ef26956b8c6af8701e5ad7d330ce3d7a72991050810081cd941c8e6025631298

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.bat
Size

25KB
MD5

d6af1f37bf427404f796c1c0389531f4
SHA1

12cd5dd5dc21bb0b241227c6227e8111a7e7cb1c
SHA256

ef26956b8c6af8701e5ad7d330ce3d7a72991050810081cd941c8e6025631298
SHA512

199a0426dfed7ab54d551c390f5a41237b63812a0ab14c4b8a7ff4b79305f332df57bebba17a6f37ee5fd5fc5d55831e86e3baf47de07e7e06531d31553077d8
SSDEEP

384:rKPdJlw8FsN2LdQjmfyHIruEDHs2OOcuEDHsax68:AFsYL7ruEDHs2guEDHsav

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4936	sc.exe
4044	sc.exe
3144	sc.exe
3092	sc.exe
744	sc.exe
4268	sc.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2356	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe
Key created	\REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search	reg.exe
Key created	\REGISTRY\USER\!USER_SID!	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2488	4272	cmd.exe	85
PID 4272 wrote to memory of 2488	4272	cmd.exe	85
PID 4272 wrote to memory of 2020	4272	cmd.exe	86
PID 4272 wrote to memory of 2020	4272	cmd.exe	86
PID 4272 wrote to memory of 3184	4272	cmd.exe	91
PID 4272 wrote to memory of 3184	4272	cmd.exe	91
PID 4272 wrote to memory of 1412	4272	cmd.exe	92
PID 4272 wrote to memory of 1412	4272	cmd.exe	92
PID 4272 wrote to memory of 5024	4272	cmd.exe	93
PID 4272 wrote to memory of 5024	4272	cmd.exe	93
PID 4272 wrote to memory of 4392	4272	cmd.exe	94
PID 4272 wrote to memory of 4392	4272	cmd.exe	94
PID 4272 wrote to memory of 2400	4272	cmd.exe	95
PID 4272 wrote to memory of 2400	4272	cmd.exe	95
PID 4272 wrote to memory of 2340	4272	cmd.exe	96
PID 4272 wrote to memory of 2340	4272	cmd.exe	96
PID 4272 wrote to memory of 4892	4272	cmd.exe	97
PID 4272 wrote to memory of 4892	4272	cmd.exe	97
PID 4272 wrote to memory of 4496	4272	cmd.exe	98
PID 4272 wrote to memory of 4496	4272	cmd.exe	98
PID 4272 wrote to memory of 3120	4272	cmd.exe	99
PID 4272 wrote to memory of 3120	4272	cmd.exe	99
PID 4272 wrote to memory of 1768	4272	cmd.exe	100
PID 4272 wrote to memory of 1768	4272	cmd.exe	100
PID 4272 wrote to memory of 4792	4272	cmd.exe	101
PID 4272 wrote to memory of 4792	4272	cmd.exe	101
PID 4272 wrote to memory of 4972	4272	cmd.exe	102
PID 4272 wrote to memory of 4972	4272	cmd.exe	102
PID 4272 wrote to memory of 4620	4272	cmd.exe	103
PID 4272 wrote to memory of 4620	4272	cmd.exe	103
PID 4272 wrote to memory of 4380	4272	cmd.exe	104
PID 4272 wrote to memory of 4380	4272	cmd.exe	104
PID 4272 wrote to memory of 972	4272	cmd.exe	105
PID 4272 wrote to memory of 972	4272	cmd.exe	105
PID 4272 wrote to memory of 748	4272	cmd.exe	106
PID 4272 wrote to memory of 748	4272	cmd.exe	106
PID 4272 wrote to memory of 948	4272	cmd.exe	107
PID 4272 wrote to memory of 948	4272	cmd.exe	107
PID 4272 wrote to memory of 4744	4272	cmd.exe	108
PID 4272 wrote to memory of 4744	4272	cmd.exe	108
PID 4272 wrote to memory of 5072	4272	cmd.exe	109
PID 4272 wrote to memory of 5072	4272	cmd.exe	109
PID 4272 wrote to memory of 1808	4272	cmd.exe	110
PID 4272 wrote to memory of 1808	4272	cmd.exe	110
PID 4272 wrote to memory of 1504	4272	cmd.exe	111
PID 4272 wrote to memory of 1504	4272	cmd.exe	111
PID 4272 wrote to memory of 1492	4272	cmd.exe	112
PID 4272 wrote to memory of 1492	4272	cmd.exe	112
PID 4272 wrote to memory of 3368	4272	cmd.exe	113
PID 4272 wrote to memory of 3368	4272	cmd.exe	113
PID 4272 wrote to memory of 3508	4272	cmd.exe	114
PID 4272 wrote to memory of 3508	4272	cmd.exe	114
PID 4272 wrote to memory of 1200	4272	cmd.exe	115
PID 4272 wrote to memory of 1200	4272	cmd.exe	115
PID 4272 wrote to memory of 3684	4272	cmd.exe	116
PID 4272 wrote to memory of 3684	4272	cmd.exe	116
PID 4272 wrote to memory of 432	4272	cmd.exe	117
PID 4272 wrote to memory of 432	4272	cmd.exe	117
PID 4272 wrote to memory of 324	4272	cmd.exe	118
PID 4272 wrote to memory of 324	4272	cmd.exe	118
PID 4272 wrote to memory of 2008	4272	cmd.exe	119
PID 4272 wrote to memory of 2008	4272	cmd.exe	119
PID 4272 wrote to memory of 2840	4272	cmd.exe	120
PID 4272 wrote to memory of 2840	4272	cmd.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\main.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:2020
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
  2⤵
  PID:3184
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
  2⤵
  PID:1412
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
  2⤵
  PID:5024
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
  2⤵
  PID:4392
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
  2⤵
  PID:2400
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
  2⤵
  PID:2340
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
  2⤵
  PID:4892
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
  2⤵
  PID:4496
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
  2⤵
  PID:3120
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
  2⤵
  PID:1768
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
  2⤵
  PID:4792
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
  2⤵
  PID:4972
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
  2⤵
  PID:4620
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
  2⤵
  PID:4380
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
  2⤵
  PID:972
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
  2⤵
  PID:748
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
  2⤵
  PID:948
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
  2⤵
  PID:4744
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
  2⤵
  PID:5072
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
  2⤵
  PID:1808
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
  2⤵
  PID:1504
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
  2⤵
  PID:1492
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
  2⤵
  PID:3368
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
  2⤵
  PID:3508
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
  2⤵
  PID:1200
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
  2⤵
  PID:3684
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
  2⤵
  PID:432
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
  2⤵
  PID:324
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
  2⤵
  PID:2008
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
  2⤵
  PID:2840
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
  2⤵
  PID:1588
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
  2⤵
  PID:2996
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
  2⤵
  PID:216
