03a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8

Analysis

max time kernel
188s
max time network
192s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Optimizer-16.7.exe
Size

2.5MB
MD5

7f57207f221db2b08e27d64bc9121b28
SHA1

3bfc4b12a533ee1ce62e5d348027d4ac90ab49db
SHA256

03a234060541b686ac4265754aff43df9325c21383f90e17f831e67965d717f8
SHA512

7cc44ff1c3210db2478f4e37fef23669f0425b1b1672fc5f53956890daccb84b32fa25c8da9f7ce0cd1deb9e697e46cdae0762a0af818f98b93544b8e39f8a25
SSDEEP

24576:zv5MZtiOMKNOJMv9EC8oJ8VxHuDBjk38WuBcAbwoA/BkjSHXP36RMG:zxMZtiOMK9EC8oa6CSA/Bkj0

Score

10^/10

defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	Optimizer-16.7.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 6 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe	Optimizer-16.7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe	Optimizer-16.7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software_reporter_tool.exe	Optimizer-16.7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software_reporter_tool.exe\Debugger = "%windir%\\System32\\taskkill.exe"	Optimizer-16.7.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1224	icacls.exe
3640	icacls.exe
1480	icacls.exe
6932	icacls.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1012	cmd.exe
4848	powercfg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2232	sc.exe
2392	sc.exe
2448	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2924	vssadmin.exe

Modifies Control Panel 13 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\MenuShowDelay = "0"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Mouse\MouseHoverTime = "0"	Optimizer-16.7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\UnsupportedHardwareNotificationCache\SV2 = "0"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\DockMoving = "0"	Optimizer-16.7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\AutoEndTasks = "1"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\HungAppTimeout = "1000"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\WaitToKillAppTimeout = "2000"	Optimizer-16.7.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\UnsupportedHardwareNotificationCache	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Accessibility\StickyKeys\Flags = "506"	Optimizer-16.7.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0"	Optimizer-16.7.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Privacy\TailoredExperiencesWithDiagnosticDataEnabled = "0"	Optimizer-16.7.exe
Key created	\REGISTRY\USER\.DEFAULT	Optimizer-16.7.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Privacy	Optimizer-16.7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Optimizer-16.7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	Optimizer-16.7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics	Optimizer-16.7.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133726247657533972"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\StickyKeys\Flags = "506"	Optimizer-16.7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Optimizer-16.7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	Optimizer-16.7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack	Optimizer-16.7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\ShowedToastAtLevel = "1"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\Keyboard Response\Flags = "122"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\ToggleKeys\Flags = "58"	Optimizer-16.7.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings\DownloadMode = "0"	Optimizer-16.7.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell\Image Preview	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Optimizer-16.7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Optimizer-16.7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\shell\open\command\ = "%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\EditFlags = "65536"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Optimizer-16.7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Optimizer-16.7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Copy To	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\print\command\ = "%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\FriendlyTypeName = "@%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll,-3055"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\FriendlyTypeName = "@%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll,-3056"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\FriendlyTypeName = "@%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll,-3055"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\shell\open\MuiVerb = "@%ProgramFiles%\\Windows Photo Viewer\\photoviewer.dll,-3043"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\shell\open	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\Move To	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\MuiVerb = "@photoviewer.dll,-3043"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	Optimizer-16.7.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Optimizer-16.7.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}	Optimizer-16.7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-72"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\ImageOptionFlags = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell\Image Preview\DropTarget\{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\EditFlags = "65536"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\shell\open\DropTarget\Clsid = "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Gif\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\shell\open\MuiVerb = "@%ProgramFiles%\\Windows Photo Viewer\\photoviewer.dll,-3043"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\shell\open\DropTarget\Clsid = "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\ImageOptionFlags = "1"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000259ae7a12004170704461746100400009000400efbe0259ae7a4559258f2e0000005b5702000000010000000000000000000000000000007c3929004100700070004400610074006100000016000000	Optimizer-16.7.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	Optimizer-16.7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Gif\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open\command\ = "%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Optimizer-16.7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Optimizer-16.7.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\photoviewer.dll\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Gif\shell\open\command\ = "%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	Optimizer-16.7.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Optimizer-16.7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-72"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Wdp\shell\open\command	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Gif	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Png\shell\open\DropTarget\Clsid = "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shell\Image Preview\command\ = "%SystemRoot%\\System32\\rundll32.exe \"%ProgramFiles%\\Windows Photo Viewer\\PhotoViewer.dll\", ImageView_Fullscreen %1"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\	Optimizer-16.7.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32	Optimizer-16.7.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\ImageOptionFlags = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Bitmap\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.JFIF\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhotoViewer.FileAssoc.Jpeg\shell\open\MuiVerb = "@%ProgramFiles%\\Windows Photo Viewer\\photoviewer.dll,-3043"	regedit.exe

