d05bbdb37475f4

SHA1
80e6d2c6a85922cb83b9fea874320e9c53740bd9

SHA256
a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d

SHA512
82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdeeca48f8268c0909fcd620f08a10e6

SHA1
e3f86ca11e1292be9d4b9c623ab330b9c54b8a11

SHA256
bce489fa9182961ea88bc677bcfa02265d9f08d8174ff9877bb78a3cb3a5e23f

SHA512
7cbe28df1d5c5b3076cc1f444087a32e6461d7d9b1bd355cd835caa52d2b746cb76e09ad055034f335518fe3ce187ccf384a03bd36b048fce3b6749c0f73efc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a1a2994c0a0901a48a0c1cf403e0af05

SHA1
6f197178359387ac0dcdfbc01140a04fc604223e

SHA256
737bcbd14d31802e2d253dbb6c95e425b62b308345d7ec654abf1ab1da4b934e

SHA512
42ba075df3f1b669e4443b84df2e0201745eb9b46716cfa3d2ca4099adb174cb79c9b0629815f5d71f3bd739c8339e18672ff328901fd294b61d6ae7438ced28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
eed3bf25327a9c6a47c3ca5174513881

SHA1
d7872ed7ab56c8b738591fd6fb974a7bdd935577

SHA256
a8de0e2b5c685dae0ca6d9e54ca71d945352948ae45c4e342dab35b95939cc0a

SHA512
30d93c5701234a19103d4c1cb3d5f7e7cf005317d74af5a62681c9c63bb6deea26f9275cd2ebb07aa0ddce6a66d5849aa6ab93343909f206445bdff91a62ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
3f5c479d4c1eed8812f896377a025a9e

SHA1
7c39fc5a3eb00e08fdfb616057373a162d3013b3

SHA256
6729dd035dea6e809a3780308fda01b42b628c84e88f81a9876cd01a02b8dfc1

SHA512
9944c2524b2e8a135d1d4a7caf0cd65bd13790b09da6ee2336e343a769d127a8c96476051a1a0550be27afca676c095f999aa374a0a31fb18fc942ae2e8f61e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
bb607120e847d63fd125f6ef0d2e0f17

SHA1
bba9987ac7832bee209667502ed9f4773092a02f

SHA256
ec26f337c8d16c6d6e93d60d06a57cda8920bf574aafc5019f470505e811cbc4

SHA512
d983c1b85ef2c16bc1c50dbad6458bac50159cbd832c0d5511b8a03d8f530c5d12d256cf6d2718ee5dd2e0c8f74d5241a1b681e6ab4eee3a4e78593424fcc914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
2baca1d9031dc4021bb09f39c7938f15

SHA1
1949c7446251b389e9b7a4c262b86422f2d89641

SHA256
74edd5761365373c4f2b7e690246ae1007c52934d2dfbd97854bef55c04b27c5

SHA512
b048824dc489e74cd7269d2ff66aeafe0a653ef907e6ce2beb1cf4b08c0fbcdc34dd0a19322dca198252186f7c67e17b12846b99f6e3739042ec5f0097ac500b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
fba50cc155f619b9d2470de9c1ec4540

SHA1
307896006f40dec73f07c9c6f2059d269468266f

SHA256
00c269c5792ec86448c7973f436d6c8b92d7d2372689656e9e3df7b98504ed4a

SHA512
32c096157ad47bea11d87d436d7f270e3a703710b499ce6e82ef20fab6a34a4520cedd5c841e82cbd5843da7e1e5e790ff9bb8716bb0102d015b4e84baffdf90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
411f224a072f1f288eccfcfd5ba3d233

SHA1
4b5d292ac16ece58f55b23733ba87fd972f6ab6e

SHA256
e5b12e82fa4029ad813c262cb4831dac3cadacc5797373158e9f675468d7e117

SHA512
8557ce837b0e38cc1ae3148c83439d920047db83d695cfd3ab48dbe00d12a99542d3528d35469e12fc518d401b0c8d4e8c4866c406e7c59fcfe93dcaccee8298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
18f7d10b011f463505d0381f42cadd1f