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
  2⤵
  PID:1368
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
  2⤵
  PID:2732
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
  2⤵
  PID:3768
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
  2⤵
  PID:2348
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
  2⤵
  PID:3272
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
  2⤵
  PID:1856
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
  2⤵
  PID:1476
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
  2⤵
  PID:3592
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
  2⤵
  PID:908
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
  2⤵
  PID:3668
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
  2⤵
  PID:3084
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
  2⤵
  PID:3112
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
  2⤵
  PID:1356
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
  2⤵
  PID:4200
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
  2⤵
  PID:3504
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
  2⤵
  PID:4268
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
  2⤵
  PID:4936
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
  2⤵
  PID:4800
- C:\Windows\system32\schtasks.exe
  schtasks /change /TN "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
  2⤵
  PID:4152
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoftd\Office\OfficeTelemetryAgentFallBack"
  2⤵
  PID:3164
- C:\Windows\system32\schtasks.exe
  schtasks /change /TN "\Microsoftd\Office\OfficeTelemetryAgentFallBack" /disable
  2⤵
  PID:1716
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Office\Office 15 Subscription Heartbeat"
  2⤵
  PID:2364
- C:\Windows\system32\schtasks.exe
  schtasks /change /TN "\Microsoft\Office\Office 15 Subscription Heartbeat" /disable
  2⤵
  PID:864
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime"
  2⤵
  PID:4192
- C:\Windows\system32\schtasks.exe
  schtasks /change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /disable
  2⤵
  PID:3020
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Time Synchronization\SynchronizeTime"
  2⤵
  PID:4072
- C:\Windows\system32\schtasks.exe
  schtasks /change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /disable
  2⤵
  PID:1212
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update"
  2⤵
  PID:1104
- C:\Windows\system32\schtasks.exe
  schtasks /change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /disable
  2⤵
  PID:4424
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
  2⤵
  PID:4996
- C:\Windows\system32\schtasks.exe
  schtasks /change /TN "\Microsoft\Windows\Device Information\Device" /disable
  2⤵
  PID:3148
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:2356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AppModel" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Cellcore" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Circular Kernel Context Logger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3988
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\CloudExperienceHostOobe" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4884
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DataMarket" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2676
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:516
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1816
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\HolographicDevice" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\iclsClient" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1252
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\iclsProxy" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1536
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\LwtNetLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4348
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Mellanox-Kernel" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4324
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-AssignedAccess-Trace" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Microsoft-Windows-Setup" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2020
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NBSMBLOGGER" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4032
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\PEAuthLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\RdrLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ReadyBoot" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatform" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2472
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SetupPlatformTel" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SocketHeciServer" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SpoolerLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4828
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:5060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TCPIPLOGGER" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2256
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TileStore" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4896
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Tpm" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\TPMProvisioningService" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:1456
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\UBPM" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3568
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WFP-IPsec Trace" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSession" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4216
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiDriverIHVSessionRepro" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:3932
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:2688
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WinPhoneCritical" /v "Start" /t REG_DWORD /d "0" /f
  2⤵
  PID:4004
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogEnable" /t REG_DWORD /d "0" /f
  2⤵
  PID:2752
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF" /v "LogLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:1600
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableThirdPartySuggestions" /t REG_DWORD /d "1" /f
  2⤵
  PID:1152
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v "DisableWindowsConsumerFeatures" /t REG_DWORD /d "1" /f
  2⤵
