Analysis Overview
SHA256
123e7b087bbf51c4101e5b0ab032e86cddaa24cbb7d9fb001ff579025a1748e1
Threat Level: Known bad
The file ET-Optimizer.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies security service
Disables service(s)
Modifies boot configuration data using bcdedit
Boot or Logon Autostart Execution: Active Setup
Stops running service(s)
Event Triggered Execution: Image File Execution Options Injection
Loads dropped DLL
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Power Settings
Indicator Removal: File Deletion
Indicator Removal: Clear Persistence
Modifies Security services
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Hide Artifacts: Ignore Process Interrupts
Enumerates physical storage devices
Unsigned PE
Checks processor information in registry
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Runs net.exe
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry key
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-07 21:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 21:35
Reported
2024-11-07 21:37
Platform
win10ltsc2021-20241023-en
Max time kernel
93s
Max time network
65s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Windows\system32\reg.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,4474,19041,0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\dismhost.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\system32\cleanmgr.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Indicator Removal: File Deletion
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | C:\Windows\system32\cleanmgr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.EDB | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DATAST~1\DATAST~1.JFM | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DATAST~1\Logs\edb.log | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\REPORT~1.LOG | C:\Windows\System32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\dismhost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "12" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\EditFlags = "2" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\Content Type = "application/xhtml+xml" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\ContextMenuHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} | C:\Windows\System32\ie4uinit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shellex\PropertySheetHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8} | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE,-17" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-913" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mailto\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,2" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\Content Type = "message/rfc822" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\mailto\EditFlags = "2" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,5" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\svgfile | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\ = "xhtmlfile" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mailto\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-910" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "htmlfile" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\IE.AssocFile.HTM | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5732" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mailto\shell\open\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\open\ddeexec\Application | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mailto\DefaultIcon | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-904" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\opennew\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\CommandId = "IE.File" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.website\ = "Microsoft.Website" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-905" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ = "Internet Shortcut" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-10046" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\DefaultIcon | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\mhtmlfile | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.website | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shellex | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-914" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\Content Type = "image/svg+xml" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell\opennew\MUIVerb = "@C:\\Windows\\system32\\ieframe.dll,-5731" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\printto\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex\PropertyHandler | C:\Windows\System32\ie4uinit.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shell\open\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\Open\command | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\EditFlags = "131074" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\print\command\ = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Windows\\system32\\mshtml.dll\",PrintHTML \"%1\"" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\URL Protocol | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ProcessorType=Get-WMIObject win32_Processor | select Name | findstr /c:AMD /c:Intel; $ProcessorType = $ProcessorType.Replace('(R)','').Replace('(TM)','') > CPUL.txt
C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /c:AMD /c:Intel
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /q CPUL.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue {current} safeboot
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue {current} safeboot
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable && schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable && schtasks /Change /TN "Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvent" /Disable && schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable && schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable && schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable && schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable && schtasks /Change /TN "NIUpdateServiceStartupTask" /Disable && schtasks /Change /TN "CCleaner Update" /Disable && schtasks /Change /TN "CCleanerCrashReportings" /Disable && schtasks /Change /TN "CCleanerSkipUAC - $env:username" /Disable && schtasks /Change /TN "updater" /Disable && schtasks /Change /TN "Adobe Acrobat Update Task" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable && schtasks /Change /TN "MiniToolPartitionWizard" /Disable && schtasks /Change /TN "AMDLinkUpdate" /Disable && schtasks /Change /TN "Microsoft\Office\Office Automatic Updates 2.0" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates Logon" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineCore" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineUA" /Disable && schtasks /DELETE /TN "AMDInstallLauncher" /f && schtasks /DELETE /TN "AMDLinkUpdate" /f && schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f && schtasks /DELETE /TN "DUpdaterTask" /f && schtasks /DELETE /TN "ModifyLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /q %temp%\NVIDIA Corporation\NV_Cache\* && del /q %programdata%\NVIDIA Corporation\NV_Cache\*
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f && REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v PreventHandwritingErrorReports /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowDeviceNameInTelemetry /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v HideRecentlyAddedApps /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v NoActiveHelp /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\StorageTelemetry" /v DeviceDumpEnabled /t REG_DWORD /d 0 /f && && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\17.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && sc stop VSStandardCollectorService150 && sc config VSStandardCollectorService150 start= disabled && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && cmd /c 
taskkill /f /im ccleaner.exe && cmd /c taskkill /f /im ccleaner64.exe && reg add "HKCU\Software\Piriform\CCleaner" /v "HomeScreen" /t REG_SZ /d 2 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C setx POWERSHELL_TELEMETRY_OPTOUT 1
C:\Windows\system32\setx.exe
setx POWERSHELL_TELEMETRY_OPTOUT 1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\Tracing\WPPMedia" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\WPPMedia" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\Tracing\WPPMedia" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\WPPMedia" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v Enabled /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v AcceptedPrivacyPolicy /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v HarvestContacts /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f && REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f && REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value $ram -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage *XboxGamingOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxGameOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /q "%temp%\NVIDIA Corporation\NV_Cache\*" && del /q "%programdata%\NVIDIA Corporation\NV_Cache\*"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /s /f /q "%userprofile%\Recent\*.*"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command erase /f /s /q "%systemdrive%\Windows\SoftwareDistribution\*.*"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Windows\SoftwareDistribution"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Microsoft\Windows\WebCache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\logs /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\webcache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %appdata%\Microsoft\Teams\Cache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Yarn\Cache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem.Out /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSRemoteControl /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackVSRTCLogs /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackPerfWatsonData /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFaultInfo /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\Microsoft\VSApplicationInsights /F /Q /S