SHA1
cf390454ee59c09916e1d3555b2f9aa084467abb

SHA256
0d21580c4f7a53896522abd62366771d109222c1c66c7d482b87da4429a76776

SHA512
75f90e2e2156916ec21659074066b556b281bb9ffa425782657cc115e241b90729bbbe6167157c1d329c3779bc68a97a0716a74a619afe457f9baf87615e5937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
254B

MD5
f6066cb314a763cef1c50a8e17a31565

SHA1
56cf667e4eae2e834d6e6ac1a6e59cd0267ea586

SHA256
13a8eb1c67934115a2693826f0836ae67d698e53fb56fdc91140731f1a4b0b9e

SHA512
83361200235d24bcabc395b299520139121f32f889c64a0ef5a757d1e5f4770f8b3e872fbb068b96e34d7a9774e883ea12a1eeeb648ddc15d0189015a318580a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1924b957886369d55cc2f8f4217ccd1a

SHA1
d0c371527fd5b351b3447f3c157243be741f8978

SHA256
4d349b372f74675710eb9e067563d07125c03466c4c4e4967b03b2f595afdb30

SHA512
2decf9b5b95bffdc7a531fe716641bed90245f4d0242b21e3e42d40b595024b4a7e3a926176c3b347c35288c0f7d255c6bbd59af5b71b3e446cacfe556a59b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54d83041a4a0174b1409f2db4bbe71a3

SHA1
82887f611b066e4944dd95a4dbfdc17a41f6b1ce

SHA256
04ab0e7ea712fe04ebfc367c0e60087cc9ce964c53addaa3d4510aa60f59c16c

SHA512
f861d5d6d924874e01c203a508a9bfab45f2a3bce101afcef2a2705d66041049b23e79bd4a1cf6cdd22dfd2131d71d535d1c5709a4ed4bfe2e846a9cc536572c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e14f2e356bc846b2cd82d175d551294e

SHA1
1399446944a4d6335dfe94e95e7cdc7481989d1a

SHA256
b1ac542f741b3463677d656eea7d6f71f53db0bdeb6d376ada5ad034a884e98c

SHA512
0b33651e5081b6d58264a94c6d3e9ddbb44759389a39980ba90a3e979b0d594db19a0a7a1bbdcbed9909376e7e46a5e59064c02eb26a167c3ab57e5b6be618f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10609c868499c37ffab8ebdde31e2bdf

SHA1
30c6c972b791bcb7299998c330cda1d31fcf19b7

SHA256
24e3e0975992f27060ffcc9d31d1a8534dfcbf9158eea553f2a8e1b570045ca1

SHA512
12b9df88929886eae5fd39e7df24bc5b9538b5a91f1cd26931049ed5767e1d24312b29350373291395a55ce93ec336943aecce75eb0e849ae2cc3e163e741dff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76b6602baf13f64cdce3d56404dadcd6

SHA1
909917f99aa5d7d8013b96e58c00c4495d404765

SHA256
5d7a236040ba4186ea55b084d2a411d51cda704420d5cbd20b6f36a9347655b5

SHA512
29f192ed14c3dff0f95dd43cc441dcce374af8938d572e93b2cbba822ebecc321db61f5caa9efda3d452fa264ebb2c018db88471fd94fd788cd9c65b068bd3f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
a151512b80c2bf7d4f1c0dfbea2e0215

SHA1
7d3e8276ae43e5acaddc570f6e2e594902c01494

SHA256
781234b7e4b5f983770c7e7b3140bbcda0e43b51a162118b4254dd2a33ca93fd

SHA512
a28db5a0929339a77fd9bcbd574a4ce6bedc70becb4123cde405ca9b90faf5d6649789af7e7ae91956b953184e148c9f08be696f19ca42753e8e5f22e80c5432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
e069fd4636f3e11586ea712ba55e4e3c