  PID:2060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Credssp" /v "DebugLogLevel" /t REG_DWORD /d "0" /f
  2⤵
  PID:1532
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
  2⤵
  PID:4944
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
  2⤵
  PID:2248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f
  2⤵
  PID:3936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  2⤵
  PID:4968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:1560
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f
  2⤵
  PID:3304
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2932
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f
  2⤵
  PID:4868
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f
  2⤵
  PID:1520
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2724
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1672
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5064
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
  2⤵
  PID:4444
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3824
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4572
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3336
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc stop DiagTrack
  2⤵
  - Launches sc.exe
  PID:4044
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  - Launches sc.exe
  PID:3144
- C:\Windows\system32\sc.exe
  sc stop dmwappushservice
  2⤵
  - Launches sc.exe
  PID:3092
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  - Launches sc.exe
  PID:744
- C:\Windows\system32\sc.exe
  sc stop diagnosticshub.standardcollector.service
  2⤵
  - Launches sc.exe
  PID:4268
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  - Launches sc.exe
  PID:4936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4800
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "DoReport" /t REG_DWORD /d "0" /f
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "LoggingDisabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:3164
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting" /v "DoReport" /t REG_DWORD /d "0" /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:2364
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:864
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4192
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3020
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4072
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1212
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4424
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3148
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
  2⤵
  PID:2648
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:3564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:1608
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:32
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3856
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4452
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f
  2⤵
  PID:4540
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4544
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0"
  2⤵
  PID:984
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:4332
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:5024
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4392
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2400
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
  2⤵
  PID:2340
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:3384
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:1768
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4792
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:4216
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4620
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:4380
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:972
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:748
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:948
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f
  2⤵
  PID:4744
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5072
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
  2⤵
  PID:1532
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
  2⤵
  PID:1504
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
  2⤵
  PID:1492
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
  2⤵
  PID:3368
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
  2⤵
  PID:5044
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
  2⤵
  PID:2840
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
  2⤵
  PID:1588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2996
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2124
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2016
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f
  2⤵
  PID:2968
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2592
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3760
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:3836
- C:\Windows\system32\reg.exe
  Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:4748
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:764
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3380
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
  2⤵
  PID:3500
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
  2⤵
  PID:3420
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
  2⤵
  PID:4680
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2076
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:4044
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:4448
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f
  2⤵
  PID:3488
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f
  2⤵
  PID:4060
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:4992
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisableDiagnosticTracing" /t REG_DWORD /d "1" /f
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3100
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
  2⤵
  PID:3660
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
  2⤵
  PID:4668
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
  2⤵
  PID:740
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
  2⤵
  PID:728
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
  2⤵
  PID:4608
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
  2⤵
  PID:3404
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
  2⤵
  PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
  2⤵
  PID:3856