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %ProgramData%\Microsoft\VSApplicationInsights /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\Microsoft\VSApplicationInsights /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %AppData%stelemetry
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del /S /F /Q %windir%\Prefetch
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C %WinDir%\SysNative\ie4uinit.exe -show
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C %WinDir%\System32\ie4uinit.exe -show
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -show
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\IconCache.db /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\Explorer\iconcache_*.db" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\.jrs" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.chk" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\DISM" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\ScreenOn\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\ScreenOn\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\LogFiles\HTTPERR\*.*" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\WindowsBackup\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\PerfLogs\System\Diagnostics\*.*" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\debug\WIA\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.app.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.offline.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FontCache3.0.0.0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FontCache
C:\Windows\system32\net.exe
net stop FontCache3.0.0.0
C:\Windows\system32\net.exe
net stop FontCache
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FontCache
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FontCache3.0.0.0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\LocalService\AppData\Local\FontCache\*.dat" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\FNTCACHE.DAT" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\FNTCACHE.DAT" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net start FontCache
C:\Windows\system32\net.exe
net start FontCache
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start FontCache
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net start FontCache3.0.0.0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagwrn.xml" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagerr.xml" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\repair\setup.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\DDACLSys.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\cbs.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\WebCache\*.log" /F /Q
C:\Windows\system32\net.exe
net start FontCache3.0.0.0
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start FontCache3.0.0.0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\*.log" /F /Q
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DPX\*.log" /F /Q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.lo_" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\APPLOG\*.*" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DISM\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\setuplog.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\OEWABLog.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.bak" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.bak" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.old" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SchedLgU.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Directx.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C start cleanmgr.exe /sagerun:5
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x488
C:\Windows\system32\cleanmgr.exe
cleanmgr.exe /sagerun:5
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\dismhost.exe {14C4CB58-F164-4DE7-A822-D5B22054DFFD}
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
Files
memory/3968-0-0x00007FFC99173000-0x00007FFC99175000-memory.dmp
memory/3968-1-0x000001EAFE140000-0x000001EAFE228000-memory.dmp
memory/3968-2-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp
memory/2000-3-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp
memory/2000-4-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp
memory/2000-10-0x000001EA46CD0000-0x000001EA46CF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ib2bveey.inv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2000-15-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp
memory/2000-16-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp
memory/2000-20-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CPUL.txt
| MD5 | 6774e4aff4988a85dabfb01db173d0af |
| SHA1 | 2ec6df11ef82fb3c46ba9cf585a209c932ce46e7 |
| SHA256 | 5f93814289461ec38c845c77d35fd56a0ce9d08662099164570f1ecdef3f6e38 |
| SHA512 | e6ef5c299bf5dd6fda1c45f35103306ec9410192457544859bf1643395ba145e8c700aa2596502c9061c88a3ac5015a62de928195dcb3a23f2835b89e3e8157b |
memory/3968-22-0x00007FFC99173000-0x00007FFC99175000-memory.dmp
memory/3968-23-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp
memory/1644-24-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-26-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-25-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-31-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-30-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-36-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-35-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-34-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-33-0x000002A003880000-0x000002A003881000-memory.dmp
memory/1644-32-0x000002A003880000-0x000002A003881000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 87c29700d926d094566f97a4ca94661f |
| SHA1 | edbc46e5510447273bbaae1a5d13e6984b003594 |
| SHA256 | b254694891c8c9da1394c3c469cee50f145c72582e6d1cf0045cab4e72f48e7f |
| SHA512 | 0c6ba3544daa14af98f338fa24d01624f9e93f9633b2bd6b4c031f7f1ecd4265dddde4469a8b96e81d802401ec8f3ba1d0120afe53ee6fa5345f9f3f7ab94290 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3aa6fa949fa12c686336d7556599afa7 |
| SHA1 | f0d7925f5c5e3bda413cfc352691caa066e400bb |
| SHA256 | 78a45ad95410e9f30edfc3458db0f49ff03bde3a44718addbf7ecab4d0ecb30b |
| SHA512 | 0df469696594986b20a66260d19cecd8ce3ed320856daf395172e732e04bfbe2d438fb5591af1b828a44a311c196aebf052735662ed72c0669c0080c017276cc |
memory/5108-48-0x00000165F3D50000-0x00000165F3D7A000-memory.dmp
memory/5108-49-0x00000165F3D50000-0x00000165F3D74000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96d0b23764c399a15fcd9e9f24316495 |
| SHA1 | b12c744e4144390e3e0145b3b4bc20a6f492f584 |
| SHA256 | ae78ea50961c62b979c5e9899f559583d7887ca3ae427327bea7c89cf988e330 |
| SHA512 | 926909776861a0438153f5ad5f2d3e210647537e26a1b854e4f0ffbb4257ce8ba492bfea8ce3f61848d64af84721167b4aa632a3dbf4d0c0391427bdc0793715 |
memory/252-61-0x0000024839ED0000-0x0000024839EE6000-memory.dmp
memory/252-62-0x0000024839EC0000-0x0000024839ECA000-memory.dmp
memory/252-63-0x0000024839F60000-0x0000024839F86000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\DismHost.exe
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\DismCorePS.dll
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\DismProv.dll
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\OSProvider.dll
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\LogProvider.dll
C:\Windows\Logs\DISM\dism.log
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
C:\Users\Admin\AppData\Local\Temp\C4F9278B-D6D2-4E74-8F7A-5E8B187D2AE6\CbsProvider.dll
C:\Windows\Logs\DISM\dism.log
C:\Windows\System32\LogFiles\setupcln\diagerr.xml
C:\Windows\System32\LogFiles\setupcln\setupact.log
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 21:35
Reported
2024-11-07 21:37
Platform
win11-20241007-en
Max time kernel
92s
Max time network
92s
Command Line
Signatures
Disables service(s)
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,348,22000,0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\System32\ie4uinit.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe\Debugger = "%C:\\Windows%\\System32\\taskkill.exe" | C:\Windows\system32\reg.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1FE0D12B-5E96-4860-844D-E2F11A6CB56D\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ABC988B9-03A2-415B-BC53-A2796D39566A\dismhost.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Indicator Removal: File Deletion