Runs .reg file with regedit 2 IoCs

pid	Process
476	regedit.exe
600	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5060	Optimizer-16.7.exe
3680	chrome.exe
3680	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5060	Optimizer-16.7.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 57 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	Optimizer-16.7.exe
Token: SeTakeOwnershipPrivilege	5060	Optimizer-16.7.exe
Token: SeTakeOwnershipPrivilege	5060	Optimizer-16.7.exe
Token: SeShutdownPrivilege	4848	powercfg.exe
Token: SeCreatePagefilePrivilege	4848	powercfg.exe
Token: SeShutdownPrivilege	4848	powercfg.exe
Token: SeCreatePagefilePrivilege	4848	powercfg.exe
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5060	Optimizer-16.7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2672	5060	Optimizer-16.7.exe	80
PID 5060 wrote to memory of 2672	5060	Optimizer-16.7.exe	80
PID 2672 wrote to memory of 2232	2672	cmd.exe	82
PID 2672 wrote to memory of 2232	2672	cmd.exe	82
PID 5060 wrote to memory of 3956	5060	Optimizer-16.7.exe	83
PID 5060 wrote to memory of 3956	5060	Optimizer-16.7.exe	83
PID 3956 wrote to memory of 2568	3956	cmd.exe	85
PID 3956 wrote to memory of 2568	3956	cmd.exe	85
PID 5060 wrote to memory of 476	5060	Optimizer-16.7.exe	86
PID 5060 wrote to memory of 476	5060	Optimizer-16.7.exe	86
PID 5060 wrote to memory of 4016	5060	Optimizer-16.7.exe	87
PID 5060 wrote to memory of 4016	5060	Optimizer-16.7.exe	87
PID 4016 wrote to memory of 2016	4016	cmd.exe	89
PID 4016 wrote to memory of 2016	4016	cmd.exe	89
PID 4016 wrote to memory of 2304	4016	cmd.exe	90
PID 4016 wrote to memory of 2304	4016	cmd.exe	90
PID 4016 wrote to memory of 1788	4016	cmd.exe	91
PID 4016 wrote to memory of 1788	4016	cmd.exe	91
PID 4016 wrote to memory of 4848	4016	cmd.exe	92
PID 4016 wrote to memory of 4848	4016	cmd.exe	92
PID 5060 wrote to memory of 4484	5060	Optimizer-16.7.exe	93
PID 5060 wrote to memory of 4484	5060	Optimizer-16.7.exe	93
PID 4484 wrote to memory of 340	4484	cmd.exe	95
PID 4484 wrote to memory of 340	4484	cmd.exe	95
PID 5060 wrote to memory of 32	5060	Optimizer-16.7.exe	96
PID 5060 wrote to memory of 32	5060	Optimizer-16.7.exe	96
PID 32 wrote to memory of 2388	32	cmd.exe	98
PID 32 wrote to memory of 2388	32	cmd.exe	98
PID 5060 wrote to memory of 4980	5060	Optimizer-16.7.exe	100
PID 5060 wrote to memory of 4980	5060	Optimizer-16.7.exe	100
PID 4980 wrote to memory of 1224	4980	cmd.exe	102
PID 4980 wrote to memory of 1224	4980	cmd.exe	102
PID 5060 wrote to memory of 1944	5060	Optimizer-16.7.exe	103
PID 5060 wrote to memory of 1944	5060	Optimizer-16.7.exe	103
PID 1944 wrote to memory of 4068	1944	cmd.exe	105
PID 1944 wrote to memory of 4068	1944	cmd.exe	105
PID 1944 wrote to memory of 1720	1944	cmd.exe	106
PID 1944 wrote to memory of 1720	1944	cmd.exe	106
PID 1944 wrote to memory of 4648	1944	cmd.exe	107
PID 1944 wrote to memory of 4648	1944	cmd.exe	107
PID 1944 wrote to memory of 2796	1944	cmd.exe	108
PID 1944 wrote to memory of 2796	1944	cmd.exe	108
PID 1944 wrote to memory of 2496	1944	cmd.exe	109
PID 1944 wrote to memory of 2496	1944	cmd.exe	109
PID 1944 wrote to memory of 3296	1944	cmd.exe	110
PID 1944 wrote to memory of 3296	1944	cmd.exe	110
PID 1944 wrote to memory of 1564	1944	cmd.exe	111
PID 1944 wrote to memory of 1564	1944	cmd.exe	111
PID 1944 wrote to memory of 1508	1944	cmd.exe	112
PID 1944 wrote to memory of 1508	1944	cmd.exe	112
PID 1944 wrote to memory of 1856	1944	cmd.exe	113
PID 1944 wrote to memory of 1856	1944	cmd.exe	113
PID 1944 wrote to memory of 2120	1944	cmd.exe	114
PID 1944 wrote to memory of 2120	1944	cmd.exe	114
PID 1944 wrote to memory of 772	1944	cmd.exe	115
PID 1944 wrote to memory of 772	1944	cmd.exe	115
PID 1944 wrote to memory of 928	1944	cmd.exe	116
PID 1944 wrote to memory of 928	1944	cmd.exe	116
PID 1944 wrote to memory of 668	1944	cmd.exe	117
PID 1944 wrote to memory of 668	1944	cmd.exe	117
PID 1944 wrote to memory of 2616	1944	cmd.exe	118
PID 1944 wrote to memory of 2616	1944	cmd.exe	118
PID 1944 wrote to memory of 3948	1944	cmd.exe	119
PID 1944 wrote to memory of 3948	1944	cmd.exe	119