SHA1
bc319b895527cebe483c2118b789853104de7b48

SHA256
8f7a2639859132cb20dd452339f2d1b47e1ca0eeb703bb9abc33b97dffef884c

SHA512
753ea6a4b8756d78949a2c5e68a66527472f95e7c144da2e9e3aa3d3cdf4339a39548cdf998e4de01b99fbd6a8c6803214ac10212cda7391d12e11c329a904e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13371347688978481

Filesize
461B

MD5
842c59f666001600589a991a4a227de9

SHA1
9c7dd0a42009dbb6f1cb4d7ba03f252886f40633

SHA256
6e4b1bb9b65bc5dfc0058eee6b5d5f878efe2a9eca07812fdce2a94dea151045

SHA512
a17d93b8f687ac94ec28ac7164bd4d17814b2aba7fe3450527a92b7695d5564b2f84af326d0229bba9fcd3b67ada0b09741d058d1aa4ed857e6dd7fb834b2e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13371347689181481

Filesize
933B

MD5
ce2d66c0774f54e9a65faffba24b7da9

SHA1
7563feb8cdf799e2ad2489ad9d424e479717687c

SHA256
6e6fbbeddde378932ac9838faa11e2fa2065f23e9107c654895eee1ab26a5ddd

SHA512
28311a556d1bb4488236463a0cc1ed3db3691423c1fb41ad58592618a69e95d230effe725dc45c283094ce4c92788619430d264febe9958430f80dd2e71c73f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0fb3bbd2bcdc8a6d93046c6b8beee072

SHA1
cb1cd3720f7947c9477d058cd93a083b55590560

SHA256
45b053baed8cac86a76e0d57b0b16bf0cdf160d237d6f108ac22521c317eaac2

SHA512
3ed25d6815c7d070675f907b4e88674bfc2f0e527fc068e94f2cd831b8d7166a2ea57413b488df54f9d955b0c878fbe873619beb8eb169d2d40012ee1da061d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
4e9bbe48ddfc00f1da5c167cd26e0f21

SHA1
f53c0b43f5235f564050d9baea1d92bf3b390caa

SHA256
e4238f0a13ea0d974ae2cb5a186ffaa4ce69c5c63ddaa9987abae88dcd0805bd

SHA512
60c0318499db908752df3a0f24bbbb2fec46ea425ffbd9c2fc10e10b37ab2fb2a3ff89511079db37f248bc1889396dd6a7382f5d922b80f99c935c541ec84505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
f109a2eff9d3515a3731f1a5f4a8f1de

SHA1
2a2d3f316606e3a90ee90c5033530f96d246213e

SHA256
29c4edfe66c706518ababd9925fb62c04cd40188d6e50ef448c5ee3c10247124

SHA512
9282be4aa051d5b5f819101ce8887892d6f1089f1d63fce45b9ba89dfb447e9501e791157dd94092e515aa87a82f7595f04e5e31be81db2d69dd350eafc7d855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
3KB

MD5
3b50fae726c31ae8ddc7c5ce0ca81c03

SHA1
157eb8eb7d693743116572474f088a873a72dd99

SHA256
4de2ab1d67490eb3cf49d4d25c93579c325245eb55f605735d910ea823400595

SHA512
15b070b8a4f6ce982865a3a5550afcef732671f82759adc5690720b8d5dcf2bbd2114e1f90f90a3472bf511364e187b4731f3ee0e457e269ad086570096f1ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
8b0a993962221ad1fd7e1c7e0abe2f2c

SHA1
521cd1a5ada162004a165feb2f2a1824de201cba

SHA256
c538431aaada6aa36712f1c3e52ae5d5313f2b8a017e57440aa38368728bb86c

SHA512
329693d6438cc27d848b7b520e60704c408d4ba78ba4e07258bfe0230ad0d8f7bd7b4a5ae88d446ff665a7bb4e286387a1dc134a9f0ed339a48573a2bee0f91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
b9b683281a5efe10b0e8af8ba178c361