Modifies Security services
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdBoot\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisDrv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdFilter\Start = "4" | C:\Windows\system32\reg.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | C:\Windows\system32\cleanmgr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\1FE0D12B-5E96-4860-844D-E2F11A6CB56D\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\ABC988B9-03A2-415B-BC53-A2796D39566A\dismhost.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000403da12c5d31db01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb6cee2b5d31db01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bc2072d5d31db01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b425eb2c5d31db01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jfif\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034dc7f2c5d31db01 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3 | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | C:\Windows\System32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\SearchProtocolHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394\DisplayName = "windows_ie_ac_001" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes\ShowSearchSuggestionsGlobal = "0" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter\EnabledV9 = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\ET-Optimizer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ProcessorType=Get-WMIObject win32_Processor | select Name | findstr /c:AMD /c:Intel; $ProcessorType = $ProcessorType.Replace('(R)','').Replace('(TM)','') > CPUL.txt
C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /c:AMD /c:Intel
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /q CPUL.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue {current} safeboot
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /deletevalue {current} safeboot
C:\Windows\system32\bcdedit.exe
bcdedit /deletevalue {current} safeboot
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge" /v WebWidgetAllowed /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powercfg -setactive scheme_min
C:\Windows\system32\powercfg.exe
powercfg -setactive scheme_min
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb61
C:\Windows\system32\powercfg.exe
powercfg -setactive e9a42b02-d5df-448d-aa00-03f14749eb61
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d
C:\Windows\system32\powercfg.exe
powercfg /S ceb6bfc7-d55c-4d56-ae37-ff264aade12d
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg /X standby-timeout-ac 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powercfg /X standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
powercfg /X standby-timeout-dc 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set timeout 3
C:\Windows\system32\bcdedit.exe
bcdedit /set timeout 3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /timeout 3
C:\Windows\system32\bcdedit.exe
bcdedit /timeout 3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f && reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t "REG_DWORD" /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v GlobalUserDisabled /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search" /v BackgroundAppGlobalToggle /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore" /v "AutoDownload" /t REG_DWORD /d 2 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v EnableWebContentEvaluation /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International\User Profile" /v HttpAcceptLanguageOptOut /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main" /v DoNotTrack /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\User\Default\SearchScopes" /v ShowSearchSuggestionsGlobal /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead" /v FPEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\MSMQ\Parameters" /v TcpNoDelay /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbxhci\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBHUB3\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NDIS\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nvlddmkm\Parameters" /v ThreadPriority /t REG_DWORD /d 31 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {current} numproc %NUMBER_OF_PROCESSORS%
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} numproc 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-WmiObject win32_Processor | findstr /r "Intel" > NOLPi.txt
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /r Intel
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f && reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Affinity /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Background Only" /t REG_SZ /d "False" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Clock Rate" /t REG_DWORD /d 10000 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d "High" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "SFIO Priority" /t REG_SZ /d "High" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Priority" /t REG_DWORD /d 6 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /f /q NOLPi.txt && del /f /q NOLP.txt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Permissions\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v SensorPermissionState /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v value /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v value /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d 2000 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C SET DEVMGR_SHOW_NONPRESENT_DEVICES=1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314559Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-314563Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353698Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WindowsInkWorkspace\AllowSuggestedAppsInWindowsInkWorkspace" /v "value" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command disable-windowsoptionalfeature -online -featureName Printing-XPSServices-Features -NoRestart; disable-windowsoptionalfeature -online -featureName Xps-Foundation-Xps-Viewer -NoRestart
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\dismhost.exe {4AE7A26C-493F-430D-B1B5-59DC743EAA80}
C:\Users\Admin\AppData\Local\Temp\1FE0D12B-5E96-4860-844D-E2F11A6CB56D\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\1FE0D12B-5E96-4860-844D-E2F11A6CB56D\dismhost.exe {712A0B27-990D-48AD-A3CF-5FEDFE86708E}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-ProcessMitigation -System -Disable CFG
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop DiagTrack
C:\Windows\system32\sc.exe
sc stop DiagTrack
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config DiagTrack start= disabled
C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop diagnosticshub.standardcollector.service
C:\Windows\system32\sc.exe
sc stop diagnosticshub.standardcollector.service
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config diagnosticshub.standardcollector.service start= disabled
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop dmwappushservice
C:\Windows\system32\sc.exe
sc stop dmwappushservice
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config dmwappushservice start= disabled
C:\Windows\system32\sc.exe
sc config dmwappushservice start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop RemoteRegistry
C:\Windows\system32\sc.exe
sc stop RemoteRegistry
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config RemoteRegistry start= disabled
C:\Windows\system32\sc.exe
sc config RemoteRegistry start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop RemoteAccess
C:\Windows\system32\sc.exe
sc stop RemoteAccess
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config RemoteAccess start= disabled
C:\Windows\system32\sc.exe
sc config RemoteAccess start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop SCardSvr
C:\Windows\system32\sc.exe
sc stop SCardSvr
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config SCardSvr start= disabled
C:\Windows\system32\sc.exe
sc config SCardSvr start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop SCPolicySvc
C:\Windows\system32\sc.exe
sc stop SCPolicySvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config SCPolicySvc start= disabled
C:\Windows\system32\sc.exe
sc config SCPolicySvc start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop fax
C:\Windows\system32\sc.exe
sc stop fax
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config fax start= disabled
C:\Windows\system32\sc.exe
sc config fax start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop WerSvc
C:\Windows\system32\sc.exe
sc stop WerSvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config WerSvc start= disabled
C:\Windows\system32\sc.exe
sc config WerSvc start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop NvTelemetryContainer
C:\Windows\system32\sc.exe
sc stop NvTelemetryContainer
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config NvTelemetryContainer start= disabled
C:\Windows\system32\sc.exe
sc config NvTelemetryContainer start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop gadjservice
C:\Windows\system32\sc.exe
sc stop gadjservice
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config gadjservice start= disabled