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus = "1"	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0"	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0"	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn = "1"	Optimizer-16.7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput	Optimizer-16.7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "0"	Optimizer-16.7.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Optimizer-16.7.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer-16.7.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Event Triggered Execution: Image File Execution Options Injection
- Modifies Control Panel
- Modifies Internet Explorer Phishing Filter
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\system32\sc.exe
    sc config "RemoteRegistry" start= disabled
    3⤵
    - Launches sc.exe
    PID:2232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked" /V {7AD84985-87B4-4a16-BE58-8B72A5B390F7} /T REG_SZ /D "Play to Menu" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked" /V {7AD84985-87B4-4a16-BE58-8B72A5B390F7} /T REG_SZ /D "Play to Menu" /F
    3⤵
    PID:2568
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\RestoreClassicPhotoViewer.reg"
  2⤵
  - Modifies registry class
  - Runs .reg file with regedit
  PID:476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableXboxTasks.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\XblGameSave\XblGameSaveTask"
    3⤵
    PID:2016
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\XblGameSave\XblGameSaveTask" /disable
    3⤵
    PID:2304
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\XblGameSave\XblGameSaveTaskLogon"
    3⤵
    PID:1788
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\XblGameSave\XblGameSaveTaskLogon" /disable
    3⤵
    PID:4848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
    3⤵
    PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\system32\icacls.exe
    icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
    3⤵
    - Modifies file permissions
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:4068
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:1720
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:4648
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:2796
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:2496
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:3296
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:1564
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:1508
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:1856
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:2120
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:772
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:928
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:668
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:2616
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:3948
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
    3⤵
    PID:2176
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:4644
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:364
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:3048
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:4868
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:3272
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:4740
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:5000
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:1456
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:3156
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:1156
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:4928
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:3536
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:1516
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:4248
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:4628
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:1344
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:4072
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:1500
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:4368
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:2776
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:3740
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:4620
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:3496
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:2620
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
    3⤵
    PID:5056
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    3⤵
    PID:4028
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:3660
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:1628
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:4488
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:2628
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:1840
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:1356
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
    3⤵
    PID:1244
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
    3⤵
    PID:3956
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
    3⤵
    PID:3620
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
    3⤵
    PID:4440
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
    3⤵
    PID:4588
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    3⤵
    PID:476
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    3⤵
    PID:3896
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    3⤵
    PID:4888
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    3⤵
    PID:3404
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
    3⤵
    PID:2540
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
    3⤵
    PID:3040
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    3⤵
    PID:3400
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
    3⤵
    PID:1480
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
    3⤵
    PID:4064
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
    3⤵
    PID:4016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\EnableTelemetryTasks.bat""
  2⤵
  PID:3480
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /enable
    3⤵
    PID:2632
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /enable
    3⤵
    PID:32
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /enable
    3⤵
    PID:4196
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /enable
    3⤵
    PID:5004
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /enable
    3⤵
    PID:2864
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable
    3⤵
    PID:2800
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable
    3⤵
    PID:2152
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /enable"
    3⤵
    PID:2236
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /enable
    3⤵
    PID:2104
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /enable
    3⤵
    PID:1448
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /enable
    3⤵
    PID:1984
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /enable
    3⤵
    PID:1860
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /enable
    3⤵
    PID:3288
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /enable
    3⤵
    PID:2132
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /enable
    3⤵
    PID:2872
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /enable
    3⤵
    PID:1592
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /enable
    3⤵
    PID:3472
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /enable
    3⤵
    PID:4412
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /enable
    3⤵
    PID:3504
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /enable
    3⤵
    PID:3420
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /enable
    3⤵
    PID:5064
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /enable
    3⤵
    PID:4964
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /enable
    3⤵
    PID:2724
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /enable
    3⤵
    PID:2056
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /enable
    3⤵
    PID:3112
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /enable
    3⤵
    PID:1620
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /enable
    3⤵
    PID:472
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /enable
    3⤵
    PID:4252
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /enable
    3⤵
    PID:3336
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /enable
    3⤵
    PID:1928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
  2⤵
  PID:1776
- - C:\Windows\system32\icacls.exe
    icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
    3⤵
    - Modifies file permissions
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
  2⤵
  PID:5016
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:1864
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:4460
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:2928
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:4768
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:3164
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:1576
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:4780
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:3028
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:2164
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:4624
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:1604
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:3952
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:4884
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:4504
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:1636
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
    3⤵
    PID:3056
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:3384
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:4632
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:1656
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:2548
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:2716
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:2324
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:4912
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:3996
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:468
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:4908
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:4792
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:4296
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:1644
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:2704
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:2596
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:4600
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:3256
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:3740
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:4620
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:3496
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:2620
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:5056
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:3612
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:4464
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
    3⤵
    PID:3488
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    3⤵
    PID:2232
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:4796
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:1284
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:2672
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:5028
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:1272
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:3052
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
    3⤵
    PID:3652
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
    3⤵
    PID:2568
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
    3⤵
    PID:3860
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
    3⤵
    PID:2168
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
    3⤵
    PID:4052
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    3⤵