SHA1
f6eb5db297db43862953946be26d8fde1246e9f4

SHA256
d90cdd8c6e83dbb5a9cb246baa539d06944906807a63f48b2ce5a6a84eab513f

SHA512
05c97c80ea499d4b9b2a872dda6a3acf79e6752c0829a244a24b12c7a8685a909b99e572c40f01e44147367a4cbc256004dc6260a4e2e69d39c3711d854713fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
577fbe3291ec083aca603b8f1e4430ef

SHA1
76235d2575b488c798758cbcbe14b394cbe867c0

SHA256
a06c6bf465fbe53caa74e57b4f172c49a30b3f94f86e943604688354bfa5e899

SHA512
f09feb9afdea5587acbad79508f2e03d0708d57f3a7a3cb59fe937c98cc24e94ed764c3e33a48506946eb3be0f0cad10d349a51497ff3e03857d0431032e9692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
9590d6add4b9e4405e13c4a7bb352a59

SHA1
3a3f82276b8599f941b4092004fd46bc3185fd05

SHA256
97434b29426d0ed7704adb279c268781537eaf6043718ab26cd26fa07de38eaf

SHA512
e8e3e46e1a85e4920f8fb9adf77f4c384edc41de5bebedbb46a12b978bd2e6a745d2aaa145c5e2f552d50c08c84dc0261747e0422c40363cb6f150a59390146b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b7eb778aca92930cc36bb4d86656164c

SHA1
7be1ff4b2855b507f4bed1285314c7c03319669d

SHA256
97bcdfbf9523c78157a5921e8cdaaa81a8b2c5b0e3070ba49178471ea610c00b

SHA512
a6761d1270dc909826685c42a74c4bf7ea9be6b6aa712a952f32f32757bbf14f76e27b901caef31670155ce8e9bf3b2b76c270dfd2008bc0df92c451fb40a131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
eb10c7b4dca1a6eea286384d215bb27b

SHA1
0b940ecd3847ce06488535e7aaddfa3c33cec4c0

SHA256
911a2096d1f114975b3bf572be93240e488069c4237b7522c3c8a9528422c8d0

SHA512
128003176c69fa63a7bf47509830820b95613af0b18180b163a1a073d30a65d48ce5730a46054c39eb9a85bc9c97c7c6b628329f745ee77f0640bdb871d851b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
721e7b4941310d9d458fa54977ead08d

SHA1
3dbd55a01aa25b2a2a3cf6123bb340a1bf4256e4

SHA256
1c9d9fbc51330f66e70dd68debf58f858937a586001bb61082f9ea4c6619cddc

SHA512
bb72ef239d31030d0ea080799066ee3245e49a7c6ca10c3b3189c17dfa67e871c8b3f438929da3de89c8279ee6410b8bde20aa2c9fc661a6cec5bf9b6a506369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d28a7c46bd9f49605a02bad3d5b4c3ed

SHA1
e1b6d622681d32a8a4c21a510efd1a3091111aa9

SHA256
dd7367e6153556f66d30cca5b7e0bec76b22d8c1c6d1a7368cb0ec28a3c5a4a4

SHA512
2f603856950d860ffd704b65978b081f46a543bf32febbc1c41f47da1afd3545e0b30c03bfb2ca4309ed691c9111069b8c3b42ddba2f3b055476270ac8b35704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
95d7d396c5a608bef4e941e19a9c9127

SHA1
1e3f12912573cf90a13bdfbc4e437b8ab496e760

SHA256
32f862a399e5e47290ff02a0f38755ee77c677ceb7fcbb770365dd565af97b26

SHA512
2150838234351b11c87c48c8ac685f07721dce155821f7fc2f2eb8a21f0cc1d41d568d0fc22f42c0dba8e9fd5a07324c6c83475db64abaadcb6ce68613e1f1be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
6c6ac288c27be1d2769e57c29e5fc37a