C:\Windows\system32\sc.exe
sc config gadjservice start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop AdobeARMservice
C:\Windows\system32\sc.exe
sc stop AdobeARMservice
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config AdobeARMservice start= disabled
C:\Windows\system32\sc.exe
sc config AdobeARMservice start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop PSI_SVC_2
C:\Windows\system32\sc.exe
sc stop PSI_SVC_2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config PSI_SVC_2 start= disabled
C:\Windows\system32\sc.exe
sc config PSI_SVC_2 start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop lfsvc
C:\Windows\system32\sc.exe
sc stop lfsvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config lfsvc start= disabled
C:\Windows\system32\sc.exe
sc config lfsvc start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop WalletService
C:\Windows\system32\sc.exe
sc stop WalletService
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config WalletService start= disabled
C:\Windows\system32\sc.exe
sc config WalletService start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop RetailDemo
C:\Windows\system32\sc.exe
sc stop RetailDemo
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config RetailDemo start= disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop SEMgrSvc
C:\Windows\system32\sc.exe
sc stop SEMgrSvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config SEMgrSvc start= disabled
C:\Windows\system32\sc.exe
sc config SEMgrSvc start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop diagsvc
C:\Windows\system32\sc.exe
sc stop diagsvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config diagsvc start= disabled
C:\Windows\system32\sc.exe
sc config diagsvc start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop AJRouter
C:\Windows\system32\sc.exe
sc stop AJRouter
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config AJRouter start= disabled
C:\Windows\system32\sc.exe
sc config AJRouter start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop amdfendr
C:\Windows\system32\sc.exe
sc stop amdfendr
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config amdfendr start= disabled
C:\Windows\system32\sc.exe
sc config amdfendr start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc stop amdfendrmgr
C:\Windows\system32\sc.exe
sc stop amdfendrmgr
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config amdfendrmgr start= disabled
C:\Windows\system32\sc.exe
sc config amdfendrmgr start= disabled
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config BITS start= demand
C:\Windows\system32\sc.exe
sc config BITS start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config SamSs start= demand
C:\Windows\system32\sc.exe
sc config SamSs start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config TapiSrv start= demand
C:\Windows\system32\sc.exe
sc config TapiSrv start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config seclogon start= demand
C:\Windows\system32\sc.exe
sc config seclogon start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config wuauserv start= demand
C:\Windows\system32\sc.exe
sc config wuauserv start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config PhoneSvc start= demand
C:\Windows\system32\sc.exe
sc config PhoneSvc start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config lmhosts start= demand
C:\Windows\system32\sc.exe
sc config lmhosts start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config iphlpsvc start= demand
C:\Windows\system32\sc.exe
sc config iphlpsvc start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config gupdate start= demand
C:\Windows\system32\sc.exe
sc config gupdate start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config gupdatem start= demand
C:\Windows\system32\sc.exe
sc config gupdatem start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config edgeupdate start= demand
C:\Windows\system32\sc.exe
sc config edgeupdate start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config edgeupdatem start= demand
C:\Windows\system32\sc.exe
sc config edgeupdatem start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config MapsBroker start= demand
C:\Windows\system32\sc.exe
sc config MapsBroker start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config PnkBstrA start= demand
C:\Windows\system32\sc.exe
sc config PnkBstrA start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config brave start= demand
C:\Windows\system32\sc.exe
sc config brave start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config bravem start= demand
C:\Windows\system32\sc.exe
sc config bravem start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config asus start= demand
C:\Windows\system32\sc.exe
sc config asus start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config asusm start= demand
C:\Windows\system32\sc.exe
sc config asusm start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config adobeupdateservice start= demand
C:\Windows\system32\sc.exe
sc config adobeupdateservice start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config adobeflashplayerupdatesvc start= demand
C:\Windows\system32\sc.exe
sc config adobeflashplayerupdatesvc start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config WSearch start= demand
C:\Windows\system32\sc.exe
sc config WSearch start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C sc config CCleanerPerformanceOptimizerService start= demand
C:\Windows\system32\sc.exe
sc config CCleanerPerformanceOptimizerService start= demand
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable && schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable && schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable && schtasks /Change /TN "Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvent" /Disable && schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable && schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /Disable && schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /Disable && schtasks /Change /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /Disable && schtasks /Change /TN "Microsoft\Office\Office 15 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Office\Office 16 Subscription Heartbeat" /Disable && schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable && schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable && schtasks /Change /TN "NIUpdateServiceStartupTask" /Disable && schtasks /Change /TN "CCleaner Update" /Disable 
&& schtasks /Change /TN "CCleanerCrashReportings" /Disable && schtasks /Change /TN "CCleanerSkipUAC - $env:username" /Disable && schtasks /Change /TN "updater" /Disable && schtasks /Change /TN "Adobe Acrobat Update Task" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable && schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable && schtasks /Change /TN "MiniToolPartitionWizard" /Disable && schtasks /Change /TN "AMDLinkUpdate" /Disable && schtasks /Change /TN "Microsoft\Office\Office Automatic Updates 2.0" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates" /Disable && schtasks /Change /TN "Microsoft\Office\Office Feature Updates Logon" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineCore" /Disable && schtasks /Change /TN "GoogleUpdateTaskMachineUA" /Disable && schtasks /DELETE /TN "AMDInstallLauncher" /f && schtasks /DELETE /TN "AMDLinkUpdate" /f && schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f && schtasks /DELETE /TN "DUpdaterTask" /f && schtasks /DELETE /TN "ModifyLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /Disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /q %temp%\NVIDIA Corporation\NV_Cache\* && del /q %programdata%\NVIDIA Corporation\NV_Cache\*
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\NvControlPanel2\Client" /v OptInOrOutPreference /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID44231 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID64640 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\NVIDIA Corporation\Global\FTS" /v EnableRID66610 /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NvTelemetryContainer" /v Start /t REG_DWORD /d 4 /f && REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoInstrumentation /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports" /v PreventHandwritingErrorReports /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowDeviceNameInTelemetry /t REG_DWORD /d 0 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v EnabledV9 /t REG_DWORD /d 0 /f && REG ADD "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v HideRecentlyAddedApps /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0" /v NoActiveHelp /t REG_DWORD /d 1 /f && REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\StorageTelemetry" /v 
DeviceDumpEnabled /t REG_DWORD /d 0 /f && && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\SQMLogger" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d 0 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\dmwappushservice" /v "Start" /t REG_DWORD /d 4 /f && reg add "HKLM\SYSTEM\ControlSet001\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f && reg add 
"HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\17.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v 
"Enabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && reg add "HKCU\SOFTWARE\Microsoft\Office\17.0\Common" /v "QMEnabled" /t REG_DWORD /d 0 /f && sc stop VSStandardCollectorService150 && sc config VSStandardCollectorService150 start= disabled && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Wow6432Node\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\14.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\15.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\16.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VSCommon\17.0\SQM" /v "OptIn" /t REG_DWORD /d 0 /f && reg add "HKLM\Software\Microsoft\VisualStudio\Telemetry" /v "TurnOffSwitch" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableFeedbackDialog" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableEmailInput" /t REG_DWORD /d 1 /f && reg add "HKLM\Software\Policies\Microsoft\VisualStudio\Feedback" /v "DisableScreenshotCapture" /t REG_DWORD /d 1 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "ChromeCleanupReportingEnabled" /t REG_SZ /d 0 /f && reg add "HKLM\SOFTWARE\Policies\Google\Chrome" /v "MetricsReportingEnabled" /t REG_SZ /d 0 /f && cmd /c 
taskkill /f /im ccleaner.exe && cmd /c taskkill /f /im ccleaner64.exe && reg add "HKCU\Software\Piriform\CCleaner" /v "HomeScreen" /t REG_SZ /d 2 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "Monitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "HelpImproveCCleaner" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "SystemMonitoring" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateAuto" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "UpdateCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "CheckTrialOffer" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickClean" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C setx POWERSHELL_TELEMETRY_OPTOUT 1
C:\Windows\system32\setx.exe
setx POWERSHELL_TELEMETRY_OPTOUT 1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\Tracing\WPPMedia" /f && reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%%SYSTEMDRIVE%%\TEMP\WPPMedia" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "TraceLevelThreshold" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "EnableTracing" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "EnableTracing" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\Tracing\WPPMedia" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Tracing\WPPMediaPerApp\Skype\ETW" /v "WPPFilePath" /t REG_SZ /d "%C:%\TEMP\WPPMedia" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Mozilla\Firefox /v "DisableTelemetry" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f && reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f && reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CPSS\Store\AdvertisingInfo" /v "Value" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f && reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitInkCollection /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization" /v RestrictImplicitTextCollection /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting" /v "DisableGenericReports" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "2" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "LocalSettingOverrideSpynetReporting" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f && REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f && REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f && REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v VisualFXSetting /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Desktop" /v UserPreferencesMask /t REG_BINARY /d 9012078010000000 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v DefaultApplied /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackDocs" /t REG_DWORD /d 0 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb; Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value $ram -Force
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage *XboxGamingOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxGameOverlay* | Remove-AppxPackage; Get-AppxPackage *XboxSpeechToTextOverlay* | Remove-AppxPackage
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /q "%temp%\NVIDIA Corporation\NV_Cache\*" && del /q "%programdata%\NVIDIA Corporation\NV_Cache\*"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del /s /f /q "%userprofile%\Recent\*.*"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command erase /f /s /q "%systemdrive%\Windows\SoftwareDistribution\*.*"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C rmdir /s /q "%systemdrive%\Windows\SoftwareDistribution"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Microsoft\Windows\WebCache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\logs /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %programdata%\GOG.com\Galaxy\webcache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %appdata%\Microsoft\Teams\Cache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %localappdata%\Yarn\Cache /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem.Out /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSTelem /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSRemoteControl /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackVSRTCLogs /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFeedbackPerfWatsonData /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\VSFaultInfo /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %Temp%\Microsoft\VSApplicationInsights /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %ProgramData%\Microsoft\VSApplicationInsights /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\Microsoft\VSApplicationInsights /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %AppData%stelemetry
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del /S /F /Q %windir%\Prefetch
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C %WinDir%\SysNative\ie4uinit.exe -show
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C %WinDir%\System32\ie4uinit.exe -show
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -show
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del %LocalAppData%\IconCache.db /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\Explorer\iconcache_*.db" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\.jrs" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\catroot2\*.chk" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\DISM" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\ScreenOn\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\SleepStudy\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\ScreenOn\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\SleepStudy\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\LogFiles\HTTPERR\*.*" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\WindowsBackup\*.etl" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\CBS\*.cab" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\PerfLogs\System\Diagnostics\*.*" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\debug\WIA\*.log" /F /Q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.app.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\inf\setupapi.offline.log" /F /Q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FontCache3.0.0.0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net stop FontCache
C:\Windows\system32\net.exe
net stop FontCache3.0.0.0
C:\Windows\system32\net.exe
net stop FontCache
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FontCache3.0.0.0
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop FontCache
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\LocalService\AppData\Local\FontCache\*.dat" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SysNative\FNTCACHE.DAT" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\System32\FNTCACHE.DAT" /F /Q /S
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net start FontCache
C:\Windows\system32\net.exe
net start FontCache
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start FontCache
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C net start FontCache3.0.0.0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagwrn.xml" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\UnattendGC\diagerr.xml" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\repair\setup.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\DDACLSys.log" /F /Q
C:\Windows\system32\net.exe
net start FontCache3.0.0.0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Panther\cbs.log" /F /Q
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start FontCache3.0.0.0
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%LocalAppData%\Microsoft\Windows\WebCache\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\*.log" /F /Q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DPX\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.lo_" /F /Q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\APPLOG\*.*" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Logs\DISM\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\setuplog.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\OEWABLog.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\system32\wbem\Logs\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.bak" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\UserMode\*.bak" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Debug\*.log" /F /Q