    PID:600
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    3⤵
    PID:3492
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    3⤵
    PID:2784
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    3⤵
    PID:2340
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
    3⤵
    PID:2728
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
    3⤵
    PID:964
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    3⤵
    PID:2812
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
    3⤵
    PID:1956
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
    3⤵
    PID:1248
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
    3⤵
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\EnableTelemetryTasks.bat""
  2⤵
  PID:2052
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /enable
    3⤵
    PID:492
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /enable
    3⤵
    PID:4800
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /enable
    3⤵
    PID:340
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /enable
    3⤵
    PID:4032
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /enable
    3⤵
    PID:784
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable
    3⤵
    PID:860
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable
    3⤵
    PID:4264
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /enable"
    3⤵
    PID:4432
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /enable
    3⤵
    PID:4420
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /enable
    3⤵
    PID:2300
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /enable
    3⤵
    PID:2404
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /enable
    3⤵
    PID:2648
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /enable
    3⤵
    PID:3104
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /enable
    3⤵
    PID:1596
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /enable
    3⤵
    PID:4188
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /enable
    3⤵
    PID:2336
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /enable
    3⤵
    PID:2956
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /enable
    3⤵
    PID:4596
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /enable
    3⤵
    PID:788
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /enable
    3⤵
    PID:2484
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /enable
    3⤵
    PID:2140
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /enable
    3⤵
    PID:1732
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /enable
    3⤵
    PID:3888
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /enable
    3⤵
    PID:2144
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /enable
    3⤵
    PID:3960
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /enable
    3⤵
    PID:4660
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /enable
    3⤵
    PID:2884
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /enable
    3⤵
    PID:756
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /enable
    3⤵
    PID:1872
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /enable
    3⤵
    PID:4976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  2⤵
  PID:4980
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /tn NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    3⤵
    PID:4636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  2⤵
  PID:1504
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /tn NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    3⤵
    PID:3644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
  2⤵
  PID:4832
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /tn NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} /disable
    3⤵
    PID:4460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net.exe stop NvTelemetryContainer
  2⤵
  PID:2928
- - C:\Windows\system32\net.exe
    net.exe stop NvTelemetryContainer
    3⤵
    PID:4192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NvTelemetryContainer
      4⤵
      PID:2688
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc.exe config NvTelemetryContainer start= disabled
  2⤵
  PID:3776
- - C:\Windows\system32\sc.exe
    sc.exe config NvTelemetryContainer start= disabled
    3⤵
    - Launches sc.exe
    PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc.exe stop NvTelemetryContainer
  2⤵
  PID:4652
- - C:\Windows\system32\sc.exe
    sc.exe stop NvTelemetryContainer
    3⤵
    - Launches sc.exe
    PID:2448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
  2⤵
  PID:1052
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB"
    3⤵
    PID:3972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
  2⤵
  PID:2908
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /change /disable /tn "\Mozilla\Firefox Default Browser Agent D2CEEC440E2074BD"
    3⤵
    PID:3396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat""
  2⤵
  PID:1816
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
    3⤵
    PID:4296
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
    3⤵
    PID:1644
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
    3⤵
    PID:2704
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
    3⤵
    PID:2596
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack"
    3⤵
    PID:4600
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack" /disable
    3⤵
    PID:3256
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
    3⤵
    PID:3740
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3496
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:2620
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:5056
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3612
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4464
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3488
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:2232
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4796
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    3⤵
    PID:1284
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    3⤵
    PID:2672
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    3⤵
    PID:1272
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3052
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3652
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:2568
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:3860
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:4052
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe" /s "C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg"
  2⤵
  - Runs .reg file with regedit
  PID:600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
  2⤵
  PID:4060
- - C:\Windows\system32\icacls.exe
    icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
    3⤵
    - Modifies file permissions
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
  2⤵
  PID:4064
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:2380
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:872
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:1888
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:1528
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:4472
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:4876
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:5080
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:3984
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:2296
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:1260
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:3680
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:3292
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:2576
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:2220
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:3560
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
    3⤵
    PID:2096
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:3260
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:1676
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:3352
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:1572
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:2000
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:1128
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:2824
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:4820
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:4424
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:2780
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:200
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:1176
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:2856
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:1072
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:3804
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:1296
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:1620
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:472
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:352
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:2052
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:3100
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:3116
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:1172
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:3908
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
    3⤵
    PID:1928
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    3⤵
    PID:3644
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:2020
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:4676
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:1568
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:4460
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:3708
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:1864
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
    3⤵
    PID:3388
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
    3⤵
    PID:668
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
    3⤵
    PID:4192
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
    3⤵
    PID:2668
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
    3⤵
    PID:1520
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    3⤵
    PID:4112
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    3⤵
    PID:2392
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    3⤵
    PID:3020
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    3⤵
    PID:2176
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
    3⤵
    PID:364
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
    3⤵
    PID:2448
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    3⤵
    PID:2468
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
    3⤵
    PID:3048
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
    3⤵
    PID:3508
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
    3⤵
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\EnableTelemetryTasks.bat""
  2⤵
  PID:1656
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /enable
    3⤵
    PID:2240
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /enable
    3⤵
    PID:2324
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /enable
    3⤵
    PID:4928
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /enable
    3⤵
    PID:2316
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /enable
    3⤵
    PID:3140
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /enable
    3⤵
    PID:4296
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /enable
    3⤵
    PID:1644
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /enable"
    3⤵
    PID:2704
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /enable
    3⤵
    PID:2596
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /enable
    3⤵
    PID:4600
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /enable
    3⤵
    PID:1372
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /enable
    3⤵
    PID:4920
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /enable
    3⤵
    PID:5048
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /enable