SHA1
d2929385b326cf17dc9f9a23512085d01e65f7cc

SHA256
f9459d502b850fd70592d6523f8ca8d2b22cab951bb10bb6daa42aa31a8b9a3a

SHA512
4db58bcb36b0fd9ac05d9118519179c42edbc6eb70b449f10cac10c8942e0f48c5208d1cb9e7133f52ef7dd145cafd5e40a09f05f279d5dbf9734a8e26c54f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
65adf97f1a6eee7e6b565caeb5bcf187

SHA1
0a142dedb81aeff7d5b653f96ba29765b8731610

SHA256
9d8393aaa168a2f24dffddbf67eafc84d681842f25e1e9c299b1a72d2837b29b

SHA512
d188a708c834497a9202c97faa9d1c923f2b4a7db26b22fd23d954b4e73a1f66f8b7a4965ddeff08e803d1db4bda4ce30f5b31e1c5f9da8d09d7d75b1f868a3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
596523cc8a63c54ae5c8b303e475ce2f

SHA1
8bf44af7af796117be71abdefb6c1c2f7d2efab5

SHA256
6288b7d6b664911c338df6967d5c4fec861f0fc7749456b378765087c079bd50

SHA512
c93fa3e0477d3c808852d9288429f2b7098ec35b8c4b20448c3551bfc0a4c475eee8c5ab7757552ca59b2388e484c94359bbaa8d3d6ee8b23347f707f9eca943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2fe933810a0f80350d54e39935b5ab11

SHA1
463fad74689c8787338b76185b485e1f3e140bce

SHA256
47ee577ef46e957dfddc2f6bb6dab125dc5eb07d2c3a77911e41ca49e05908d9

SHA512
cf62082a4296e87ccb5095da2c4eb733bdb12eecd03266103b4cdf277a41aaa2470cb50c3714e8ca08d0b72dd1d727368760e38f0c3e9e1b15de018ed7892129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bfe8049871aafb828bff75d56689b863

SHA1
512fb14e1aaf15433fa6f9a3b326e392d3b423df

SHA256
89b18f8ff087c7497bb7bef3e1ddd99efde953ca8920c4ed7130b6c40acc2c99

SHA512
98c89228374d7c34fca96e4adcd3a147033fdf80c38fea7c6cbfc3a1a426058fb931006c77401b4ba00502644053e8349c0c704a21aa6b7893167c448030749b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c3e6c92472af39b0b27d2672c7f89103

SHA1
10718ddc7df565339d3cb095286b71bae314d44b

SHA256
ccc57812f133368ce006b95a6a37ca96b9d28ebe57d8d4f499b5a5cfb049fd46

SHA512
9420fc136de10fa96c31ea457c33565f4b5000584cb1a53a5d5fcb64770233cfa4dcde61c1e2cfca5056fa63fff071abfcbafc3085d5071b9333ab7ff614c2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5bf5c59cd85d291be59a24a4c7e0b1da

SHA1
69d88d407d704746b0a5668a71a1c71c5a6d1452

SHA256
fffdd0cfabf2a6b27093c9224befec2170f84e73443b8daaaaf440ba947b062d

SHA512
2e8fedaf4decbfcf337425ab211dc4371d1b72e965334ed186671b964820a1618a029a6def7ba3f17edcd94094bb0cfda876bd588d3c103c2dd2d3d21b780144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
161e75f8a235ad62808aefb4261377c4

SHA1
def6c314d397eb572b16d8324753db81ffcd21c1

SHA256
084fbaac729edd436ba9659246e9d924a2a6b1c680976ee30d86ac8fb7d8f121

SHA512
ab6c0b9ba6cb8fb26b2c41191bdc4d685068fb0dcc301321762c473abb7fad12e1f592c817b7159ec1365fe04a09baaef5922b928971fcf70d82a71bb883c4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
76fe8275482a88e84ce236ccaad1503c