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\security\logs\*.old" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\SchedLgU.txt" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%WinDir%\Directx.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C Del "%SystemDrive%\*.log" /F /Q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C start cleanmgr.exe /sagerun:5
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f && reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
C:\Windows\system32\cleanmgr.exe
cleanmgr.exe /sagerun:5
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command winget uninstall "windows web experience pack" --accept-source-agreements
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxPackage -AllUsers | Where-Object {$_.Name -like "*WebExperience*"} | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
C:\Users\Admin\AppData\Local\Temp\ABC988B9-03A2-415B-BC53-A2796D39566A\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\ABC988B9-03A2-415B-BC53-A2796D39566A\dismhost.exe {A38FEE0F-21ED-4667-B3C3-07144464A379}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Get-AppxProvisionedPackage -online | Where-Object {$_.Name -like "*WebExperience*"}| Remove-AppxProvisionedPackage -online –Verbose
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\MsSecFlt" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmAgent" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C for /f %%i in ('reg query "HKLM\SYSTEM\ControlSet001\Services" /s /k "webthreatdefusersvc" /f 2^>nul ^| find /i "webthreatdefusersvc" ') do (reg add "%%i" /v "Start" /t REG_DWORD /d "4" /f)
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%%windir%%\System32\taskkill.exe" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartscreen.exe" /v "Debugger" /t REG_SZ /d "%C:\Windows%\System32\taskkill.exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "6152" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "ModRiskFileTypes" /t REG_SZ /d ".bat;.exe;.reg;.vbs;.chm;.msi;.js;.cmd" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControl" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F4 0x00000000000004F8
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Windows\System32\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 828 2684 2612 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 828 2760 2756 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
Network
| Country | Destination | Domain | Proto |
| GB | 104.86.110.114:443 | | tcp |
| GB | 104.86.110.114:443 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| GB | 92.123.128.136:443 | r.bing.com | tcp |
| GB | 92.123.128.136:443 | r.bing.com | tcp |
| GB | 92.123.128.136:443 | r.bing.com | tcp |
| GB | 92.123.128.136:443 | r.bing.com | tcp |
| GB | 92.123.128.136:443 | r.bing.com | tcp |
| GB | 92.123.128.136:443 | r.bing.com | tcp |
| US | 20.189.173.2:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
memory/4424-0-0x00007FFDF3043000-0x00007FFDF3045000-memory.dmp
memory/4424-1-0x000001A5E6270000-0x000001A5E6358000-memory.dmp
memory/4424-2-0x00007FFDF3040000-0x00007FFDF3B02000-memory.dmp
memory/4144-3-0x00007FFDF3040000-0x00007FFDF3B02000-memory.dmp
memory/4144-4-0x00007FFDF3040000-0x00007FFDF3B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_av53zhri.k4z.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4144-10-0x00000260FEFF0000-0x00000260FF012000-memory.dmp
memory/4144-14-0x00007FFDF3040000-0x00007FFDF3B02000-memory.dmp
memory/4144-18-0x00007FFDF3040000-0x00007FFDF3B02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CPUL.txt
| MD5 | 6774e4aff4988a85dabfb01db173d0af |
| SHA1 | 2ec6df11ef82fb3c46ba9cf585a209c932ce46e7 |
| SHA256 | 5f93814289461ec38c845c77d35fd56a0ce9d08662099164570f1ecdef3f6e38 |
| SHA512 | e6ef5c299bf5dd6fda1c45f35103306ec9410192457544859bf1643395ba145e8c700aa2596502c9061c88a3ac5015a62de928195dcb3a23f2835b89e3e8157b |
memory/4424-20-0x00007FFDF3043000-0x00007FFDF3045000-memory.dmp
memory/4424-21-0x00007FFDF3040000-0x00007FFDF3B02000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 22e796539d05c5390c21787da1fb4c2b |
| SHA1 | 55320ebdedd3069b2aaf1a258462600d9ef53a58 |
| SHA256 | 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92 |
| SHA512 | d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 21280c05ed05bd2e1368b2a52129a921 |
| SHA1 | 72826c81e56772691db06a12fa19ded6ba4172cf |
| SHA256 | 447ee7dc87bdc787efdb4117bfb6aa9b9ad87d8a5087b327bc38caedc8e72578 |
| SHA512 | de35113b065a600743810eb5e2914f44eeafbeb9b6690a4d53221e19772bc0045e17a196b1a7c725d0e7ddeff7b39f135c557b85e1aaa10ec8691ed5b333878c |
C:\Users\Admin\AppData\Local\Temp\NOLPi.txt
| MD5 | 71a9108cbbc23c52cf95143706a66310 |
| SHA1 | 863dbfdc85863ec1808b9a2274f30a4dbe4c83c6 |
| SHA256 | 4f19737f9b12c3b1097f515ceeeff5b45d5542ca54b513f12eedd3e6f9c02032 |
| SHA512 | f2f198cd7ff7cc8351ddf35820224287c7cf1c723309339496fe91cfb90589391499921f283cda38670fb18fc73e0d9defb4ab3b1539112cf3eaf3a0997a6662 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d968d0eb0c1489fe11c8a7c29808b571 |
| SHA1 | 53b2e31d3c5665bce83ce3328093eca076b56d66 |
| SHA256 | 720167696f8edb616c0206275f2cee2bc4c395611db58a8a50d51e9a50c1080e |
| SHA512 | f80ab6a704db3d0a333c4e2823035d322ce2cb30ff69e94d790981b4da6e407ad8513bf71e7841ed53b29e8bcfa50ca2d26f1dd4000c7a96fe546c0eccabef43 |
memory/1748-44-0x000001ED63E30000-0x000001ED63E56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\DismHost.exe
| MD5 | 17275206102d1cf6f17346fd73300030 |
| SHA1 | bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166 |
| SHA256 | dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6 |
| SHA512 | ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\DismCorePS.dll
| MD5 | 7f751738de9ac0f2544b2722f3a19eb0 |
| SHA1 | 7187c57cd1bd378ef73ba9ad686a758b892c89dc |
| SHA256 | db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc |
| SHA512 | 0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\dismprov.dll
| MD5 | 2ac64cc617d144ae4f37677b5cdbb9b6 |
| SHA1 | 13fe83d7489d302de9ccefbf02c7737e7f9442f9 |
| SHA256 | 006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44 |
| SHA512 | acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\OSProvider.dll
| MD5 | e9833a54c1a1bfdab3e5189f3f740ff9 |
| SHA1 | ffb999c781161d9a694a841728995fda5b6da6d3 |
| SHA256 | ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85 |
| SHA512 | 0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\LogProvider.dll
| MD5 | c63f6b6d4498f2ec95de15645c48e086 |
| SHA1 | 29f71180feed44f023da9b119ba112f2e23e6a10 |
| SHA256 | 56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde |
| SHA512 | 3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc |
C:\Windows\Logs\DISM\dism.log
| MD5 | fbc18ea4a3485747b4b58820950af051 |
| SHA1 | 10e2f35a1201c8c0c80d8ddc48370eb978a0e48b |
| SHA256 | 7621d31dbf5fe6ef8475d03f38fa9b00ba12f083d1f22d0411e4fde719fb9f69 |
| SHA512 | e909124cd8299217a061472570f111b8ad0356ee8ea8d7ab67c1568f0232d19fdd2211f17332daefb2a107787d7588115190514ddec68f205f6a42792860225e |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\CbsProvider.dll
| MD5 | f51151b2d8d84cddbedbeffebdc6ec6a |
| SHA1 | adc9c19aa0663e65997f54835228968e13532198 |
| SHA256 | 7fe4e4924fbbfdf6d772cb9d0a4963d49f6aa18b3c86a2e8df6ca49e22f79884 |
| SHA512 | 802b58617be5e92bfc0c7f8c8d7443128d81908ae99d9a4ce0a785f858dc7832c70dc305f2ad39c9f57db01c05f483f6bf949ad8811fc6fb255c5aee88c729b3 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\DismCore.dll
| MD5 | c73ee8f61bce89d1edad64d16fedcdd6 |
| SHA1 | e8fe02e68fd278fd4af501e350d412a5a91b269f |
| SHA256 | b1045fc7dce8fcf5612f82f8f97f8d243008e4c6b7389187e6babc554dd1e413 |
| SHA512 | 8a5960e6bf35cf07e555558db13c89bf940c92d206adae0eb6e28404b7e499500a8158d29f3400f0b24ab8cedbacb75a28b0138be2e029b70a5cc66cce7cef25 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\DmiProvider.dll
| MD5 | e54120aa50f14e0d3d257e77db46ece5 |
| SHA1 | 922203542962ec5f938dcb3c876f060ecf17f9dc |
| SHA256 | b5fb1a5eb4090598d5f878cdd37ed8eca82962d85995dd2280b8849fba816b54 |
| SHA512 | fbce5d707f6a66d451165608520be9d7174a8c22eb9827dfe94d98718e2c961f15ac45583b1743f3b8078b3fe675992d4b97bfc5e4b893b60328d94665f71dc9 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\FolderProvider.dll
| MD5 | 0e6d074c223b6706c29de2e9d6d9d05c |
| SHA1 | c4758d6e444b5f943c9ae8570c6d1945d7b2ab8f |
| SHA256 | 3129bd336b26f9da626189a2386c362584204a5d24ec0733be3cf0c8f5d855e2 |
| SHA512 | fa48aa14b7e66749a34a7195944966b670649935f1eef9d6f17cf7d9893dc83339fed4bcfeb5c5be0be8f4c0a250cf71e4e0bbc6456017890b8b5ef0ee2d885b |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\IntlProvider.dll
| MD5 | 34035aed2021763bec1a7112d53732f1 |
| SHA1 | 7132595f73755c3ae20a01b6863ac9518f7b75a4 |
| SHA256 | aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731 |
| SHA512 | ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\ProvProvider.dll
| MD5 | 2ef388f7769205ca319630dd328dcef1 |
| SHA1 | 6dc9ed84e72af4d3e7793c07cfb244626470f3b6 |
| SHA256 | 4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf |
| SHA512 | b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\SysprepProvider.dll
| MD5 | 4dfa1eeec0822bfcfb95e4fa8ec6c143 |
| SHA1 | 54251e697e289020a72e1fd412e34713f2e292cf |
| SHA256 | 901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494 |