    3⤵
    PID:2196
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /enable
    3⤵
    PID:3120
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /enable
    3⤵
    PID:2136
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /enable
    3⤵
    PID:2060
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /enable
    3⤵
    PID:3484
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /enable
    3⤵
    PID:2348
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /enable
    3⤵
    PID:2248
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /enable
    3⤵
    PID:3624
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /enable
    3⤵
    PID:2184
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /enable
    3⤵
    PID:5032
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /enable
    3⤵
    PID:4536
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /enable
    3⤵
    PID:3956
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /enable
    3⤵
    PID:664
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /enable
    3⤵
    PID:4440
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /enable
    3⤵
    PID:1104
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /enable
    3⤵
    PID:2360
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /enable
    3⤵
    PID:1952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C fsutil behavior set disablelastaccess 1
  2⤵
  PID:2940
- - C:\Windows\system32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:3404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powercfg -h off
  2⤵
  - Power Settings
  PID:1012
- - C:\Windows\system32\powercfg.exe
    powercfg -h off
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Windows\SYSTEM32\vssadmin.exe
  "vssadmin" delete shadows /for=c: /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
  2⤵
  PID:2924
- - C:\Windows\system32\icacls.exe
    icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
    3⤵
    - Modifies file permissions
    PID:6932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
  2⤵
  PID:5664
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:6940
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:6960
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:6972
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:6124
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:6068
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:6136
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:7032
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:6392
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:6396
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:6448
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:6004
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:5704
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:6060
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:6092
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:6692
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
    3⤵
    PID:6704
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:6560
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:7048
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:5572
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:6752
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:6764
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:6788
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:7060
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:7072
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:5920
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:5928
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:5956
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:7080
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:6824
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:6844
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:6868
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:7088
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:1528
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:2312
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:2132
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:5052
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:6728
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:6356
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:6520
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:5880
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
    3⤵
    PID:5228
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
    3⤵
    PID:2728
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:5324
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:6548
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:7108
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:5340
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:7120
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:6528
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
    3⤵
    PID:5816
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
    3⤵
    PID:7128
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
    3⤵
    PID:6456
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
    3⤵
    PID:6348
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
    3⤵
    PID:6492
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    3⤵
    PID:5912
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    3⤵
    PID:6148
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    3⤵
    PID:7136
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    3⤵
    PID:6200
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
    3⤵
    PID:6792
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
    3⤵
    PID:5828
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    3⤵
    PID:5232
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
    3⤵
    PID:6272
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
    3⤵
    PID:7152
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
    3⤵
    PID:5520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff1d6cc40,0x7ffff1d6cc4c,0x7ffff1d6cc58
  2⤵
  PID:3292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2112,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4540,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4568 /prefetch:8
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4564,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3568,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4648 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4920,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4520,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4252,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5292,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5368,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5524,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5684,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5860,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6116,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6208,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6196,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6180,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6504,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6660,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7052,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=7072,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=7240,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=7408,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=7520,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7664,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7508,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7808,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7960 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7976,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8128 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=8088,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8092 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=8392,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8380 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=8004,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7944 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=8020,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7564 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=8028,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8080 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8108,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8036 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=8604,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8616 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=7872,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7692 /prefetch:1
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=8636,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8832 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=8336,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=8296,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8332 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=7640,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8272 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=7720,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7760 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=6316,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7684 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=6760,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8388,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8548 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=9336,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=8384 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=9392,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9492 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=9484,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9632 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=9528,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9780 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=9764,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9920 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=9908,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=10068 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=10208,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=10076 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=10236,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=10356 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=10380,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=10504 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=7556,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=9644 /prefetch:1
  2⤵
  PID:6336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=10780,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=10740 /prefetch:1
  2⤵
  PID:6344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=9520,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=10928 /prefetch:1
  2⤵
  PID:6352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=11136,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=11076 /prefetch:1
  2⤵
  PID:6504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=10640,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=10524 /prefetch:1
  2⤵
  PID:6556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=11360,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7992 /prefetch:1
  2⤵
  PID:6684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=6792,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=11528 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=8340,i,4380895874643073301,10848044960463997517,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=7732 /prefetch:1
  2⤵
  PID:6952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff1d6cc40,0x7ffff1d6cc4c,0x7ffff1d6cc58
  2⤵
  PID:780