SHA1
0c69cf02b2c7b24ab195ef537c57513df81b4471

SHA256
cea80f869c31209fe17fbb5247144ae1d29631e9db1a600733a4c31e2b7accf1

SHA512
1c5654603b24298513ff5f6f42f1f7105285e78f1a19846c7e5fac7535c8bd98280520748172c5ba2e78f2ca646b7b3b957453a6ab20ebf26818485b1776e524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be0d8aec16db1e5ba3be351ab756e313

SHA1
86af6491cd572e5c631a576af8b43fce98ebbc7a

SHA256
1ba72a06d32193770603add59929d8694b09f5f3795cab7e6f2f9c68338a4c36

SHA512
0b5503ecd7a0d483fd54caeae1269e0e8a14df2ec388f8f7a8810c18d516c86612974289bcc278e89a340d507d793a78aabdec1b76c4269a06cc75d1f1bb866f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
206266b8ef3b42b39408f57033248e8a

SHA1
cc5d8913a451953b441f23ebe6db2b0a81846c8e

SHA256
b41ec4e9e539bdf5e0fe2d37a2c544c2a06df1ec424ea0f7421c259152c683df

SHA512
4885ad860477d060f1fbf7df9f8e219d91f6e12d79c6d117695a6643745b42bd491bd2e96074db4df8be2a8aaa852be6f3e938f7e227309872121b297cd5c6f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDCF.tmp\CDE0.tmp\CDE1.bat

Filesize
94KB

MD5
0342deb32350aad69aee10ed785cf081

SHA1
be5788c25ca3a0a42311eb52e6755ad2df5f4700

SHA256
eaf43b3644a3624e3560f4cc538fdffab9d8461a5626968972172c4443ec04aa

SHA512
8d1842eedc87f8b0d49fe01b127dc1ab8dfbf5ee33dd5920ee4e6ee428ffb6130922951d20a25067a37bac58891aa06e83d97f51763c93cb10748c0b46b79507

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_opbxekvf.gfi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\PC ZONE FREE UTILITY V1.exe

Filesize
276KB

MD5
038b650ea8fa86341904193436dae791

SHA1
204a4cd4258c9db5e9ab4ae038e25d9c288791ed

SHA256
e64696fd2027f8611c05f177df114846e24f194eb7b40bce87b3c7b94ea26135

SHA512
14d465d0962ab554f876e8dde65f58a74ec57b44c847821e4ee42263cd8bd423a8394ebbafba9b5465ef6059382eac41e2c5609b0d7542b4c805fae0196f8256

Download Submit
C:\Users\Admin\Downloads\PC ZONE FREE UTILITY V1.rar

Filesize
208KB

MD5
a291bd8ead4f979a6de74d34b303e2ab

SHA1
372d39c6e69394ffc291809b3d22ba639233cfb3

SHA256
bfee5106441fb74dc88e4d8e5e472f98f14a854cacb16988986cb2336bb45493

SHA512
8201187a3b7916e258eb6d1caefbd9608c158dc88b5de53f2ea0a4c4fde0b97885f35543310be6c8e8faee9cb843d2e69e8c84095bec9eb1b76d0ae0572ed09f

Download Submit
memory/3048-645-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-647-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-641-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-642-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-635-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-637-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-636-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-643-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-646-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/3048-644-0x000001A419AA0000-0x000001A419AA1000-memory.dmp

Filesize
4KB

Download
memory/4032-302-0x00000163EFE60000-0x00000163EFE86000-memory.dmp

Filesize
152KB

Download
memory/4032-290-0x00000163EF040000-0x00000163EF062000-memory.dmp

Filesize
136KB

Download
memory/4032-301-0x00000163EF0A0000-0x00000163EF0AA000-memory.dmp

Filesize
40KB

Download
memory/4032-300-0x00000163EF0B0000-0x00000163EF0C6000-memory.dmp

Filesize
88KB

Download