| SHA512 | 5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\WimProvider.dll.mui
| MD5 | ef7effbb94bc74ede42ce85907a36a8c |
| SHA1 | 786c63cfdc435af2ab2a76141d0fc275ff3635d5 |
| SHA256 | 3b2f633c55fbbb9c5e22cdbf43a8612ec7a7169a3a8bb97504744f2da2b88d21 |
| SHA512 | 15d954a426dfff1aae1932bcde911d009613cd9eddb4c7322a43f46804c53771ec7770911ea8c9de359f99b7668e5610f77716d45871b14abe4d23f14635114a |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\WimProvider.dll
| MD5 | bcf8735528bb89555fc687b1ed358844 |
| SHA1 | 5ef5b24631d2f447c58b0973f61cb02118ae4adc |
| SHA256 | 78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c |
| SHA512 | 8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\VhdProvider.dll.mui
| MD5 | e191302bd04b4a25c7ea73b406ce009b |
| SHA1 | 07af4defdd810079f7a467f67671e1fc3cd679f5 |
| SHA256 | 06d9653c004a9e87ec34e759b43dfd7785ee82dc19644466f3d679f2f65de19b |
| SHA512 | 453ffd89fdf2ee0046fe01da9cfbadbce6816dcfc40f1d2c81b39ba76a86d745d7773b2cbd4ace7f26af0e633a217a822800c99bae29c64aacc32dfd16506f5b |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\VhdProvider.dll
| MD5 | 8a655555544b2915b5d8676cbf3d77ab |
| SHA1 | 5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2 |
| SHA256 | d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27 |
| SHA512 | c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\UnattendProvider.dll.mui
| MD5 | db3d73d9f037452586e7a78f72ecdb4d |
| SHA1 | 655410a4034bcb4282e1620a666b31b9800786af |
| SHA256 | 5a4b560084daa772aa9bec7aa7abe1d09ae25b17eb780ab07d34b68eb04787d0 |
| SHA512 | 0e77079a2deca0db320a6371774ac6989ea35dcba82fdd80146961381b12da7b2fe006636b6ead6d79651308d3fafb8afb99b660610ab2b4d97e898ee1b5d1c9 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\UnattendProvider.dll
| MD5 | 7c61284580a6bc4a4c9c92a39bd9ea08 |
| SHA1 | 4579294e3f3b6c03b03b15c249b9cac66e730d2a |
| SHA256 | 3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8 |
| SHA512 | b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\TransmogProvider.dll.mui
| MD5 | 77c25ed6331316ae69c991eaf48c61f5 |
| SHA1 | aee136b521992cfe3dd37bfca3682b865404d86a |
| SHA256 | a1dd6b743961ddb20c3ff40f9227008d97ea7dc6e6ccde0918dc37f8bb79fe2d |
| SHA512 | 76eee57583215ad4cbd9a2dffd15f8f4e2f3a36acb5c86b6f28f4cf3cec7fc6483a7a155c7b7e7cfe7f0a19e26c4b4bcfd5d20ad0fd81b8d47f1694eee51de68 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\TransmogProvider.dll
| MD5 | c1c56a9c6ea636dbca49cfcc45a188c3 |
| SHA1 | d852e49978a08e662804bf3d7ec93d8f6401a174 |
| SHA256 | b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf |
| SHA512 | f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\SysprepProvider.dll.mui
| MD5 | a71ef2e202f70dfe443001aaa0eb4cde |
| SHA1 | bd3e1662696f413584ef4c704e98c99369724b24 |
| SHA256 | e3d22713daa426992f2efffafda6dc59ee32502c4f10a0330770de2a3144d654 |
| SHA512 | f39e2ee6b956b4a373fb22198b1cd0c248372c9d7e3ac2e4eb34b9a1e9417c02e323d369a889e37596c54050c871a4c437398138989ba0db3b6b76326ffa361b |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\SmiProvider.dll.mui
| MD5 | d316bf2ee142352ab8a66e634599d542 |
| SHA1 | f1d94c822af18899a622400a14cef1cded21983a |
| SHA256 | 631f0b431e7296a03ae309d573f1c1c09467d1c0badea7456b1bebe44cd2eae0 |
| SHA512 | 133b90143b40c19eec6ce1cf2d196391d159e0be040240d780abf8f090be32c9b39b879da11c2c605677bf01e6d88f7e97b1c92d7c6a27359a9e44988fcc5097 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\SmiProvider.dll
| MD5 | 46e3e59dbf300ae56292dea398197837 |
| SHA1 | 78636b25fdb32c8fcdf5fe73cac611213f13a8be |
| SHA256 | 5a0f1279013d1d379cb3a3e30f1d5be22549728cd9dc92ed5643eacf46199339 |
| SHA512 | e0584da3c302ea6ffa85932fa185500543f15237d029fdc4b084aee971ec13967f9e83cad250bea36b31f1a3efb1cc556da7dd231e5b06884809d0af51ebdf8c |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\SetupPlatformProvider.dll.mui
| MD5 | 2e9a8c5abecfa6e5c412222df813cbc2 |
| SHA1 | 7c5874ef08d9af001eabee9c70e32a2a7f375448 |
| SHA256 | e708b5b5628f236cd1d41b864a3ef8ee401cb6f7b5f12c1cd8b76d2277c101f3 |
| SHA512 | c03f0120386d7b3ca0bc93652bace096090d9f0e23e83a8345e390405a2a46bb75f07f2b1d8988b7820b74d3d01f9634e13405337dbb4623e16c7909675b071d |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\SetupPlatformProvider.dll
| MD5 | 3c9f121f5e3a6f1eafafdd8a1223a197 |
| SHA1 | 5921441e91b96e05c7ecbb75224eaeeedc37fc56 |
| SHA256 | 9f86bdfd3ddb0e67820d7418334bc76b701dce9ad8414bb14480830e4656bbd8 |
| SHA512 | cfe36a2035855ce94b6ecfa5b87f92c98f46f63ef5fe228d315244add9323f810b4c9244338974f88903d2817184c634a3133496b3a36ca2d3123c3a585f9603 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\ServicingCommon.dll
| MD5 | 07231bdae9d15bfca7d97f571de3a521 |
| SHA1 | 04aec0f1afcf7732bc4cd1f7aab36e460c325ba6 |
| SHA256 | be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935 |
| SHA512 | 2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\ProvProvider.dll.mui
| MD5 | bc35aae56857c817097331a65d7769d1 |
| SHA1 | cb992cb30dc75b93f547c13f8b9be1278e7394da |
| SHA256 | 7fb6900ebb304df91cdc53d50687eed5269e74615cca7e76f4598721294022dc |
| SHA512 | 5be9fb550f6cd8508d49ae6bde29b1fb6a951fefa16f5f8fc3a515f557d35f413dde71c9637292f5f8e282c66d9134b02f41267544874c976635f9b4e06e8c8d |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\OSProvider.dll.mui
| MD5 | 1ee141f9431a2af3dd512b04055610c2 |
| SHA1 | f8ef46dc21fec452cda8d73dad14c055613f28b1 |
| SHA256 | b8573936e990b8e55290a943490dbfe94bc49f58a4d9de1836bd7ff7dffe7ff6 |
| SHA512 | 40eed3683efdb9f6528e11e80ab35a3103387d36033faaedc22024ac594fb5eab787a5e4a0825d092fc91c2f3ead73d3dd6f4629bd0baedd56b189d391c4a083 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\OfflineSetupProvider.dll.mui
| MD5 | ae0676524e95d0e7e4370722efa3a773 |
| SHA1 | f8205f04661335dab1e8fc23e24ea1cf96511737 |
| SHA256 | 9f93067d93529189ca6f64c44de2e813d30b0b8a20181a6e56180d4951c0bc61 |
| SHA512 | 83a754db5fa94471be16a660b9a2284f1a46de02a23f8c675d002ca64e365b5e9d52e3660a463bcfa0e430f98285fac451508a93b1a7cfded1e5b67d83f5a7c3 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\OfflineSetupProvider.dll
| MD5 | 3437087e6819614a8d54c9bc59a23139 |
| SHA1 | ae84efe44b02bacdb9da876e18715100a18362be |
| SHA256 | 8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74 |
| SHA512 | 018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\MsiProvider.dll.mui
| MD5 | cea3a44e41797d33cc2a834f7cc8a412 |
| SHA1 | 203f532d6b1874ca42936a7bfc197572bc51c6e5 |
| SHA256 | 572e5f8c5ce65404714f328d86a1386102995498d71538dc0db45a9d60cd692d |
| SHA512 | 90f2b7a9ad08e7c01ea53e3b2501d28f864e4cce3ff082e1d021d8170d23625c44b7dfa371db38b47f63628d50231d06c848734c091e7c641b2a33fd2c93c58e |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\MsiProvider.dll
| MD5 | eb171b7a41a7dd48940f7521da61feb0 |
| SHA1 | 9f2a5ddac7b78615f5a7af753d835aaa41e788fc |
| SHA256 | 56a8527d267116af39864feca528be5b7a88c3b5df94750154b2efcf2fda5d55 |
| SHA512 | 5917266aed1a79ee4cb16bb532ccae99782d0ee8af27cb42a6b39496c3de61c12a30ce524a1a66cc063101ebcfac957d1b129aae0b491c0587f40171ba6bae12 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\LogProvider.dll.mui
| MD5 | a6886158d0b23f0198efb318211fd7d7 |
| SHA1 | 86d859973a14599d5aa18afa24296c3668dea127 |
| SHA256 | e7df3f5235b90541090811aa896596ee4e4dcd515adc79c83f0b6a7a84a97adb |
| SHA512 | 7d5890947105db2fde29ab9b85ebd435b4576027479b440b09576c86b840e6484f86a4f29be859d04fc840dabb0c227d3e1f3f8bd8e37fee7d94631c3fe8f60e |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\IntlProvider.dll.mui
| MD5 | 60506e35e0d0b89a2a606634223e491a |
| SHA1 | 4f05b7eb26746dc50c0bda286d2c9cf213177cd2 |
| SHA256 | a3458c824e987b2327a3853601206e21a66ac075e63c294e31277724fc0afa86 |
| SHA512 | 1b87dc05963c7fc6dd48453e86d7b230757e2de3c171fa489605317558bab7c1ecf515b2194fec7f6a322b26ad0d73965539bebeacf43082c27dc16c353db80d |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\ImagingProvider.dll.mui
| MD5 | b86f01d8b143161859fd34ccf7882530 |
| SHA1 | ad843023f035b83fadf1caf305892d9e6d31500b |
| SHA256 | cb1a0d62b5b8368926833d4dceb594ecd20c661ed0d8ac111615699aa3fe2442 |
| SHA512 | bb4f7f8012930d3e548f8d70f698c3e272b470055dd13a7f728a7fd8f732e891e559307ffa1f4e25091f8b73f8321906d3a773b21350324452ad0aeeb8b222f3 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\ImagingProvider.dll
| MD5 | 4c6d681704e3070df2a9d3f42d3a58a2 |
| SHA1 | a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81 |
| SHA256 | f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137 |
| SHA512 | daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\IBSProvider.dll.mui
| MD5 | fb17429f4d39fe142e5b682f180a9e7d |
| SHA1 | 165e81224b64775364e8f5e4bfc952b65d5a5b56 |
| SHA256 | a48e621724c5a977373d10de1420d7e5a8b902b2a3896d9b00b53ae8adffe071 |
| SHA512 | 374c6223cef75443fe35198d352e7b27b6958f69cc035e01a0b560085bacd19ad7f61ed890f6055c238f41cccbbb8f4a9b674c6903edcf347a1c26eab03ce00b |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\IBSProvider.dll
| MD5 | f6b7301c18f651567a5f816c2eb7384d |
| SHA1 | 40cd6efc28aa7efe86b265af208b0e49bec09ae4 |
| SHA256 | 8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61 |
| SHA512 | 4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\GenericProvider.dll.mui
| MD5 | 9f2f931b1976909b88fb24e24334a4d2 |
| SHA1 | 43a5bb922ec1ccd751405dd44cf2ee57706484ca |
| SHA256 | 21eb6be50350e296f140c7a877923c7b8b6824d0ae983c899f3543a2fe26e681 |