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2264

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D0
1⤵
PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Optimizer\Optimizer.log

Filesize
803B

MD5
793c5f930605b0eae4ad087aeae3c780

SHA1
afadaa56ab81ce675fdd12750e36254a265ab736

SHA256
0753154dab118d004043fd70417fe2dde227794f1847865ec78d891d1ca336c7

SHA512
2829a996800dc8b8d8dc10fa8050db86aa0aba65d605502f89fbf5320d8967670a94fa2c2afa59c84294875a67633bd8e1527d51dffc7234362cf23fed5cf99b

Download Submit
C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.bat

Filesize
2KB

MD5
fed75b5cb9d9f4ec5ee22b8fd304ccf7

SHA1
1b4bdac9ac71fdee3bae90e52fcec60c88d7fa9d

SHA256
d884c0d04ba09b113d9439d2f8c0b7ed322111ae2e3ed802f6a95278ff8e0ac2

SHA512
36bed8311050f8c79e766678c59bb65177630279af8b4d2302aaf6146157887e1fb744785ac7f3290519778a592fb4d90fb7b7b9420e7346efdfec1085bf34e9

Download Submit
C:\ProgramData\Optimizer\Required\DisableOfficeTelemetryTasks.reg

Filesize
648B

MD5
7f7b192506491e4105e2ae1cf5ea9067

SHA1
5dafd2516bd4a4b3d230624f8ea590f640e2c381

SHA256
41cf9db9e395349b94ec7a1ee99db68062f27bf95c3b364aa6b035dc39ff1dc0

SHA512
5fcfbec12316f24bdbadb3d4a018945de9afb849fcfc026e601728b1dce107eaf1b8ce56d5e646461006a45bb305f16e3160d760649f7716b70a3e2fd195763f

Download Submit
C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat

Filesize
5KB

MD5
cb03c3144aaff8fb1c3497c403c2b60f

SHA1
ba4380abb20eaaeb638cdb142452def731817212

SHA256
abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3

SHA512
d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660

Download Submit
C:\ProgramData\Optimizer\Required\DisableXboxTasks.bat

Filesize
274B

MD5
39618d49de20114a6e4412507c4ad156

SHA1
324ce0b434e8d80da59606e7bc9e59b0fb2a1419

SHA256
aff075485c4139ec19fa8c3ea1f9afdcd4c3b6894bb93a56474273e027a7162f

SHA512
71c442edda586bdc83581cda6a509cf6f264961257521a86b0007a60495d56ebcb263b56ad2a14e6d79f8dc132c246a4ecf1595ac036895fc4001a1f47c2e9fe

Download Submit
C:\ProgramData\Optimizer\Required\EnableTelemetryTasks.bat

Filesize
2KB

MD5
4700fe640f1a6bd4a966095fd30d68c3

SHA1
04a5a9adac324c342f5252c0e918a0dff8b44c55

SHA256
71c1f51369f77ee8c61d26d672b674b633fb3d33a5957bccc8577d73ca8ebb5d

SHA512
882b7ef37515497bec5a6227b5acfd0258adc5f4fd66fd34ce4868d2927de7080a95326afefed4708eea031f8a1197ad0b5344ff882b2fa1059bc4ff345e0be6

Download Submit
C:\ProgramData\Optimizer\Required\RestoreClassicPhotoViewer.reg

Filesize
13KB

MD5
a6717648be41dd11686dd969708c6006

SHA1
7d4b1b67e102eebd7207a3aaeade56f8384b29b9

SHA256
c44fe1f158db74cc7db7d54303ae65a6497a60b3a44bfcfc67f13a3a540039cd

SHA512
47a3c614eefd9a90202ad3e7703b22f23baaacdfc10272bd6040e216c5a41603a99edfd3f6bcd6c449ea9f4b761d952a7400e4ce8f824f36e58ba148cf43e18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
355a34426afd246dae98ee75b90b79c2

SHA1
3011156636ac09b2665b8521d662f391c906e912

SHA256
f073bb41e3fb1650fdaa5ab3a2fe7f3db91f53b9457d65d58eb29bcc853d58e0

SHA512
e848fd8ff071e49f584c9cf27c4c6b3bddc522e18ce636fce5802fcc1da8c36c90d331ae5097b60e795f0f967141b2c4293d39632e10334cba3fdc0f9cd1bc34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3cc14aebaa40505f4c1986f63586147d

SHA1
a14618b26d99d31d3612deed5a0f0a7c2393d654

SHA256
8249f45e549d20ed878c4466b87fcc3c807ae47073c6f12cbc1469e908d4e7ac

SHA512
0dd1f51afc3a707dec53447b5992e10ce8388835440a70891da05adda5d242e61dfaee06882d235a3f5b10edeace675ef98bb21ea5f2a0d4064d462ae7934cc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
16KB

MD5
9c6b5ce6b3452e98573e6409c34dd73c

SHA1
de607fadef62e36945a409a838eb8fc36d819b42

SHA256
cd729039a1b314b25ea94b5c45c8d575d3387f7df83f98c233614bf09484a1fc

SHA512
4cfd6cc6e7af1e1c300a363a9be2c973d1797d2cd9b9009d9e1389b418dde76f5f976a6b4c2bf7ad075d784b5459f46420677370d72a0aaacd0bd477b251b8d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
63KB

MD5
a5cc79fbd666432c461daec09604f082

SHA1
9a3df93d85aca657c5c8b60f9b4063128319647e

SHA256
9a7f91177674363a59d898f41192d993f0dab2ce2c93a180b6d1042ea4b9e279

SHA512
f93ebbb16738cae18477a0bd833098abee3a77880b8623ae2a462ee8e209487045121700e013dd0da1c7c3f5c9f24a56f02a5cba837df4ac1f33c9f6e3522c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
66ecad58b6ae7311c930b37f9c063370

SHA1
3e73660795b1d25610651734631968a9a86e26cb

SHA256
f0bc8aea5a55756c1ee611986f744cb173655daa95261ed753755ce6e1a20a5a

SHA512
cf4bd4bce832816a4558e5d76f9d8c8fe50f0767625e56b62608c9834ee7783b3a6b04094778f55de33d2ae26657e16920e9b82b74d7b606b28e59e2ac35e038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cdb93c0cc9f792f9495efbe7696fd068

SHA1
f7ee93c705a7a1ada7666f0839946e7b202da66b

SHA256
d2092a4e22b246987b3a609a9afed61a7bfb64bd57cb7b83ebf23afef3096507

SHA512
27535ddd6366d2e9258d4ee1252f450fdb81692269126aa261941e638361995cd1d0b5baa92ceb6306dffe33df7848ae1c2e824628e99e0366d45344ecd1a7f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
f6e488ba2147619c358b0489da7acc99

SHA1
c2fc8424de2f118f2d0dc233b882f94d75f19643

SHA256
96ac9942bf22850853a78e94d70b456316dc9a6bed71360cebafaf5e4808f1f4

SHA512
39c16d4c008c7f9c28ad6961cfe9d9900054e3023b013810405e3a4501c673e2b80ca734f31445a59c2bd0298233b73393f0d501cd531aca808256e854cc2d83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
df5a7622327efe61d34c8a9076e0aeab

SHA1
6c69a3ce3ac1583287ead32f9758958eff690cad

SHA256
4c0de5b72af31dab5252d7baf5aa8c574acb6f926caea17f487a078e99d25cb2

SHA512
57c5f35d1c38da271a4bfdc3b13db1adfb665ee91641f0a77c0c5d12d4264826bd2af2db057d74eadd91758eff25c6a015d134df082eec31f6d2df7589071ab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e5f27c953ae4039ff0afa20cefde8eb