| SHA512 | 9b60018330e1ec830e3c23ce49c1b0a4106dcd5251dd69a5ed8373f7f3341a120977efac37bc4644c59ae06733e5ebd97fe6d1198dd0ba711cecba1bec3c9613 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\GenericProvider.dll
| MD5 | 20fb116831396d9477e352d42097741c |
| SHA1 | 7e063ac9bc173a81dc56dc5864f912041e2c725a |
| SHA256 | 6a940ba16154c4a1729b8560b03efb5f2558d66b10da4a5ec26c1299ea713bc4 |
| SHA512 | 851843da748555eba735e1f5457044f24f225bd029534019814a6d1baf2e0bd1f171d297c362cfed5977274b266e823b7ad131ae2512568f7a5f2e3ea498b69a |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\FolderProvider.dll.mui
| MD5 | b6968d5f3d3cf05ad37edb013c929494 |
| SHA1 | 66b4b6e47add2b5dff62efc9003782d0dd39b255 |
| SHA256 | 0e4f5bdc9ba2430ff266e89f6e44017604c14e72e5427cafcb6074c855169524 |
| SHA512 | d566f1f017216a1259877c5c36bcc277197e2e61b6a05cae135023da2b07ecac96e3800c11fa60fdc6835bbe5620b3d967a1f9d3a9c4535a3f99996d09d1cb65 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\FfuProvider.dll.mui
| MD5 | 445554611dc7e6011492db086ba6e64e |
| SHA1 | 829493e8554113942ebe5035ea7d8a6e70c29041 |
| SHA256 | 8625973391145207eb8dcc0d9f8f7fb555808fa58d2a07237f68b1d9e08dfa11 |
| SHA512 | 6e69a532bb92d03a507e897130f3765049e1ec7893c7174c3a82332f575f78cfd301d1d502c3b124f8b9d915016fd94a50821a7dd295e125232bb3b064f34b0b |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\FfuProvider.dll
| MD5 | a41b0e08419de4d9874893b813dccb5c |
| SHA1 | 2390e00f2c2bc9779e99a669193666688064ea77 |
| SHA256 | 57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3 |
| SHA512 | bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\EdgeProvider.dll.mui
| MD5 | 305a69cdd335dcca15d48f044c89badd |
| SHA1 | 97db8ee824b8e5d2787cfa1004747b4e8a6ca9d9 |
| SHA256 | a82cd208624572c3258795a4d097b48ec2dcf1bcbc817445025f059768719e65 |
| SHA512 | 3e13bd38ac4a8411391bd65791a9a82f191b699e857c02c6a86ca464c64f814a11f280f142c2cfb1231cadad0c160a933216b9623561942deaedaa9b6b03bb5e |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\EdgeProvider.dll
| MD5 | c22cc16103ee51ba59b765c6b449bddb |
| SHA1 | b0683f837e1e44c46c9a050e0a3753893ece24ad |
| SHA256 | eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b |
| SHA512 | 2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\DmiProvider.dll.mui
| MD5 | 3b3ac59021e9dc8918647b454a1f5024 |
| SHA1 | cf36a48398e2823f7d9b684d9aacf3a0a4d54d06 |
| SHA256 | a5cd6429d6be85895c4589e08cb33075041a13d93fca69084ffeb4213bb0d4ff |
| SHA512 | 4eeaaaf3d8a466c0b1723ae97e1ecd1c3f6b8751ddc1ec314a04192e088a38ee5f29f16541ef27a56f2f26c6d146c7f9fc581680ec69ff02843580be525a2b7f |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\dismprov.dll.mui
| MD5 | bff1ff3b5a6dba20ce82214fd626dc2b |
| SHA1 | affa7a6f6f1bec42dafe0ca868463eddffcc17e0 |
| SHA256 | f307033265151affded4af3dbc2527bc16479468af740ea913f84a2a3a557c46 |
| SHA512 | 20dfc62f92fc8ab8c7f757a078103414c4e359b744a603f8b655dcd2340677fa7d5fd2acf3c544a3409d31194df788e764c262ea7c625019276e1d00d3f6de19 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\DismCore.dll.mui
| MD5 | 0a4338fdfb1adaa6592b8f1023ced5cf |
| SHA1 | b96bd2067f43e5142e19f9c66e4db7d317d9cd2e |
| SHA256 | 0b6ac5a720dc9163dea36e565c82da1e375041688e6594de15d97652ab7aca80 |
| SHA512 | cf8cbb592dc5f09a95892d897680d4ca4f59e74afaeea2701d7258ace84c4c1182e032e7dd76cbd52a77ea08c8d3858e9b5f900691a6d80c728f5e56701382db |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\CbsProvider.dll.mui
| MD5 | 8644aa200968ce8dfe182f775e1d65c4 |
| SHA1 | 060149f78e374f2983abde607066f2e07e9b0861 |
| SHA256 | 46b59cfae0ea50c722718cdb8c07b3f5d6f02174cc599cd19a157eb6016c6030 |
| SHA512 | 29b4299ae749587c4fc9fd4b9cf3bbe3e9677088b159a40506a2cbd5796808e7432e7af08f0a2eef6c26bacb39b23afa65d0143c72774f38d55dedaef36eba1d |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\AssocProvider.dll.mui
| MD5 | 3a26818c500fb74f13342f44c5213114 |
| SHA1 | af1bfc2ca2a1dcbc7037f61f80a949b67a2c9602 |
| SHA256 | 421bbff0c63377b5fd85591530f4c28d0109bc1ff39162a42eb294f0d0e7c6bb |
| SHA512 | afa1d62788d24cd6d739ad78cff19e455b776a71904af1400a44e54e56b55b149eca456db9c686c3a0b515d7fd49d96dc77b217ec769e879b0937bedad53de7f |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\AssocProvider.dll
| MD5 | 702f9c8fb68fd19514c106e749ec357d |
| SHA1 | 7c141106e4ae8f3a0e5f75d8277ec830fc79eccc |
| SHA256 | 21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358 |
| SHA512 | 2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9 |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\en-US\AppxProvider.dll.mui
| MD5 | f70750a86cda23a3ced4a7ecf03feebd |
| SHA1 | 1c2d9d79974338ce21561b916130e696236fbb48 |
| SHA256 | 8038c5177461aef977ac6e526ac0851bf7eff5928972462657176ff6b6d06050 |
| SHA512 | cfb6b5cdb451b12e7aee6e69ab743b91bec8bd417d4d2384def03010851fef0d7f2a65ff6349c4e62e564b44e742597aeb108e71a962a48020b1988a6c6f1a9a |
C:\Users\Admin\AppData\Local\Temp\1C6F6A26-5B0D-4716-8715-CE087AC4C25E\AppxProvider.dll
| MD5 | a31cb807bf0ab4ddbbe2b6bb96ae6cd1 |
| SHA1 | cf63765b41aee9cd7ae76c04dfbb6151e909b3c9 |
| SHA256 | 37f45e6fc1e531279dcffed70c420df7b073504efe43bbb99a33a9ec24b75a47 |
| SHA512 | 6a83378c7e88fe04dde20685889d76fd7efdf4e02342a952ba2e6ab0fa354e3293560986e5fded00718e4c14417970db0c06e6384277ae1e50021bb4dc87fad3 |
memory/4796-715-0x00000221E0E80000-0x00000221E0E9E000-memory.dmp
memory/4780-725-0x000002254EE40000-0x000002254EE6A000-memory.dmp
memory/4780-726-0x000002254EE40000-0x000002254EE64000-memory.dmp
memory/4992-738-0x000001D6478A0000-0x000001D6478C6000-memory.dmp
memory/4992-737-0x000001D6474A0000-0x000001D6474AA000-memory.dmp
memory/4992-736-0x000001D6474B0000-0x000001D6474CC000-memory.dmp
memory/1888-751-0x000000001A1D0000-0x000000001A1F0000-memory.dmp
memory/1888-752-0x000000001A600000-0x000000001A9D4000-memory.dmp
memory/1888-753-0x000000001AD10000-0x000000001AE46000-memory.dmp
memory/4588-901-0x0000021266350000-0x0000021266366000-memory.dmp
C:\Windows\Logs\DISM\dism.log
| MD5 | 8605a8aa55e3e9aee78f040010ac622f |
| SHA1 | b16b21ddd6cbf65a4bcff1f4c48d81bd326b6a51 |
| SHA256 | 24c45be667804f995107435504c39cad116cf569020664742a1bc4c27b5d9451 |
| SHA512 | 62808545375a9f87964494b01f00f9b0115902b09d946fb4b85563799bc44d1c0bc3b0208e75cc5aaabb6e92b3140c57fc7c843583c1c0e1ef810c243b22b750 |
memory/4432-980-0x000001E948520000-0x000001E948536000-memory.dmp
memory/1092-990-0x000002B47CEB0000-0x000002B47CEC6000-memory.dmp
memory/4424-992-0x00007FFDF3040000-0x00007FFDF3B02000-memory.dmp
memory/1092-1008-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1010-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1009-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1014-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1020-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1019-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1018-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1017-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1016-0x000002E498130000-0x000002E498131000-memory.dmp
memory/1092-1015-0x000002E498130000-0x000002E498131000-memory.dmp
memory/2512-1021-0x00000163042A0000-0x00000163042B0000-memory.dmp
memory/2512-1038-0x00000163043B0000-0x00000163043C0000-memory.dmp
memory/2512-1053-0x0000016308A90000-0x0000016308A98000-memory.dmp
C:\Windows\System32\LogFiles\setupcln\setupact.log
| MD5 | 9b7f61e2245664d4667e55f416c25868 |
| SHA1 | 9207a101c32dffc42c66448a2cd7bf63ad29ca4a |
| SHA256 | 2aadecacb713a076171a387d7a10a87bcb25a1476436a30e4d96b48e67ae3240 |
| SHA512 | ddd6aa7fba336c19f2759be85f62a4ae46107ff8b5da54ea28a6153f04d95dc074db57c8dad056e07571d07d20cec910dd56473d9905bafd516a6afbb0290d1a |
C:\Windows\System32\LogFiles\setupcln\diagerr.xml
| MD5 | 0d0cfe44e35efc35d8f909d46d777daa |
| SHA1 | ee9688ac92fc98ff3585455ed5efb9562eeb572d |
| SHA256 | 1d1a8f744d9ab87301f1ceab751659d961fabb8eb67230010d529c17a9b7b6b4 |
| SHA512 | fb9589a54f3c60ab6b7b89354b59b7e3c7cfb5f5431ab9f62ee4f5378f76b3d59d2b5e9b3f2498e8731eec2b227bbc4857259a30eef614abcc1308dae69317ad |
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml
| MD5 | 692ca5ebc9e0cef0a8d0be4df7400cee |
| SHA1 | f63dada2e5f7a1d786c93bc3d757642d93b24b59 |
| SHA256 | a378a154cfbf27b8471462c657f28a11fee70fd33593ac09ee216c642b26b3aa |
| SHA512 | 429b2eba8b421f3bae504ebe94da0ea9e662e5256d16301f46a4590f915b381cbc67b86c2beba391600b5f512412f1dcd9bdefc363b4c63dc7136022fa0f45bb |
memory/3296-1249-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1250-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1251-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1254-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1252-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1253-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1255-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1256-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1258-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1259-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1260-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1257-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1263-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1264-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1262-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1261-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1265-0x000001EBDA540000-0x000001EBDA550000-memory.dmp
memory/3296-1266-0x000001EBDA540000-0x000001EBDA550000-memory.dmp