SHA1
85fd911bee5515ba435a7708e194907b387a16d8

SHA256
562d587ae6b157da9d97b068773c16a0a485deecfccb11d6cd6e566c7d406d59

SHA512
17c05ec06a8a90d42cdf8082652cd80d60e7bb5db6ec8e76b4668185c4ba71bcebbbdb025b50f4eb954f8e103d94e288b2cf2be5806d7dcd6ee9445c44975e57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6fcf798d75c252f73a67669661dd838f

SHA1
c9953c7d150e57602f13170454f195eb47c31206

SHA256
6cb5229335f704a54ed46ced305cb21cd1e563413ef72f75b53222835998c85f

SHA512
0c4c36d73c2e4a4d3f9bb490493e4d66626c3ccd482dc1fe44bcb336bcc76c811111c1c3c312ee750804e6b570b3697114c2210ad7b944651a81fb250dadb46a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b16cbb2279f29a4c31d2b32417b86d0c

SHA1
dcb77afb68f712ddf8b37ac4b244f57592c5183d

SHA256
9bb8673b418b6bb852b682f40e98056aeebe2a59d472b11c4cd426ce72297e0b

SHA512
d688989cad6694dc3cc0ef674f8218d9ae222b47dc806b8a3f9a4eaeb93e2cd2ef85197b488111c47f9a3a34d72943a5dd0dc1c102f588e5ff82aacad4609c3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5ee9770742cbe557217e0045072fcc6f

SHA1
6e33e23e3d42a96cc63009770e3ad8f882f417d0

SHA256
2c597e9fb67ae25d84c91a397d3b1285041b13065f24cf8ce1f3ceef5a21340b

SHA512
9933c0533bf77a7eed9d965d043ba24a34dc062fd862c3a72a48bf0356205f9ce4ec79860341872183a93de8d56d34ee448852aee520c1834b3087603108e25c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
79218a57ec840bdf00944165866ce55d

SHA1
3bc718da0488fd3d54efe2d743d8d285a6e85db7

SHA256
a234fc36cafbace96643e772999a12d4f2b59d74f6209452bae18d4260c2090f

SHA512
c7badc6e0bd9318063bc977a8595843d9559d0e50a8dc64169ef076d579baee9ac42293506cfb8b833de1e8ea1aba557b5db398275bd76635bfb86c5b69798d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
46ce231a41cd799f5bf1b591dc62531d

SHA1
93f3f35247e5700aae96caa101b22b7e5efb5264

SHA256
1b812d809868465d352db7b6d5a6e0cddffc1b46f9bb3b7e46046a89342419b9

SHA512
deb5d7b05a1d9eb82d71adc0521e45a14bae30ebf10168ca8fb74fd04d706e88f56499758e9ab77680d3dd599743ae0a95126f50ad10bcb905bd38f70a093008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
476be8eca1a6811860267b68af2987d5

SHA1
7d6acf2ac45a8d02ca2a07a92bc3b161fa1a1b9d

SHA256
6d756b1d2e392cc0c60089a73fd9925061be5eb64a578c977ce0bb35d0cf80d2

SHA512
bffdb394d7775b05465d637bf6469302d4fd7257634f76970d75f6c3b09deb4c17163e8ce58f96d8bdee91c6a7227be9e968bbc749e83943fdfca8cbfaa8f73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iai2e1mp.jgm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/5060-30-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-29-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-44-0x000002276D850000-0x000002276D85A000-memory.dmp

Filesize
40KB

Download
memory/5060-32-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-45-0x000002276D8C0000-0x000002276D8E6000-memory.dmp

Filesize
152KB

Download
memory/5060-31-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-65-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-61-0x000002276DF60000-0x000002276DF72000-memory.dmp

Filesize
72KB

Download
memory/5060-0-0x00007FFFF9AF3000-0x00007FFFF9AF5000-memory.dmp

Filesize
8KB

Download
memory/5060-43-0x000002276D830000-0x000002276D84C000-memory.dmp

Filesize
112KB

Download
memory/5060-63-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-28-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-27-0x000002276ABF0000-0x000002276AC0E000-memory.dmp

Filesize
120KB

Download
memory/5060-25-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-24-0x0000022752380000-0x00000227523A2000-memory.dmp

Filesize
136KB

Download
memory/5060-23-0x000002276B270000-0x000002276B2E6000-memory.dmp

Filesize
472KB

Download
memory/5060-67-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download
memory/5060-2-0x00000227508F0000-0x00000227509A2000-memory.dmp

Filesize
712KB

Download
memory/5060-1-0x0000022750260000-0x00000227504DA000-memory.dmp

Filesize
2.5MB

Download
memory/5060-64-0x00007FFFF9AF0000-0x00007FFFFA5B2000-memory.dmp

Filesize
10.8MB

Download