Malware Analysis Report

2024-11-13 18:03

Sample ID 241108-kv58kazcje
Target Oneclick-V6.7.bat
SHA256 b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
Tags adware defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

Threat Level: Known bad

The file Oneclick-V6.7.bat was found to be: Known bad.

Malicious Activity Summary

adware defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware stealer trojan

Modifies security service

UAC bypass

Modifies visibility of file extensions in Explorer

Disables service(s)

Modifies boot configuration data using bcdedit

Stops running service(s)

Boot or Logon Autostart Execution: Active Setup

Possible privilege escalation attempt

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Modifies file permissions

Loads dropped DLL

Modifies system executable filetype association

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Power Settings

Indicator Removal: File Deletion

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Hide Artifacts: Ignore Process Interrupts

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Disables Windows logging functionality

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

System policy modification

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Modifies registry key

Kills process with taskkill

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Runs net.exe

Uses Task Scheduler COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

Modifies Control Panel

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-08 08:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 08:56

Reported

2024-11-08 09:01

Platform

win11-20241007-en

Max time kernel

281s

Max time network

272s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"

Signatures

Disables service(s)

evasion execution

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\system32\reg.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Program Files\Open-Shell\StartMenu.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\syswow64\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\yjdn8r C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun" C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console" N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} C:\Windows\System32\MsiExec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{cebc7bee-657a-4db8-a2c6-3ab5ebb24c84}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3973800497-2716210218-310192997-1000_StartupInfo3.xml C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\SysWOW64\StartMenuHelper32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\system32\StartMenuHelper64.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.log C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{cebc7bee-657a-4db8-a2c6-3ab5ebb24c84}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3973800497-2716210218-310192997-1000_UserData.bin C:\Windows\System32\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Open-Shell\ClassicExplorer32.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\PolicyDefinitions.zip C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuHelperL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorer64.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ClassicExplorerSettings.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Basic.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe59f052.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Full Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metallic.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Update.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Immersive.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Smoked Glass.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows 8.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows Aero.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenu.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\StartMenuDLL.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\DesktopToasts.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe59f071.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Windows XP Luna.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk~RFe59f042.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Classic Skin.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShell.chm C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Menu Settings.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe59f003.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\Start Screen.lnk C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\Open-Shell\~tart Screen.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\ExplorerL10N.ini C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Metro.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\Skins\Midnight.skin7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Open-Shell\OpenShellReadme.rtf C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\SystemTemp N/A N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
File created C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEC98.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF0AF171C30DC5C693.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59eb81.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF39E8DDB67F44872E.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59eb7f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFC782BDA269CEE238.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFDEDD39FA4B2901B1.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e59eb7f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Disables Windows logging functionality

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer N/A N/A
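
The BIOS strings queried here, the CentralProcessor key queried above and the Enum\SCSI device keys listed at the top of this section are the usual registry surface a sample reads to decide whether it is inside a sandbox, and the report itself exposes QEMU and "Msft Virtual DVD-ROM" device names in those keys. The following Python is an added example, not code from the report or from the sample: it implements that check over the same values so an analyst can see what the detonation environment leaks. The BIOS values and the marker list are this example's own constructed assumptions (the report records the queries but not the returned data); only the device names are taken from the report.

```python
r"""Registry-based virtualization fingerprint check (added example).

The BIOS strings and the PnP device names under Enum\SCSI are what a sample
typically reads to recognise a VM.  SAMPLE_* below is constructed to mirror
the device names visible in the sandbox report; VM_MARKERS is an assumption.
"""
import re
import sys
from typing import Dict, List, Tuple

# Substrings that identify common hypervisors in BIOS strings or device IDs.
VM_MARKERS = ("qemu", "virtual", "vmware", "vbox", "virtualbox", "kvm", "xen",
              "hyper-v", "bochs", "parallels")

# HKLM-relative keys; CurrentControlSet is an alias of the ControlSet001
# paths shown in the report.
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
SCSI_ENUM = r"SYSTEM\CurrentControlSet\Enum\SCSI"
DEVICE_RE = re.compile(r"Ven_([^&]+)&Prod_([^&\\]+)")


def fingerprint_virtualization(bios: Dict[str, str], scsi_devices: List[str]) -> List[str]:
    """Return the registry locations whose content points at a hypervisor."""
    hits: List[str] = []
    for name in ("SystemManufacturer", "SystemProductName"):
        value = bios.get(name, "")
        if any(m in value.lower() for m in VM_MARKERS):
            hits.append(f"{BIOS_KEY}\\{name} = {value!r}")
    for dev in scsi_devices:
        m = DEVICE_RE.search(dev)
        if m and any(x in f"{m.group(1)} {m.group(2)}".lower() for x in VM_MARKERS):
            hits.append(f"{SCSI_ENUM}\\{dev}")
    return hits


def read_live_host() -> Tuple[Dict[str, str], List[str]]:
    """Read the same keys from a running Windows host (winreg is Windows-only)."""
    import winreg
    bios: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BIOS_KEY) as key:
        for name in ("SystemManufacturer", "SystemProductName"):
            try:
                bios[name] = str(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass
    devices: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM) as key:
        index = 0
        while True:
            try:
                devices.append(winreg.EnumKey(key, index))
            except OSError:          # raised once the subkeys are exhausted
                break
            index += 1
    return bios, devices


# Constructed sample data: device names as they appear in the report, BIOS
# strings assumed for a QEMU guest.
SAMPLE_BIOS = {"SystemManufacturer": "QEMU",
               "SystemProductName": "Standard PC (Q35 + ICH9, 2009)"}
SAMPLE_SCSI = ["CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM",
               "CdRom&Ven_Msft&Prod_Virtual_DVD-ROM",
               "Disk&Ven_WDC&Prod_WDS100T2B0A"]

if __name__ == "__main__":
    bios, devs = read_live_host() if sys.platform == "win32" else (SAMPLE_BIOS, SAMPLE_SCSI)
    for hit in fingerprint_virtualization(bios, devs) or ["no virtualization markers found"]:
        print(hit)
```

Two caveats when reading the result: the "Msft Virtual DVD-ROM" device also appears on bare-metal Windows whenever an ISO is mounted, so on its own it is a weak indicator, whereas a QEMU vendor string is not something a physical machine reports. The WDC disk name in the report is the kind of value a sandbox sets deliberately to look like real hardware; the CD-ROM entries show the masking was incomplete.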

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\Windows\System32\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100001003500000001000000010700005e010000060000000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b7913855d5a02645be18d3ce461d6310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\syswow64\MsiExec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755299663177873" N/A N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ClassicExplorer.DLL\AppID = "{65843E27-A491-429F-84A0-30A947E20F92}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\CurVer\ = "ClassicExplorer.ExplorerBHO.1" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BC4C1B8F-0BDE-4E42-9583-E072B2A28E0D}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers\Default\ = "{5ab14324-c087-42c1-b905-a0bfdb4e9532}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\ShellEx\ContextMenuHandlers C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\Version = "67371199" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\CLSID C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID\ = "ClassicExplorer.ExplorerBand.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\FLAGS C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\CLSID\ = "{553891B7-A0D5-4526-BE18-D3CE461D6310}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBand" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "967" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ = "IClassicCopyExt" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F\StartMenu = "OpenShell" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ = "ShareOverlay Class" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO.1\CLSID C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{65843E27-A491-429F-84A0-30A947E20F92}\ = "ClassicExplorer" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer\ = "ClassicExplorer.ShareOverlay.1" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ShareOverlay\CurVer\ = "ClassicExplorer.ShareOverlay.1" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\ClassicCopyExt\ = "{8C83ACB1-75C3-45D2-882C-EFA32333491C}" C:\Windows\System32\MsiExec.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\ClassicCopyExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\Implemented Categories C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E595F05F-903F-4318-8B0A-7F633B520D2B}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1678625-A011-4B7C-A1FA-D691E4CDDB79}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\TypeLib\Version = "1.0" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBHO\ = "ExplorerBHO Class" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBHO" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32 C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7}\ = "StartMenuHelper" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\TypeLib\ = "{BF8D124A-A4E0-402F-8152-4EF377E62586}" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\0\win32 C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ProgID\ = "ClassicExplorer.ShareOverlay.1" C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\StartMenuExt C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\syswow64\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\ProgID C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\ProductName = "Open-Shell" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\TypeLib C:\Windows\syswow64\MsiExec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E94568AFDD495744E8CD05B486281E7F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
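
The "Modifies Internet Explorer settings" and "Modifies registry class" tables above record the COM registration one row at a time, which hides the picture that matters: the toolbar CLSID {553891B7-A0D5-4526-BE18-D3CE461D6310} resolves through its InprocServer32 to C:\Program Files\Open-Shell\ClassicExplorer64.dll, written by MsiExec.exe for the MSI whose ProductName is recorded as "Open-Shell", and that registration is what the BHO/toolbar signatures in the summary fired on. The one CLSID written under the per-user hive, {86ca1aa0-34aa-4e8b-a509-50c905bae2a2}, was created by powershell.exe, and per-user classes are the COM hijacking surface because they shadow HKLM entries for non-elevated callers; the rows shown only create the key, with no InprocServer32, so it is a lead to check rather than a confirmed hijack. The reg.exe writes of System.IsPinnedToNameSpaceTree = 0 on {018D5C66-4533-4307-9B53-224DE2ED1FE6} are the common tweak that removes the OneDrive node from Explorer's navigation pane. The Python below is an added example, not part of the report, that groups such rows per CLSID and emits those checks; the sample rows are copied from the report, the finding text is this example's own.

```python
"""Rebuild COM class registrations from flattened sandbox registry rows (added example).

Rows look like: <Description> <registry path>[ = "<data>"] <Process> <Target>.
Registry paths contain spaces, so fields are located with regexes rather than
split on whitespace.  CLSIDs are upper-cased so mixed-case rows merge.
"""
import re
from typing import Dict, List

KEY_RE = re.compile(r"\\(CLSID|Toolbar)\\(\{[0-9A-Fa-f-]{36}\})")
INPROC_RE = re.compile(r'InprocServer32\\ = "([^"]+)"')
PROGID_RE = re.compile(r'(?:VersionIndependentProgID|ProgID)\\ = "([^"]+)"')
NAME_RE = re.compile(r'CLSID\\\{[0-9A-Fa-f-]{36}\}\\ = "([^"]+)"')
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def _process_of(row: str) -> str:
    """Image name of the Process column: last drive-letter path before the
    trailing Target column, which is always "N/A" in this report."""
    body = row[:-4] if row.endswith(" N/A") else row
    found = list(DRIVE_RE.finditer(body))
    return body[found[-1].start():].rsplit("\\", 1)[-1].lower() if found else "n/a"


def parse_com_rows(rows: List[str]) -> Dict[str, dict]:
    """Group rows by CLSID and collect DLL, ProgID, class name, hive and writer."""
    records: Dict[str, dict] = {}
    for row in rows:
        m = KEY_RE.search(row)
        if not m:
            continue
        kind, guid = m.group(1), m.group(2).upper()
        rec = records.setdefault(guid, {"hives": set(), "dll": None, "progid": None,
                                        "name": None, "toolbar": False, "processes": set()})
        rec["hives"].add("USER" if "\\REGISTRY\\USER\\" in row else "MACHINE")
        rec["processes"].add(_process_of(row))
        if kind == "Toolbar":
            rec["toolbar"] = True
        d = INPROC_RE.search(row)
        if d:
            rec["dll"] = d.group(1).replace("\\\\", "\\")   # report escapes backslashes in data
        p = PROGID_RE.search(row)
        if p:
            rec["progid"] = p.group(1)
        n = NAME_RE.search(row)
        if n:
            rec["name"] = n.group(1)
    return records


def flag_com_registrations(records: Dict[str, dict]) -> List[str]:
    """Turn grouped records into the two checks an analyst should run."""
    findings: List[str] = []
    for guid, rec in sorted(records.items()):
        who = ", ".join(sorted(rec["processes"]))
        if rec["toolbar"]:
            findings.append(f"Toolbar band {guid} ({rec['progid'] or rec['name'] or 'unnamed'}) "
                            f"loads {rec['dll'] or '<InprocServer32 not seen>'}: verify the DLL "
                            f"signature and the package that registered it ({who})")
        if "USER" in rec["hives"]:
            findings.append(f"per-user CLSID {guid} written by {who}: HKCU classes shadow HKLM "
                            f"for non-elevated callers, check whether it gains an InprocServer32 "
                            f"({rec['dll'] or 'none seen in these rows'})")
    return findings


# Rows copied from the report (Description / path / Process / Target).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\VersionIndependentProgID\ = "ClassicExplorer.ExplorerBand" C:\Windows\System32\MsiExec.exe N/A',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} C:\Windows\System32\MsiExec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{449D0D6E-2412-4E61-B68F-1CB625CD9E52}\ = "ExplorerBHO Class" C:\Windows\System32\MsiExec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82e749ed-b971-4550-baf7-06aa2bf7e836}\InprocServer32\ = "C:\\Windows\\system32\\StartMenuHelper64.dll" C:\Windows\System32\MsiExec.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A',
]

if __name__ == "__main__":
    for finding in flag_com_registrations(parse_com_rows(SAMPLE_ROWS)):
        print(finding)
```

On a live host the same grouping can be driven from a registry export of HKLM\SOFTWARE\Classes\CLSID and HKCU\Software\Classes\CLSID; the decisive follow-up for the toolbar entry is an Authenticode check of ClassicExplorer64.dll and a comparison of its hash with the Open-Shell release the MSI claims to be, since a trojanised installer would produce exactly these rows.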

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
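
The timeout.exe, taskkill.exe and EnumeratesProcesses tables above carry nothing but the Process column, so the useful triage step is to group rows by image and separate the sample's own tooling from background activity. Two paths in these tables sit under C:\Oneclick Tools\ (OOSU10.exe, the O&O ShutUp10 executable, and NSudoLG.exe, the launcher from the NSudo project), which is presumably the directory the .bat unpacks into; the rest are Windows-native binaries such as timeout.exe and powershell.exe, whose rows mean little without the command lines recorded in the Processes section, and processes like explorer.exe, svchost.exe, vssvc.exe, Taskmgr.exe and the servicing-stack TiWorker.exe that appear in every detonation. The Python below is an added example, not part of the report, that performs that split; the staging directory and the two image lists are this example's assumptions, and the sample rows are copied from the report.

```python
"""Attribute flattened sandbox rows to the sample's tooling vs. OS noise (added example)."""
import re
from collections import Counter
from typing import Tuple

STAGING_DIR = "c:\\oneclick tools\\"      # assumption: where the .bat unpacks its tools

# Windows-native binaries a .bat typically drives; only meaningful with the
# command line, which these tables omit.
LOLBINS = {"timeout.exe", "taskkill.exe", "reg.exe", "powershell.exe", "sc.exe",
           "net.exe", "bcdedit.exe", "cmd.exe", "msiexec.exe", "schtasks.exe"}

# Processes present in every detonation regardless of the sample.
OS_NOISE = {"explorer.exe", "svchost.exe", "vssvc.exe", "tiworker.exe",
            "taskmgr.exe", "searchhost.exe"}

DRIVE_RE = re.compile(r"[A-Za-z]:\\")


def extract_process(row: str) -> str:
    """Process column of one row, or "N/A".

    Columns are space separated and registry paths contain spaces, so the
    process is taken as the last drive-letter path before the Target column
    (always "N/A" in this report).  Value data may itself contain a path, which
    is why the last match is used.
    """
    body = row[:-4] if row.endswith(" N/A") else row.rsplit(" ", 1)[0]
    matches = list(DRIVE_RE.finditer(body))
    return body[matches[-1].start():] if matches else "N/A"


def classify(process: str) -> Tuple[str, str]:
    """Map a process path to (category, lower-case image name)."""
    image = process.rsplit("\\", 1)[-1].lower()
    path = process.lower()
    if process == "N/A":
        return "unattributed", image
    if path.startswith(STAGING_DIR):
        return "dropped-tool", image
    if image in LOLBINS:
        return "lolbin", image
    if image in OS_NOISE or "\\winsxs\\" in path:
        return "os-noise", image
    return "other", image


def summarize(rows) -> Counter:
    """Row count per (category, image): the sample's own processes next to the
    volume of background activity."""
    return Counter(classify(extract_process(r)) for r in rows)


# Rows copied from the report's tables.
SAMPLE_ROWS = [
    r"N/A N/A C:\Windows\system32\timeout.exe N/A",
    r"N/A N/A C:\Windows\system32\timeout.exe N/A",
    r"N/A N/A N/A N/A",
    r"N/A N/A C:\Windows\system32\taskkill.exe N/A",
    r"N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A",
    r"N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A",
    r"Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" C:\Windows\System32\MsiExec.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A',
]

if __name__ == "__main__":
    for (category, image), count in sorted(summarize(SAMPLE_ROWS).items()):
        print(f"{category:13} {image:20} {count}")
```

Rows in the "dropped-tool" bucket are the ones to pivot on in the Processes and Files sections; "lolbin" rows need their command lines before they say anything; "os-noise" rows, including the SeBackup/SeRestore/SeSecurity token adjustments by TiWorker.exe, are what the servicing stack does on its own and should not be counted against the sample.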

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe
PID 1300 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe
PID 1300 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1300 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1300 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1300 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1300 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 4104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1300 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1300 wrote to memory of 648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1300 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1300 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3320 wrote to memory of 3340 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3320 wrote to memory of 3340 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1300 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1300 wrote to memory of 3124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1300 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 1300 wrote to memory of 252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 1300 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 3040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1300 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1300 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 3688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 3688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1300 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 2508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 3160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1300 wrote to memory of 3088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1300 wrote to memory of 3088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\sc.exe

sc query "WinDefend"

C:\Windows\system32\find.exe

find "STATE"

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc qc "TrustedInstaller"

C:\Windows\system32\find.exe

find "START_TYPE"

C:\Windows\system32\find.exe

find "DISABLED"

C:\Windows\system32\sc.exe

sc config TrustedInstaller start=auto

C:\Windows\system32\net.exe

net start TrustedInstaller

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TrustedInstaller

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding

C:\Windows\system32\curl.exe

curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\tar.exe

tar -xf "C:\\Oneclick Tools.zip" --strip-components=1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f

C:\Windows\system32\powercfg.exe

powercfg.exe /hibernate off

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config HomeGroupListener start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupProvider start=demand

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config AJRouter start=disabled

C:\Windows\system32\sc.exe

sc config ALG start=demand

C:\Windows\system32\sc.exe

sc config AppIDSvc start=demand

C:\Windows\system32\sc.exe

sc config AppMgmt start=demand

C:\Windows\system32\sc.exe

sc config AppReadiness start=demand

C:\Windows\system32\sc.exe

sc config AppVClient start=disabled

C:\Windows\system32\sc.exe

sc config AppXSvc start=demand

C:\Windows\system32\sc.exe

sc config Appinfo start=demand

C:\Windows\system32\sc.exe

sc config AssignedAccessManagerSvc start=disabled

C:\Windows\system32\sc.exe

sc config AudioEndpointBuilder start=auto

C:\Windows\system32\sc.exe

sc config AudioSrv start=auto

C:\Windows\system32\sc.exe

sc config Audiosrv start=auto

C:\Windows\system32\sc.exe

sc config AxInstSV start=demand

C:\Windows\system32\sc.exe

sc config BDESVC start=demand

C:\Windows\system32\sc.exe

sc config BFE start=auto

C:\Windows\system32\sc.exe

sc config BITS start=delayed-auto

C:\Windows\system32\sc.exe

sc config BTAGService start=demand

C:\Windows\system32\sc.exe

sc config BcastDVRUserService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config BluetoothUserService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config BrokerInfrastructure start=auto

C:\Windows\system32\sc.exe

sc config Browser start=demand

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start=auto

C:\Windows\system32\sc.exe

sc config BthHFSrv start=auto

C:\Windows\system32\sc.exe

sc config CDPSvc start=demand

C:\Windows\system32\sc.exe

sc config CDPUserSvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config COMSysApp start=demand

C:\Windows\system32\sc.exe

sc config CaptureService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CertPropSvc start=demand

C:\Windows\system32\sc.exe

sc config ClipSVC start=demand

C:\Windows\system32\sc.exe

sc config ConsentUxUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CoreMessagingRegistrar start=auto

C:\Windows\system32\sc.exe

sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CryptSvc start=auto

C:\Windows\system32\sc.exe

sc config CscService start=demand

C:\Windows\system32\sc.exe

sc config DPS start=auto

C:\Windows\system32\sc.exe

sc config DcomLaunch start=auto

C:\Windows\system32\sc.exe

sc config DcpSvc start=demand

C:\Windows\system32\sc.exe

sc config DevQueryBroker start=demand

C:\Windows\system32\sc.exe

sc config DeviceAssociationBrokerSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config DeviceAssociationService start=demand

C:\Windows\system32\sc.exe

sc config DeviceInstall start=demand

C:\Windows\system32\sc.exe

sc config DevicePickerUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config Dhcp start=auto

C:\Windows\system32\sc.exe

sc config DiagTrack start=disabled

C:\Windows\system32\sc.exe

sc config DialogBlockingService start=disabled

C:\Windows\system32\sc.exe

sc config DispBrokerDesktopSvc start=auto

C:\Windows\system32\sc.exe

sc config DisplayEnhancementService start=demand

C:\Windows\system32\sc.exe

sc config DmEnrollmentSvc start=demand

C:\Windows\system32\sc.exe

sc config Dnscache start=auto

C:\Windows\system32\sc.exe

sc config DoSvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config DsSvc start=demand

C:\Windows\system32\sc.exe

sc config DsmSvc start=demand

C:\Windows\system32\sc.exe

sc config DusmSvc start=auto

C:\Windows\system32\sc.exe

sc config EFS start=demand

C:\Windows\system32\sc.exe

sc config EapHost start=demand

C:\Windows\system32\sc.exe

sc config EntAppSvc start=demand

C:\Windows\system32\sc.exe

sc config EventLog start=auto

C:\Windows\system32\sc.exe

sc config EventSystem start=auto

C:\Windows\system32\sc.exe

sc config FDResPub start=demand

C:\Windows\system32\sc.exe

sc config Fax start=demand

C:\Windows\system32\sc.exe

sc config FontCache start=auto

C:\Windows\system32\sc.exe

sc config FrameServer start=demand

C:\Windows\system32\sc.exe

sc config FrameServerMonitor start=demand

C:\Windows\system32\sc.exe

sc config GraphicsPerfSvc start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupListener start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupProvider start=demand

C:\Windows\system32\sc.exe

sc config HvHost start=demand

C:\Windows\system32\sc.exe

sc config IEEtwCollectorService start=demand

C:\Windows\system32\sc.exe

sc config IKEEXT start=demand

C:\Windows\system32\sc.exe

sc config InstallService start=demand

C:\Windows\system32\sc.exe

sc config InventorySvc start=demand

C:\Windows\system32\sc.exe

sc config IpxlatCfgSvc start=demand

C:\Windows\system32\sc.exe

sc config KeyIso start=auto

C:\Windows\system32\sc.exe

sc config KtmRm start=demand

C:\Windows\system32\sc.exe

sc config LSM start=auto

C:\Windows\system32\sc.exe

sc config LanmanServer start=auto

C:\Windows\system32\sc.exe

sc config LanmanWorkstation start=auto

C:\Windows\system32\sc.exe

sc config LicenseManager start=demand

C:\Windows\system32\sc.exe

sc config LxpSvc start=demand

C:\Windows\system32\sc.exe

sc config MSDTC start=demand

C:\Windows\system32\sc.exe

sc config MSiSCSI start=demand

C:\Windows\system32\sc.exe

sc config MapsBroker start=delayed-auto

C:\Windows\system32\sc.exe

sc config McpManagementService start=demand

C:\Windows\system32\sc.exe

sc config MessagingService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config MicrosoftEdgeElevationService start=demand

C:\Windows\system32\sc.exe

sc config MixedRealityOpenXRSvc start=demand

C:\Windows\system32\sc.exe

sc config MpsSvc start=auto

C:\Windows\system32\sc.exe

sc config MsKeyboardFilter start=demand

C:\Windows\system32\sc.exe

sc config NPSMSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config NaturalAuthentication start=demand

C:\Windows\system32\sc.exe

sc config NcaSvc start=demand

C:\Windows\system32\sc.exe

sc config NcbService start=demand

C:\Windows\system32\sc.exe

sc config NcdAutoSetup start=demand

C:\Windows\system32\sc.exe

sc config NetSetupSvc start=demand

C:\Windows\system32\sc.exe

sc config NetTcpPortSharing start=disabled

C:\Windows\system32\sc.exe

sc config Netlogon start=demand

C:\Windows\system32\sc.exe

sc config Netman start=demand

C:\Windows\system32\sc.exe

sc config NgcCtnrSvc start=demand

C:\Windows\system32\sc.exe

sc config NgcSvc start=demand

C:\Windows\system32\sc.exe

sc config NlaSvc start=demand

C:\Windows\system32\sc.exe

sc config OneSyncSvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config P9RdrService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PNRPAutoReg start=demand

C:\Windows\system32\sc.exe

sc config PNRPsvc start=demand

C:\Windows\system32\sc.exe

sc config PcaSvc start=demand

C:\Windows\system32\sc.exe

sc config PeerDistSvc start=demand

C:\Windows\system32\sc.exe

sc config PenService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PerfHost start=demand

C:\Windows\system32\sc.exe

sc config PhoneSvc start=demand

C:\Windows\system32\sc.exe

sc config PimIndexMaintenanceSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PlugPlay start=demand

C:\Windows\system32\sc.exe

sc config PolicyAgent start=demand

C:\Windows\system32\sc.exe

sc config Power start=auto

C:\Windows\system32\sc.exe

sc config PrintNotify start=demand

C:\Windows\system32\sc.exe

sc config PrintWorkflowUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config ProfSvc start=auto

C:\Windows\system32\sc.exe

sc config PushToInstall start=demand

C:\Windows\system32\sc.exe

sc config QWAVE start=demand

C:\Windows\system32\sc.exe

sc config RasAuto start=demand

C:\Windows\system32\sc.exe

sc config RasMan start=demand

C:\Windows\system32\sc.exe

sc config RemoteAccess start=disabled

C:\Windows\system32\sc.exe

sc config RemoteRegistry start=disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=demand

C:\Windows\system32\sc.exe

sc config RmSvc start=demand

C:\Windows\system32\sc.exe

sc config RpcEptMapper start=auto

C:\Windows\system32\sc.exe

sc config RpcLocator start=demand

C:\Windows\system32\sc.exe

sc config RpcSs start=auto

C:\Windows\system32\sc.exe

sc config SCPolicySvc start=demand

C:\Windows\system32\sc.exe

sc config SCardSvr start=demand

C:\Windows\system32\sc.exe

sc config SDRSVC start=demand

C:\Windows\system32\sc.exe

sc config SEMgrSvc start=demand

C:\Windows\system32\sc.exe

sc config SENS start=auto

C:\Windows\system32\sc.exe

sc config SNMPTRAP start=demand

C:\Windows\system32\sc.exe

sc config SNMPTrap start=demand

C:\Windows\system32\sc.exe

sc config SSDPSRV start=demand

C:\Windows\system32\sc.exe

sc config SamSs start=auto

C:\Windows\system32\sc.exe

sc config ScDeviceEnum start=demand

C:\Windows\system32\sc.exe

sc config Schedule start=auto

C:\Windows\system32\sc.exe

sc config SecurityHealthService start=demand

C:\Windows\system32\sc.exe

sc config Sense start=demand

C:\Windows\system32\sc.exe

sc config SensorDataService start=demand

C:\Windows\system32\sc.exe

sc config SensorService start=demand

C:\Windows\system32\sc.exe

sc config SensrSvc start=demand

C:\Windows\system32\sc.exe

sc config SessionEnv start=demand

C:\Windows\system32\sc.exe

sc config SgrmBroker start=auto

C:\Windows\system32\sc.exe

sc config SharedAccess start=demand

C:\Windows\system32\sc.exe

sc config SharedRealitySvc start=demand

C:\Windows\system32\sc.exe

sc config ShellHWDetection start=auto

C:\Windows\system32\sc.exe

sc config SmsRouter start=demand

C:\Windows\system32\sc.exe

sc config Spooler start=auto

C:\Windows\system32\sc.exe

sc config SstpSvc start=demand

C:\Windows\system32\sc.exe

sc config StateRepository start=demand

C:\Windows\system32\sc.exe

sc config StiSvc start=demand

C:\Windows\system32\sc.exe

sc config StorSvc start=demand

C:\Windows\system32\sc.exe

sc config SysMain start=auto

C:\Windows\system32\sc.exe

sc config SystemEventsBroker start=auto

C:\Windows\system32\sc.exe

sc config TabletInputService start=demand

C:\Windows\system32\sc.exe

sc config TapiSrv start=demand

C:\Windows\system32\sc.exe

sc config TermService start=auto

C:\Windows\system32\sc.exe

sc config TextInputManagementService start=demand

C:\Windows\system32\sc.exe

sc config Themes start=auto

C:\Windows\system32\sc.exe

sc config TieringEngineService start=demand

C:\Windows\system32\sc.exe

sc config TimeBroker start=demand

C:\Windows\system32\sc.exe

sc config TimeBrokerSvc start=demand

C:\Windows\system32\sc.exe

sc config TokenBroker start=demand

C:\Windows\system32\sc.exe

sc config TrkWks start=auto

C:\Windows\system32\sc.exe

sc config TroubleshootingSvc start=demand

C:\Windows\system32\sc.exe

sc config TrustedInstaller start=demand

C:\Windows\system32\sc.exe

sc config UI0Detect start=demand

C:\Windows\system32\sc.exe

sc config UdkUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UevAgentService start=disabled

C:\Windows\system32\sc.exe

sc config UmRdpService start=demand

C:\Windows\system32\sc.exe

sc config UnistoreSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UserDataSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UserManager start=auto

C:\Windows\system32\sc.exe

sc config UsoSvc start=demand

C:\Windows\system32\sc.exe

sc config VGAuthService start=auto

C:\Windows\system32\sc.exe

sc config VMTools start=auto

C:\Windows\system32\sc.exe

sc config VSS start=demand

C:\Windows\system32\sc.exe

sc config VacSvc start=demand

C:\Windows\system32\sc.exe

sc config VaultSvc start=auto

C:\Windows\system32\sc.exe

sc config W32Time start=demand

C:\Windows\system32\sc.exe

sc config WEPHOSTSVC start=demand

C:\Windows\system32\sc.exe

sc config WFDSConMgrSvc start=demand

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start=demand

C:\Windows\system32\sc.exe

sc config WManSvc start=demand

C:\Windows\system32\sc.exe

sc config WPDBusEnum start=demand

C:\Windows\system32\sc.exe

sc config WSService start=demand

C:\Windows\system32\sc.exe

sc config WSearch start=delayed-auto

C:\Windows\system32\sc.exe

sc config WaaSMedicSvc start=demand

C:\Windows\system32\sc.exe

sc config WalletService start=demand

C:\Windows\system32\sc.exe

sc config WarpJITSvc start=demand

C:\Windows\system32\sc.exe

sc config WbioSrvc start=demand

C:\Windows\system32\sc.exe

sc config Wcmsvc start=auto

C:\Windows\system32\sc.exe

sc config WcsPlugInService start=demand

C:\Windows\system32\sc.exe

sc config WdNisSvc start=demand

C:\Windows\system32\sc.exe

sc config WdiServiceHost start=demand

C:\Windows\system32\sc.exe

sc config WdiSystemHost start=demand

C:\Windows\system32\sc.exe

sc config WebClient start=demand

C:\Windows\system32\sc.exe

sc config Wecsvc start=demand

C:\Windows\system32\sc.exe

sc config WerSvc start=demand

C:\Windows\system32\sc.exe

sc config WiaRpc start=demand

C:\Windows\system32\sc.exe

sc config WinDefend start=auto

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start=demand

C:\Windows\system32\sc.exe

sc config WinRM start=demand

C:\Windows\system32\sc.exe

sc config Winmgmt start=auto

C:\Windows\system32\sc.exe

sc config WlanSvc start=auto

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=demand

C:\Windows\system32\sc.exe

sc config WpnService start=demand

C:\Windows\system32\sc.exe

sc config WpnUserService_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config WwanSvc start=demand

C:\Windows\system32\sc.exe

sc config XblAuthManager start=demand

C:\Windows\system32\sc.exe

sc config XblGameSave start=demand

C:\Windows\system32\sc.exe

sc config XboxGipSvc start=demand

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start=demand

C:\Windows\system32\sc.exe

sc config autotimesvc start=demand

C:\Windows\system32\sc.exe

sc config bthserv start=demand

C:\Windows\system32\sc.exe

sc config camsvc start=demand

C:\Windows\system32\sc.exe

sc config cbdhsvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config cloudidsvc start=demand

C:\Windows\system32\sc.exe

sc config dcsvc start=demand

C:\Windows\system32\sc.exe

sc config defragsvc start=demand

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start=demand

C:\Windows\system32\sc.exe

sc config diagsvc start=demand

C:\Windows\system32\sc.exe

sc config dmwappushservice start=demand

C:\Windows\system32\sc.exe

sc config dot3svc start=demand

C:\Windows\system32\sc.exe

sc config edgeupdate start=demand

C:\Windows\system32\sc.exe

sc config edgeupdatem start=demand

C:\Windows\system32\sc.exe

sc config embeddedmode start=demand

C:\Windows\system32\sc.exe

sc config fdPHost start=demand

C:\Windows\system32\sc.exe

sc config fhsvc start=demand

C:\Windows\system32\sc.exe

sc config gpsvc start=auto

C:\Windows\system32\sc.exe

sc config hidserv start=demand

C:\Windows\system32\sc.exe

sc config icssvc start=demand

C:\Windows\system32\sc.exe

sc config iphlpsvc start=auto

C:\Windows\system32\sc.exe

sc config lfsvc start=demand

C:\Windows\system32\sc.exe

sc config lltdsvc start=demand

C:\Windows\system32\sc.exe

sc config lmhosts start=demand

C:\Windows\system32\sc.exe

sc config mpssvc start=auto

C:\Windows\system32\sc.exe

sc config msiserver start=demand

C:\Windows\system32\sc.exe

sc config netprofm start=demand

C:\Windows\system32\sc.exe

sc config nsi start=auto

C:\Windows\system32\sc.exe

sc config p2pimsvc start=demand

C:\Windows\system32\sc.exe

sc config p2psvc start=demand

C:\Windows\system32\sc.exe

sc config perceptionsimulation start=demand

C:\Windows\system32\sc.exe

sc config pla start=demand

C:\Windows\system32\sc.exe

sc config seclogon start=demand

C:\Windows\system32\sc.exe

sc config shpamsvc start=disabled

C:\Windows\system32\sc.exe

sc config smphost start=demand

C:\Windows\system32\sc.exe

sc config spectrum start=demand

C:\Windows\system32\sc.exe

sc config sppsvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config ssh-agent start=disabled

C:\Windows\system32\sc.exe

sc config svsvc start=demand

C:\Windows\system32\sc.exe

sc config swprv start=demand

C:\Windows\system32\sc.exe

sc config tiledatamodelsvc start=auto

C:\Windows\system32\sc.exe

sc config tzautoupdate start=disabled

C:\Windows\system32\sc.exe

sc config uhssvc start=disabled

C:\Windows\system32\sc.exe

sc config upnphost start=demand

C:\Windows\system32\sc.exe

sc config vds start=demand

C:\Windows\system32\sc.exe

sc config vm3dservice start=demand

C:\Windows\system32\sc.exe

sc config vmicguestinterface start=demand

C:\Windows\system32\sc.exe

sc config vmicheartbeat start=demand

C:\Windows\system32\sc.exe

sc config vmickvpexchange start=demand

C:\Windows\system32\sc.exe

sc config vmicrdv start=demand

C:\Windows\system32\sc.exe

sc config vmicshutdown start=demand

C:\Windows\system32\sc.exe

sc config vmictimesync start=demand

C:\Windows\system32\sc.exe

sc config vmicvmsession start=demand

C:\Windows\system32\sc.exe

sc config vmicvss start=demand

C:\Windows\system32\sc.exe

sc config vmvss start=demand

C:\Windows\system32\sc.exe

sc config wbengine start=demand

C:\Windows\system32\sc.exe

sc config wcncsvc start=demand

C:\Windows\system32\sc.exe

sc config webthreatdefsvc start=demand

C:\Windows\system32\sc.exe

sc config webthreatdefusersvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config wercplsupport start=demand

C:\Windows\system32\sc.exe

sc config wisvc start=demand

C:\Windows\system32\sc.exe

sc config wlidsvc start=demand

C:\Windows\system32\sc.exe

sc config wlpasvc start=demand

C:\Windows\system32\sc.exe

sc config wmiApSrv start=demand

C:\Windows\system32\sc.exe

sc config workfolderssvc start=demand

C:\Windows\system32\sc.exe

sc config wscsvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config wuauserv start=demand

C:\Windows\system32\sc.exe

sc config wudfsvc start=demand

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootmenupolicy Legacy

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild

C:\Windows\system32\findstr.exe

findstr /r /c:"CurrentBuild"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"

C:\Windows\system32\Taskmgr.exe

"C:\Windows\system32\Taskmgr.exe"

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences

C:\Windows\system32\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\curl.exe

curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"

C:\Windows\system32\curl.exe

curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"

C:\Oneclick Tools\OOShutup10\OOSU10.exe

"C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\sc.exe

sc config wlidsvc start= disabled

C:\Windows\system32\sc.exe

sc config DisplayEnhancementService start= disabled

C:\Windows\system32\sc.exe

sc config DiagTrack start= disabled

C:\Windows\system32\sc.exe

sc config DusmSvc start= disabled

C:\Windows\system32\sc.exe

sc config TabletInputService start= disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start= disabled

C:\Windows\system32\sc.exe

sc config Fax start= disabled

C:\Windows\system32\sc.exe

sc config SharedAccess start= disabled

C:\Windows\system32\sc.exe

sc config lfsvc start= disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start= disabled

C:\Windows\system32\sc.exe

sc config SessionEnv start= disabled

C:\Windows\system32\sc.exe

sc config MicrosoftEdgeElevationService start= disabled

C:\Windows\system32\sc.exe

sc config edgeupdate start= disabled

C:\Windows\system32\sc.exe

sc config edgeupdatem start= disabled

C:\Windows\system32\sc.exe

sc config autotimesvc start= disabled

C:\Windows\system32\sc.exe

sc config CscService start= disabled

C:\Windows\system32\sc.exe

sc config TermService start= disabled

C:\Windows\system32\sc.exe

sc config SensorDataService start= disabled

C:\Windows\system32\sc.exe

sc config SensorService start= disabled

C:\Windows\system32\sc.exe

sc config SensrSvc start= disabled

C:\Windows\system32\sc.exe

sc config shpamsvc start= disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start= disabled

C:\Windows\system32\sc.exe

sc config PhoneSvc start= disabled

C:\Windows\system32\sc.exe

sc config TapiSrv start= disabled

C:\Windows\system32\sc.exe

sc config UevAgentService start= disabled

C:\Windows\system32\sc.exe

sc config WalletService start= disabled

C:\Windows\system32\sc.exe

sc config TokenBroker start= disabled

C:\Windows\system32\sc.exe

sc config WebClient start= disabled

C:\Windows\system32\sc.exe

sc config MixedRealityOpenXRSvc start= disabled

C:\Windows\system32\sc.exe

sc config stisvc start= disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start= disabled

C:\Windows\system32\sc.exe

sc config icssvc start= disabled

C:\Windows\system32\sc.exe

sc config Wecsvc start= disabled

C:\Windows\system32\sc.exe

sc config XboxGipSvc start= disabled

C:\Windows\system32\sc.exe

sc config XblAuthManager start= disabled

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start= disabled

C:\Windows\system32\sc.exe

sc config XblGameSave start= disabled

C:\Windows\system32\sc.exe

sc config SEMgrSvc start= disabled

C:\Windows\system32\sc.exe

sc config iphlpsvc start= disabled

C:\Windows\system32\sc.exe

sc config Backupper Service start= disabled

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start= disabled

C:\Windows\system32\sc.exe

sc config BDESVC start= disabled

C:\Windows\system32\sc.exe

sc config cbdhsvc start= disabled

C:\Windows\system32\sc.exe

sc config CDPSvc start= disabled

C:\Windows\system32\sc.exe

sc config CDPUserSvc start= disabled

C:\Windows\system32\sc.exe

sc config DevQueryBroker start= disabled

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc start= disabled

C:\Windows\system32\sc.exe

sc config dmwappushservice start= disabled

C:\Windows\system32\sc.exe

sc config DispBrokerDesktopSvc start= disabled

C:\Windows\system32\sc.exe

sc config TrkWks start= disabled

C:\Windows\system32\sc.exe

sc config dLauncherLoopback start= disabled

C:\Windows\system32\sc.exe

sc config EFS start= disabled

C:\Windows\system32\sc.exe

sc config fdPHost start= disabled

C:\Windows\system32\sc.exe

sc config FDResPub start= disabled

C:\Windows\system32\sc.exe

sc config IKEEXT start= disabled

C:\Windows\system32\sc.exe

sc config NPSMSvc start= disabled

C:\Windows\system32\sc.exe

sc config WPDBusEnum start= disabled

C:\Windows\system32\sc.exe

sc config PcaSvc start= disabled

C:\Windows\system32\sc.exe

sc config RasMan start= disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start=disabled

C:\Windows\system32\sc.exe

sc config ShellHWDetection start= disabled

C:\Windows\system32\sc.exe

sc config SSDPSRV start= disabled

C:\Windows\system32\sc.exe

sc config SysMain start= disabled

C:\Windows\system32\sc.exe

sc config OneSyncSvc start= disabled

C:\Windows\system32\sc.exe

sc config lmhosts start= disabled

C:\Windows\system32\sc.exe

sc config UserDataSvc start= disabled

C:\Windows\system32\sc.exe

sc config UnistoreSvc start= disabled

C:\Windows\system32\sc.exe

sc config Wcmsvc start= disabled

C:\Windows\system32\sc.exe

sc config FontCache start= disabled

C:\Windows\system32\sc.exe

sc config W32Time start= disabled

C:\Windows\system32\sc.exe

sc config tzautoupdate start= disabled

C:\Windows\system32\sc.exe

sc config DsSvc start= disabled

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config diagsvc start= disabled

C:\Windows\system32\sc.exe

sc config DialogBlockingService start= disabled

C:\Windows\system32\sc.exe

sc config PimIndexMaintenanceSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config MessagingService_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config AppVClient start= disabled

C:\Windows\system32\sc.exe

sc config MsKeyboardFilter start= disabled

C:\Windows\system32\sc.exe

sc config NetTcpPortSharing start= disabled

C:\Windows\system32\sc.exe

sc config ssh-agent start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config OneSyncSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config wercplsupport start= disabled

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start= disabled

C:\Windows\system32\sc.exe

sc config WerSvc start= disabled

C:\Windows\system32\sc.exe

sc config WpnUserService_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start= disabled

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDInstallLauncher" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDLinkUpdate" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "ModifyLinkUpdate" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "SoftMakerUpdater" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "StartCN" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "StartDVR" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc stop uhssvc

C:\Windows\system32\sc.exe

sc stop upfc

C:\Windows\system32\sc.exe

sc stop PushToInstall

C:\Windows\system32\sc.exe

sc stop BITS

C:\Windows\system32\sc.exe

sc stop InstallService

C:\Windows\system32\sc.exe

sc stop uhssvc

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop LanmanServer

C:\Windows\system32\sc.exe

sc config BITS start= disabled

C:\Windows\system32\sc.exe

sc config InstallService start= disabled

C:\Windows\system32\sc.exe

sc config uhssvc start= disabled

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc config LanmanServer start= disabled

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config RemoteRegistry start= disabled

C:\Windows\system32\sc.exe

sc config RemoteAccess start= disabled

C:\Windows\system32\sc.exe

sc config WinRM start= disabled

C:\Windows\system32\sc.exe

sc config RmSvc start= disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config PrintNotify start= disabled

C:\Windows\system32\sc.exe

sc config Spooler start= disabled

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config PrintNotify start= disabled

C:\Windows\system32\sc.exe

sc config Spooler start= disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config NlaSvc start= disabled

C:\Windows\system32\sc.exe

sc config LanmanWorkstation start= disabled

C:\Windows\system32\sc.exe

sc config BFE start= demand

C:\Windows\system32\sc.exe

sc config Dnscache start= demand

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start= demand

C:\Windows\system32\sc.exe

sc config Dhcp start= auto

C:\Windows\system32\sc.exe

sc config DPS start= auto

C:\Windows\system32\sc.exe

sc config lmhosts start= disabled

C:\Windows\system32\sc.exe

sc config nsi start= auto

C:\Windows\system32\sc.exe

sc config Wcmsvc start= disabled

C:\Windows\system32\sc.exe

sc config Winmgmt start= auto

C:\Windows\system32\sc.exe

sc config WlanSvc start= demand

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config ALG start=disabled

C:\Windows\system32\sc.exe

sc config AJRouter start=disabled

C:\Windows\system32\sc.exe

sc config XblAuthManager start=disabled

C:\Windows\system32\sc.exe

sc config XblGameSave start=disabled

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start=disabled

C:\Windows\system32\sc.exe

sc config WSearch start=disabled

C:\Windows\system32\sc.exe

sc config lfsvc start=disabled

C:\Windows\system32\sc.exe

sc config RemoteRegistry start=disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=disabled

C:\Windows\system32\sc.exe

sc config SEMgrSvc start=disabled

C:\Windows\system32\sc.exe

sc config SCardSvr start=disabled

C:\Windows\system32\sc.exe

sc config Netlogon start=disabled

C:\Windows\system32\sc.exe

sc config CscService start=disabled

C:\Windows\system32\sc.exe

sc config icssvc start=disabled

C:\Windows\system32\sc.exe

sc config wisvc start=disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=disabled

C:\Windows\system32\sc.exe

sc config WalletService start=disabled

C:\Windows\system32\sc.exe

sc config Fax start=disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start=disabled

C:\Windows\system32\sc.exe

sc config iphlpsvc start=disabled

C:\Windows\system32\sc.exe

sc config wcncsvc start=disabled

C:\Windows\system32\sc.exe

sc config fhsvc start=disabled

C:\Windows\system32\sc.exe

sc config PhoneSvc start=disabled

C:\Windows\system32\sc.exe

sc config seclogon start=disabled

C:\Windows\system32\sc.exe

sc config FrameServer start=disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start=disabled

C:\Windows\system32\sc.exe

sc config StiSvc start=disabled

C:\Windows\system32\sc.exe

sc config PcaSvc start=disabled

C:\Windows\system32\sc.exe

sc config DPS start=disabled

C:\Windows\system32\sc.exe

sc config MapsBroker start=disabled

C:\Windows\system32\sc.exe

sc config bthserv start=disabled

C:\Windows\system32\sc.exe

sc config BDESVC start=disabled

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start=disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=disabled

C:\Windows\system32\sc.exe

sc config DiagTrack start=disabled

C:\Windows\system32\sc.exe

sc config CertPropSvc start=disabled

C:\Windows\system32\sc.exe

sc config WdiServiceHost start=disabled

C:\Windows\system32\sc.exe

sc config lmhosts start=disabled

C:\Windows\system32\sc.exe

sc config WdiSystemHost start=disabled

C:\Windows\system32\sc.exe

sc config TrkWks start=disabled

C:\Windows\system32\sc.exe

sc config WerSvc start=disabled

C:\Windows\system32\sc.exe

sc config TabletInputService start=disabled

C:\Windows\system32\sc.exe

sc config EntAppSvc start=disabled

C:\Windows\system32\sc.exe

sc config Spooler start=disabled

C:\Windows\system32\sc.exe

sc config BcastDVRUserService start=disabled

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start=disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start=disabled

C:\Windows\system32\sc.exe

sc config DmEnrollmentSvc start=disabled

C:\Windows\system32\sc.exe

sc config PNRPAutoReg start=disabled

C:\Windows\system32\sc.exe

sc config wlidsvc start=disabled

C:\Windows\system32\sc.exe

sc config AXInstSV start=disabled

C:\Windows\system32\sc.exe

sc config lfsvc start=disabled

C:\Windows\system32\sc.exe

sc config NcbService start=disabled

C:\Windows\system32\sc.exe

sc config DeviceAssociationService start=disabled

C:\Windows\system32\sc.exe

sc config StorSvc start=disabled

C:\Windows\system32\sc.exe

sc config TieringEngineService start=disabled

C:\Windows\system32\sc.exe

sc config DPS start=disabled

C:\Windows\system32\sc.exe

sc config Themes start=disabled

C:\Windows\system32\sc.exe

sc config AppReadiness start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config HvHost start=disabled

C:\Windows\system32\sc.exe

sc config vmickvpexchange start=disabled

C:\Windows\system32\sc.exe

sc config vmicguestinterface start=disabled

C:\Windows\system32\sc.exe

sc config vmicshutdown start=disabled

C:\Windows\system32\sc.exe

sc config vmicheartbeat start=disabled

C:\Windows\system32\sc.exe

sc config vmicvmsession start=disabled

C:\Windows\system32\sc.exe

sc config vmicrdv start=disabled

C:\Windows\system32\sc.exe

sc config vmictimesync start=disabled

C:\Windows\system32\sc.exe

sc config vmicvss start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config edgeupdate start=disabled

C:\Windows\system32\sc.exe

sc config edgeupdatem start=disabled

C:\Windows\system32\sc.exe

sc config GoogleChromeElevationService start=disabled

C:\Windows\system32\sc.exe

sc config gupdate start=disabled

C:\Windows\system32\sc.exe

sc config gupdatem start=disabled

C:\Windows\system32\sc.exe

sc config BraveElevationService start=disabled

C:\Windows\system32\sc.exe

sc config brave start=disabled

C:\Windows\system32\sc.exe

sc config bravem start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config NcbService start=disabled

C:\Windows\system32\sc.exe

sc config jhi_service start=disabled

C:\Windows\system32\sc.exe

sc config WMIRegistrationService start=disabled

C:\Windows\system32\sc.exe

sc config "Intel(R) TPM Provisioning Service" start=disabled

C:\Windows\system32\sc.exe

sc config ipfsvc start=disabled

C:\Windows\system32\sc.exe

sc config igccservice start=disabled

C:\Windows\system32\sc.exe

sc config cplspcon start=disabled

C:\Windows\system32\sc.exe

sc config esifsvc start=disabled

C:\Windows\system32\sc.exe

sc config LMS start=disabled

C:\Oneclick Tools\NSudo\NSudoLG.exe

"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"

C:\Windows\system32\timeout.exe

timeout 1

C:\Oneclick Tools\NSudo\NSudoLG.exe

"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleaner Update" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerCrashReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleaner Update" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerCrashReporting" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\taskkill.exe

taskkill.exe /F /IM "OneDrive.exe"

C:\Windows\system32\taskkill.exe

taskkill.exe /F /IM "explorer.exe"

C:\Windows\system32\reg.exe

reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f

C:\Windows\system32\reg.exe

reg unload "hku\Default"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "OneDrive*" /f

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\UsoClient.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\taskkill.exe

taskkill /F /IM WidgetService.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Widgets.exe

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\smartscreen.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\taskhostw.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\taskhostw.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Needed if you''d like to Search things!' -ForegroundColor White -BackgroundColor Red"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\curl.exe

curl -s -L "https://github.com/Open-Shell/Open-Shell-Menu/releases/download/v4.4.191/OpenShellSetup_4_4_191.exe" -o "C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"

C:\Windows\system32\curl.exe

curl -s -L "https://github.com/QuakedK/Downloads/raw/main/Menu_Settings_1.xml" -o "C:\Oneclick Tools\Open Shell\Menu_Settings_1.xml"

C:\Windows\system32\timeout.exe

timeout 1

C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe

"C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe"

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Do not skip if you want to Search things' -ForegroundColor White -BackgroundColor Red"

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_191.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption /format:list

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "yjdn8r " /t REG_SZ /d "" /f

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"

C:\Windows\syswow64\MsiExec.exe

"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"

C:\Windows\System32\MsiExec.exe

"C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"

C:\Program Files\Open-Shell\StartMenu.exe

"C:\Program Files\Open-Shell\StartMenu.exe"

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MinecraftUWP* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Wallet* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneVideo* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsCalculator* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GroupMe10* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSaga* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSodaSaga* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ShazamEntertainmentLtd.Shazam* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Flipboard.Flipboard* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *9E2F88E3.Twitter* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ClearChannelRadioDigital.iHeartRadio* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *D5EA27B7.Duolingo-LearnLanguagesforFree* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshopExpress* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *PandoraMediaInc.29680B314EFC2* | Remove-AppxPackage"

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           github.com                      udp
GB       20.26.156.215:443    github.com                      tcp
N/A      127.0.0.1:49787                                      tcp
N/A      127.0.0.1:49794                                      tcp
US       185.199.111.133:443  raw.githubusercontent.com       tcp
US       8.8.8.8:53           215.156.26.20.in-addr.arpa      udp
US       8.8.8.8:53           68.208.201.84.in-addr.arpa      udp
US       8.8.8.8:53           233.38.18.104.in-addr.arpa      udp
US       8.8.8.8:53           23.149.64.172.in-addr.arpa      udp
US       8.8.8.8:53           133.111.199.185.in-addr.arpa    udp
N/A      224.0.0.251:5353                                     udp
US       8.8.8.8:53           dl5.oo-software.com             udp
DE       93.90.192.112:443    dl5.oo-software.com             tcp
N/A      127.0.0.1:49934                                      tcp
N/A      127.0.0.1:49938                                      tcp
GB       142.250.187.206:443  drive.google.com                tcp
GB       142.250.187.227:80   o.pki.goog                      tcp
GB       142.250.187.227:80   o.pki.goog                      tcp
GB       142.250.187.227:80   o.pki.goog                      tcp
US       8.8.8.8:53           206.187.250.142.in-addr.arpa    udp
N/A      127.0.0.1:49944                                      tcp
GB       172.217.16.225:443   drive.usercontent.google.com    tcp
GB       142.250.187.227:80   www.gstatic.com                 tcp
GB       20.26.156.215:443    github.com                      tcp
US       185.199.108.133:443  objects.githubusercontent.com   tcp
N/A      127.0.0.1:50130                                      tcp
N/A      127.0.0.1:50133                                      tcp
N/A      127.0.0.1:50137                                      tcp
GB       20.26.156.215:443    github.com                      tcp
US       185.199.111.133:443  objects.githubusercontent.com   tcp
N/A      127.0.0.1:50140                                      tcp
GB       20.26.156.210:443    api.github.com                  tcp
GB       142.250.180.4:443    www.google.com                  tcp
GB       142.250.180.4:443    www.google.com                  udp
GB       216.58.212.234:443   ogads-pa.googleapis.com         tcp
GB       142.250.180.14:443   apis.google.com                 tcp
GB       216.58.212.234:443   ogads-pa.googleapis.com         udp
US       8.8.8.8:53           14.180.250.142.in-addr.arpa     udp
GB       142.250.178.14:443   play.google.com                 tcp
GB       142.250.187.238:443  clients2.google.com             tcp
GB       216.58.213.1:443     clients2.googleusercontent.com  tcp
GB       216.58.201.110:443   ogs.google.com                  tcp
GB       172.217.16.227:443   ssl.gstatic.com                 tcp
GB       142.250.178.14:443   play.google.com                 udp
GB       20.26.156.215:443    github.com                      tcp
US       185.199.111.133:443  objects.githubusercontent.com   tcp
GB       142.250.187.206:443  drive.google.com                tcp
GB       172.217.16.225:443   drive.usercontent.google.com    tcp
N/A      127.0.0.1:51975                                      tcp
N/A      127.0.0.1:51978                                      tcp
N/A      127.0.0.1:52228                                      tcp
N/A      127.0.0.1:52231                                      tcp

Files

C:\Oneclick Tools.zip

MD5 d2be90c23063c07c5bf6e02c9400ac35
SHA1 c2ca99de035c17ba9b7912c26725efffe290b1db
SHA256 9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
SHA512 13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

memory/2272-8-0x0000015A7EA90000-0x0000015A7EAB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgbcp0me.te0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 12ff85d31d9e76455b77e6658cb06bf0
SHA1 45788e71d4a7fe9fd70b2c0e9494174b01f385eb
SHA256 1c60ff7821e36304d7b4bcdd351a10da3685e9376775d8599f6d6103b688a056
SHA512 fcc4084ab70e49821a3095eeac1ef85cf02c73fdb787047f9f6b345132f069c566581921fac98fab5ddec1a550c266304cce186e1d46957946b6f66dba764d2f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b367c53270b61ce59c2510a224c7a60
SHA1 d46a8bebee55d5868e3d6f87e3ed25374919cf9f
SHA256 ffea339ec5b5dfcd03c40c3d038684c9a5d2cdfbefd5dd6574b41a2ee3548960
SHA512 4eda0a5d2ecae6d0f6605558f1f64557f1cc3acd47c5e167116a4e17c4edfe19bbd407737de0eec441f166090422b2691e6452cafb3cacf10186567c980860ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3a924916719c590c164e2306f5b3ad4
SHA1 6b99d5b4cadd988deb3f825c38d3b2ca62beed11
SHA256 a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1
SHA512 29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3adfbaa5d5d4496e4189fef4a2e00352
SHA1 3bb83762ace5d983c75d9f9d75ab719b687c448e
SHA256 0f82ce7d51b010b0de3a32bc1477b25f13c83fb72fda14898a2334efb38c74f2
SHA512 01c226233e730a69cb6b6a5a1362550747d51088fde1ef7be49e6b1ef742a30e901d885f0c9b4e3051af545b770da6204bf6c80d3e79afec97a5a569b763b9bc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6472a580676d60dd89de4d0c4ea92ff
SHA1 1b628eaf008b7b87ead73e964703b62e35953155
SHA256 1be7146c53116b9c949ef8a21935a274d03c993d2c3aa5b11d2ff41711d93c94
SHA512 2d93e363fa83015d1c5dc6fa2a0a300c9216dcf5a6b7786414b8cd0062fd994974c3a5280dea5e52668bac53635bce1220b7003e14eb83d61407a44b99da93ed

memory/1860-70-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-71-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-72-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-76-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-82-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-81-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-80-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-79-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-78-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/1860-77-0x000001ECDE2A0000-0x000001ECDE2A1000-memory.dmp

memory/2144-90-0x00000141DA7C0000-0x00000141DA7D0000-memory.dmp

memory/2144-85-0x00000141DA770000-0x00000141DA780000-memory.dmp

memory/2144-93-0x00000141DAF30000-0x00000141DAF31000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 158a72355ea99a8bc04d0b6a380cc97c
SHA1 750fff9e378ca754a4534371e54624f7e90b796f
SHA256 c9bca1d35338ab02327f105d6a49f182c266f956bf9b345690f405057728802c
SHA512 0f803f3ea81f115621805dc4d1958123a8001540355988a670a69b5e0b1ec85203bc57af31ca55d38cb3912c255af1aaea284faced7628ea9ccdd2beaac4f545

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/564-115-0x000001DAF7550000-0x000001DAF7574000-memory.dmp

memory/564-114-0x000001DAF7550000-0x000001DAF757A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 238f0a5701700be966cc85a76ecbfc19
SHA1 c69446816c9c6c0657e8705ca08459440b6e1d53
SHA256 cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b
SHA512 791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb1d69b71a38dfe81ac0d2020830faf9
SHA1 1f8baf6d137b5138ee40c725f9138e1cdd2a71fd
SHA256 5ca132239020780c2a57681b9b6960880f23c03daa982d03cb3142cb923f5001
SHA512 dba787451922e7bd2d863ba23774d80200acf58243617d0c54e5b3941fa4a47e2c7f8ba43ed91580fdc82884db7bb22bbaec0ee9ca286faab6c1d827b62896fe

C:\Oneclick Tools\OOShutup10\OOSU10.exe

MD5 4803e06db91fdb8b6d1b65c0010d2f87
SHA1 f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c
SHA256 beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b
SHA512 f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

memory/408-142-0x000001EFCA640000-0x000001EFCA830000-memory.dmp

memory/408-143-0x000001EFCAC50000-0x000001EFCAC7C000-memory.dmp

memory/408-144-0x000001EFCAD70000-0x000001EFCAE16000-memory.dmp

memory/408-145-0x000001EFCAC80000-0x000001EFCAC9A000-memory.dmp

memory/408-146-0x000001EFE4F90000-0x000001EFE504A000-memory.dmp

C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg

MD5 109f47ced5da3f92362c49069fc4624e
SHA1 79b611073aa0006f1bb4058a6ecb6f3cc97391d6
SHA256 2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b
SHA512 55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

C:\Oneclick Tools\NSudo\NSudoLG.exe

MD5 423129ddb24fb923f35b2dd5787b13dd
SHA1 575e57080f33fa87a8d37953e973d20f5ad80cfd
SHA256 5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
SHA512 d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb6bbad04121efc4b28aafcfb2098c9b
SHA1 874882a3749c41301505e95510f761491c465073
SHA256 bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5
SHA512 7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

memory/752-162-0x0000018078BC0000-0x0000018078BDC000-memory.dmp

memory/752-163-0x0000018078BA0000-0x0000018078BAA000-memory.dmp

memory/752-164-0x0000018078F90000-0x0000018078FB6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 69c5ff50e232f3c656abc8f433cf7a13
SHA1 cc8584ae33fa8f4e9741011dab5878baaa13a663
SHA256 101e8aafd0537092bc70ee55856964d23776cc412c2c789cfa68596b9f80af54
SHA512 7de3c7ad32b7da8eee27ec101e919a01faffea85bf6b6ec52408fb9a9b77323be36a9b558b1907e7c5879121b944a2c94a5abd8bbfa3a2ed7cfc437e82967d86

memory/4056-169-0x000001CD38C70000-0x000001CD38D70000-memory.dmp

memory/4056-170-0x000001CD38C70000-0x000001CD38D70000-memory.dmp

memory/4056-184-0x000001CD3A660000-0x000001CD3A680000-memory.dmp

memory/4056-168-0x000001CD38C70000-0x000001CD38D70000-memory.dmp

memory/4056-219-0x000001CD3A970000-0x000001CD3A990000-memory.dmp

memory/4056-196-0x000001CD3A620000-0x000001CD3A640000-memory.dmp

memory/4056-220-0x000001CD3A930000-0x000001CD3A950000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70c91e55fe182a7b11ff383b0dbdd172
SHA1 b3e7063b1d6dbcd05bab520d8c54c6ee88be78b6
SHA256 20a2bab78c6744ab81aedd1c713053fe52d50755d347c8a667dc85f93c686a6f
SHA512 0f373234d24bebf1ce1d2b4ed10fb2e341aaaaac9a98000a11b5b8c9a0df969ff9af6059c14e9f41ccb8441dfb6e9933150b82a72e8c24bf2a028bd30d22038e

memory/1000-307-0x00007FF70BC50000-0x00007FF70BD46000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 69c6694442164720640e02b705a77901
SHA1 5804d9d4fb92f22747858460450e16675bc7d5fa
SHA256 5bd4f69a26431eb0c73bd02f834c4307547a5c3d81df7fa8c1ea8a8332ef48dd
SHA512 296877c67647f3f37e87dc3d6eb817a02d54ffdf747061e588e4b2af52f505adc2f4efaa929c357c12859d62ad5ccd514eacd342054a8e19700c393042d5ff0e

C:\Oneclick Tools\Open Shell\OpenShellSetup_4_4_191.exe

MD5 e0484fd1e79a0227a5923cdc95b511ba
SHA1 bea0cb5c42adbde14e8cf50b64982e1877c7855d
SHA256 9e9c32badb52444ca8a8726aef7c220ff48de8c7916cdfdca4dff6e009ac1f0c
SHA512 80f8b0ac16dfbf7df640a69b0f05ec9e002e09ed1d7c84d231db00422972c5a02ddef616570d4e7488f697c28933bbf27e5175db61b8cbd2403203b6e30bf431

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6bfc02ee40e30ee8b3668a1a8cd74542
SHA1 d05325b60c6e4c1bd331e89319efe02f2271b268
SHA256 3798b25b810408a6e503f3bfc54da533f57bffd83250d3b24b2730e34f66348f
SHA512 6c871a3e8017f37a65b002f88318b787d0d24d1cfb107bc66b22032857a960b6805975436b00bfcdf7874d74c8a774eb1376aaa895e38778af1f12a162cabc0a

C:\ProgramData\OpenShellSetup64_4_4_191.msi

MD5 cc25bc2f1b5dec7e9e7ab3289ed92cc7
SHA1 449e9de44f4b640f1b7cd4ee2f35ca3d15f77ff2
SHA256 25aa0c605989a6a91ebe0eaafcf55843401e84ed5cc52d8b3ee4b2fa19ba2313
SHA512 e51dcaf8d622f87a9bb5a10a7156d34fb56d13ff26fc9a5d63986d353ae7dad9de3c637d1a1a04d2908d2c378f63873962043667c48607035cd4439f86c11c2a

memory/4056-334-0x00007FF72EE90000-0x00007FF72EE97000-memory.dmp

\??\Volume{27bfae7d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7fa12de1-5d73-4572-a31a-9f6184dfa945}_OnDiskSnapshotProp

MD5 986617fc90abf9aa398c605675cd0495
SHA1 cf47f0f823b668da32f44f05aedfc70eb9dc10fe
SHA256 c4ecf667d1d00d52be4c8c3930e1a99c6e0c5d45804654d8972d2f234361c8de
SHA512 57ec8c6edc697149c495871b05356493c77d0eff4e3ee0f5d147bbc62d98fcee047ef4f92bfae31f3f3a8f08b243825d56b1071a4ad72a1e23200e5416734bdc

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 cafda5c0b3767e66a1c0989e7f1e1f7f
SHA1 d12fe0bddb1337f3f49c19b3f28a6edfc6df8466
SHA256 446b24777ba20589c217763a91fa93df1e8db8fd44d139166edb7c60177c266f
SHA512 d62636957d280890d3ba1fc729d36fed119b51d8a1ff5fd113ee9af88560696e36a3396ac0951b50eb6adb1470aef22df8da66a9e146613d4d9099694683b955

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe59efa6.TMP

MD5 38cc738b7f3d88cd58fbf19fdb2e9697
SHA1 b39903e05e77055959cff4264f12536ca3b4ab31
SHA256 32eeac963766ade3a2aae0f1d9fa83899e4585e74cc3c26d5e923ed3661914df
SHA512 86c1de686326a1324c0f7db4bc5a6323f29e80a5533535dad23ba35e45bbbc68afcde8896620a20d6b61482c9b695677b159fae21ceebfe16b0d788bbcdac1e0

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

MD5 b5bdd085c8a7fc95449280f75263c972
SHA1 078da115f401282fe965b114c189ccc6edeba378
SHA256 26a15f3f97d96a2a9638bf074329efe65e45d3771d4b1d8e354ce086d8455203
SHA512 b2183d261662dcef2cc5276e1c2412a021e3c293465b401926e0f1aee3cfa1b5b5e5cadbb4091f791730e15183c19ba2ebed7aed385ecdf42ee5aa8d23490738

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk

MD5 fa74aab37d847bb0207fca8198cbb2dc
SHA1 2577d80a0405ae05d21bc859b6f52ea82f8ae200
SHA256 f4739df11c7c6dd92dff9fcb4169febe4418b6bdb3ebea4f0f900a3065db23dd
SHA512 d3a770fa68ddc5575e9fb6f3f93cd43761a2e2a2b99886a99d090284e4d913fa70e647cbc191a6df0cbabf00560afdfc04be54a235997578176864fb0fe54024

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe59eff4.TMP

MD5 10c92c77cc1395d18c7a07e71faebe0e
SHA1 000345129ad947f9241e3329cad27a46ec86c1bc
SHA256 a04442bc12a3932d6c105c3086db5168751174dd47b5daa2df42071aa37724ae
SHA512 5390e137211acb74548509595d6b45ef3786442b2ccc8c4ad5f3932b37cbfdd92fc2e2a7a0a017b3e8534fafb567ba9f37d98346eebb0e129df5c2bdb1e08a0b

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk

MD5 d12515cc553ee41a8291201a622e7d55
SHA1 e098abfd71981657961e87921e8ddb947e060647
SHA256 0de3b5807d46569b90a00113bcd566ea0ab2854b3b4724cf4c2f120b7f4a3c03
SHA512 3c01b21ab657bb4dc9d2c897ce0ae67695fab9b0bc8924ea52345b1bcfdc75ad13a5998f2d081330b3724e4b98779f24376836d8faedb4595dcf0ae7e90336b9

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe59f003.TMP

MD5 dd5bc19c671c32b99bfeb7f6db16770d
SHA1 443de77b886a644aa3905c27e7ef09759459d828
SHA256 083f68f0ccec00b932c4f6d2e4df1c08415465d6fd92ba5381462ab4737f8ff6
SHA512 4c357c2604e903aa848cca4494d7fed83fd5c924c0ef563c04d6e55dc59b0dec8c747554a0e364bddc3cc4349f0c17f1d4b70921f2abd00b6f5c3bda2ead350e

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk

MD5 e43162b88dfb442d8da8d325e253e7d8
SHA1 9ea73d93c4364144f10e50480c604f32271cf785
SHA256 be401ba1d25f5e973c3b723b9b6c30b323a65a162e9e7d324cc1898fa074e3c9
SHA512 a39fab5869609466e22045a0170ae87ec6efccc57f040d1011e511807aa65523155ec86344566e4facea1a657a072582b647a4636bb2a8df2e8eff7b38074e73

C:\Program Files\Open-Shell\Start Menu Settings.lnk

MD5 f63c8bb4c3554919fcefdb1849b9c901
SHA1 a12d430bff937e92e34de55cb04cf39edaa9c99c
SHA256 67a46f6a82f2940358fe388ce83ca825e359601617932917f2b5981d27ecf23d
SHA512 7348f0b45e4cd2f277684f241f65ac7ef281b0f9bfcdc5aecd41073b21c4cd52845db6e6826c3ede2c674ce710bcacbf9f03d9dca0fe5f1d3617f2905e6a131a

C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe59f003.TMP

MD5 b4d1d9706a6488b120b078bc04bb34f1
SHA1 f5c6fec8f0ba4973c434fa16230f121d95e87d29
SHA256 91e0fc512cbcbd050a88a6184bd62559843338e0f46db2c0b0b74602c3a8ee5b
SHA512 790d8cae62b412d1be68f43234e063f49469dee6f6f29a09e6d737515293d618dc7e9bd4e78099e66c305a3b5a0b735154bedf5e8564065f5312a07bc63dc9d3

C:\Program Files\Open-Shell\StartMenu.exe

MD5 9aca92d31344210995d18ac75f7df752
SHA1 fec9f414f3c399f8384ad6a32d0b60adde85d8d9
SHA256 df5fe5f0b4e28d0e555e20764fe78fdf99970271b87f42e81b208e2fee9e31cf
SHA512 ddfb706f8d0b96350a2e2d527428b2e02d0715e33e9d4e16f1add62f1cd6b1da1ff3ed2ac4cf26e40625c7b94738ab9f109709b3f2f91b9298ec720a304470dc

C:\Program Files\Open-Shell\Start Screen.lnk~RFe59f042.TMP

MD5 4cb08d24eb6178df99ab8c1673f1c16b
SHA1 8d2ddf706ccf658facaec7de290c71f0edac1136
SHA256 f16fbfeeb7aa45d159916f95e7f9deb6e9b486a2e3998990e8bf7504bbc62a73
SHA512 205f047cde3c041c07d552062f58d19f4a4d92642953a9c9ad5002b6cd2b99f14d494b84e3a6bac3912110b0fab8641abbdcfd49e4b2fafcce31b43b6dddc944

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 b64442dbe017c36ab3c63bb064a14602
SHA1 b0eaec6d43c72f73d5ee0f160021e3432a10b167
SHA256 8ae2be024bfdb3c2077d049218f7a056dd1683986294896103090661a07739af
SHA512 69fb685ce6c44286cbe09bebd28460d58c701bc136ba7370854f8dd99b944a49d534bc9056ed956ed19021b6aad64be90a65ad50e53a7977dbe98f2f87d13e4b

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 b562f585f436925cb13f95a59ecbb6ef
SHA1 db3797d861bd8d338ba0b8f56c34ae8ae715e9d0
SHA256 f70bf848a23448d7d0b2b85c287ca61fa2a9e2e4a8b8ce16834803e657dcd5f5
SHA512 f08f627a73d0d114dc183e816795c531dc985272da0b8784769aa744f8979e5a6d7214156fbc0306fd06cd573cc80a8715c629057f309db388014220250ba3c1

C:\Program Files\Open-Shell\Start Screen.lnk

MD5 9c9528fa6730e61a121502e20703bf83
SHA1 e21af9b21215f05bf235e48ae7b503c11b2c5f47
SHA256 0fd7a56115054db9b33d4b33ac5b13ad421b02519e750789aba117552b2d1c65
SHA512 d2bc868d1a25bffc52f8c27b4ad55b115357de69ad4f0bac4d4f6a8471071897d669f907e20e6b320fd1ce05e0544d412428d01925b4aea687f8487751df325a

C:\Program Files\Open-Shell\ClassicExplorer32.dll

MD5 a805193aed76942c667a798f9dd721fc
SHA1 3d2f702b16cb22d5918f6d51585a871fb3b3f900
SHA256 97eaeeee63423d4b11f0331666609483c946fb378810a140a830e8acfa80fc89
SHA512 0a86f2913e28131e1d8005d07aa712f733dbc19003fa9bf7af0761ff4e6c8e544b593147e53020f32282787621c5bb5848d909c5d4fa8e27bc7df6c9b73a021e

C:\Program Files\Open-Shell\ExplorerL10N.ini

MD5 6ed13b9c1719b252e735ba7e33280e67
SHA1 f3753deab4d99dbee4821a8a70fe6e978e1a45f6
SHA256 b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab
SHA512 f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

C:\Program Files\Open-Shell\ClassicExplorer64.dll

MD5 950ff69adc1b8eec1bd8d502615b0ba6
SHA1 edb3916b7ada6aa0e765c6f70c39e182b8d45dfd
SHA256 9f2e29f9ea1c71b434d9a473c5c8107ec7738d7c6f3bd98587ed2733869bc64e
SHA512 f053d5db64fc7e0b206ac4ee07a343c6ae46dcec0105689bee4b152a297750c52980d04ab02acedaa60723b38da746b4850a08b8e127f5919e51be86e423b711

C:\Windows\SysWOW64\StartMenuHelper32.dll

MD5 b7c7f2bf76b2220839af735e2b58fefc
SHA1 16631df5f62096b039fc1996066805721b622407
SHA256 a96b405675d89eb855c856ea9f97d8a082f90e3254d5981efa88a282feafd875
SHA512 6df5bdf1a752f3cf801075d7a5cbc690b2e0f142e46d72ec789eb3402065e3e481818e8bc221ffdddcdfdc634eaadeffe415593c23c4a4639aebb45a25487fed

C:\Program Files\Open-Shell\StartMenuHelperL10N.ini

MD5 29221f620ea6b5893add15dd6c307684
SHA1 97c31bb9585a0896e1fcea8efa3f05ff16823da2
SHA256 53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84
SHA512 b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

C:\Windows\system32\StartMenuHelper64.dll

MD5 22c9a786f3ff34275c80876b8ac5cc10
SHA1 beb6f4f28b98910b2031c37d7cec385543045614
SHA256 b043e4de9b6d255deae363118f893cd92e690badb9a16c3b5faa07e4a2805cca
SHA512 92f2db5cc4d92a3d9dc433af7d8104341dd85079ca9a6d772b374caf546a06935501bbcb0e72af0679470924529d58d1e5c4198fe1cf995311c546630ef99397

C:\Config.Msi\e59eb80.rbs

MD5 7eef2fdada1173b30f213379739171a6
SHA1 da287c86f954b44c821257c733eb95460e7b3300
SHA256 2a072d6b3dc4466d4a5d8956966d7bd3e844edd7266889a72a4f66de6b8d6225
SHA512 0ce789bfaf5d72fc776a234651a90ae7591dade00774191f3115c9831a9cbdb5df55c1e77c181181125b6e2c311c1dc5f34212340b375697a191fdff7e36983b

C:\Program Files\Open-Shell\StartMenuDLL.dll

MD5 e29ab21b4d9266502677b9837ad23346
SHA1 939e7bb40623f04dd3d75f4685a543437512771a
SHA256 808861ed17396b3d82d3c38769710390d84ab3ef89d6dfbd60765939938e7185
SHA512 7047f4d4c0cbb5ed001b3de5aee937048682b1a9e116bfb732dc0d2a28bb640fd3e3d9e30f0b7281faf7e79abe71c2280af3e365981a000a3a36e0bfbb0b6dcd

C:\Program Files\Open-Shell\StartMenuL10N.ini

MD5 673bb428b6d3fab8cba07890cad09d0e
SHA1 45039820289bdb485bb761e9b267f6de9e18a26c
SHA256 ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33
SHA512 2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 47669dd6c0d2e753ccd0992c138db0a7
SHA1 b789f0ba0657e39159f98e5fb2754025849a0063
SHA256 57804ceb4deb38eee4fad459587ed272337b185c2e6212dca7b6a3b87ae03aeb
SHA512 0b0d8a3c2cd4fd8813b385631cb8006d946b25ed82089425cde481326a4067195daa9b35fd0a0140e3f439da369355f1a773503af69c60291af07fe9550fa741

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6983528783d0ea3e72113cfcfd8daaf5
SHA1 ddade19bbafbfe7b2a9951284f537bb30d33a672
SHA256 05557c990cf97ddb737175d1a6daf36258909f450269ad6f7b8b628edee9f056
SHA512 2de5b664f109f9c425c2da85f65e055b6f254bc42e365065898935a4e1341dde268bee6092a665568a46dcefaf6c0802ba91fb7fd6ae7f4171dbfed8cbfc7e8b

C:\Program Files\Open-Shell\ClassicExplorerSettings.exe

MD5 c3c68d52fc3318e324021dab87e60779
SHA1 6855eabb6c38ff953c8c678473c6dd4ab9315f30
SHA256 fed5e80a82f9a4a687fccdc0c610902e4b5b75faf5a9588a22918711f103689a
SHA512 e506e39e036263db610f8fa33f35f9d708d4d52c16f801e58348ea8cc095ee8a0056f80b9d9c0bf8fde3ff76e61c2933504727e9dce1fafda91fde71c196635d

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Readme.lnk

MD5 f330832216a4b3ba859b977e55af3d08
SHA1 d44ba20ab38f337088404f54ae804c6b4b1dbc66
SHA256 886589391a1c5513eef868aa6605f91eb89c3a13c80ca8346c125587df52886d
SHA512 60c065cd4f2024177c70ecdcec4ed177ee9647a9bbdb10b16d7cc8c2339843e0d93f90a34eec2cd2d1c9d3ac7dcd6f69e8f03e6860fd1738f1b8f44c4f1337ee

C:\Program Files\Open-Shell\Update.exe

MD5 6165bb2e4d2215f5ec4d074b6c06b72b
SHA1 03e13ac321eadfae93a9e72f80f30bbba811b5d8
SHA256 078ab5206082b7b498e3a921913cc54e8022c79c314d37baee5290f1b451e202
SHA512 60ad9ba86160d92f46e2b6b04a65484a55c61eadf5d02b084ac5a3fe2fd8f8f2f867baeeb854b3cd3403bea83ce29e17b02057696122caff0b021f2b0f144997

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Help.lnk

MD5 6bb002b4a2b1af0b166076680c1cc209
SHA1 e7f29115bcec07819efb75b27515371ae76684d5
SHA256 e96e9fb4ff150f9d4abbd911d0bd50a6302bcddfe242d51d33d7aa72b614ba55
SHA512 0af59006e5d5bec41312020e422c011187fa0731213f45721deb1d2146c31cf0e930cf9020aa78fb6f82727503e35130bf9b8f643de2cac094eaa6cbb73845b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 00feb474e97fe6745ba9cbc75fde811d
SHA1 d7cd2eca8be292ada130156aa207f2122c5204d2
SHA256 1f1ab4997c0836e6289cb807014ac3b70413b2bfcc798ae5ce2985d7c50db0f2
SHA512 2c54a293153c54bafcf712468b60d65bd0e6e2aa4f40ac2d4c4fe6ef553ecc9354b636e229369186156b4eabf798e1eca42c63fccbcb1deaec5eb9a606d684cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 61466c046c6556310708299cb1abe443
SHA1 770116cd2daeaff1c54ec9e7425885c05e310c8b
SHA256 b8e6d7b5fa92a774c17eaa681a827d203fc68022c8a877a00156bd8a63315922
SHA512 7b0a6741891d38cf56ebee1295d8173fe65f376e3a7851802b6d3dc2f0b8b8863a6591987bc1f06755dc4da53bc95c406fb5590be08c52adc3b4b69daee56b56

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1624adf60378c66868c872e39f5a9adb
SHA1 ec9ab5ebc48b336f7af299817d4e17d9d12940df
SHA256 ab50b005219cc477e64bb1af4c7dea95d87ba604ae82f5c4a04aecbace49d788
SHA512 c66aa3871cb0fae2fbd12cb453009c685559c7869c855e1f59f20c0dd72d29f4176c3d651a1b04d6e8156bd9eeed7b56ee2bce2eb29c6706a7e04d1e3b8d9cad

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c7bc4342555b23e09ede6f68f4576502
SHA1 46628362f569140210fba0798854e3dbaa61ab46
SHA256 1a969b27d2d7a726cf5fa435ad52582bb97d4dbea626a161752bcf3155fdc037
SHA512 af46b1e90838c2c903b1fe91674c03b7fd694257fd888ce4df68178f04911620ce09942af9427d35b0d371c713a411bdcead3a899c89b5ce6ab16850622cb7b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b04b0fca96913d10874a5a52390b575b
SHA1 5701469979579da2cb79a5317ef919ea596ef065
SHA256 723e6b5e98d4ec34df030fbf460ffb8b728e6cfd9982867ae6d03700e0dcd8a5
SHA512 c36acae46306813344b0665b76b20553eed19a591ad0a687697fff1890b9f3d50696b4b67065d680ed4a2f5f9620bd7756709edded70e10468c71909a6e273ae

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9ba362d115132ca321e847435af8f0f4
SHA1 31196b7d7a2ef738bbfdd0fd3b7ba6718e7c9aa3
SHA256 3e7a17ab53761ff561c5b64a4ca99bb8f210aa865714dbd24c6e4839dd160702
SHA512 04aecf1d94ebc24b3ae641c6c151999bde6c2ad877a7274d19d656db40b1fc016502dc8e3f61659d5dea1182e89435a6891f658419c91b2df4791b33a14e8b97

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 48b0bcfb2fd635484d03659c428dc094
SHA1 f182e3c1c4a02036ca525ddf4a1075e52418f30f
SHA256 72f032d8ce5a0b1b412adfe48bdb292523b4efadcd789dcfa72b9ff137dedd9f
SHA512 5ab9cfe8a70b576eed6ab39b293af48b2be7156ca6388f5226186da5ca4ccd6df47396b2131362bfb9414aea06ed673bceac4009377a6a6292bcff180c0988b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5f601d6edc73cc35f2ae7362c97e104
SHA1 278102329feb830730a86c76e9cc22cd629acb4e
SHA256 7a915e699cbc9a7b5d242013125137737d3f4d2978e91117d562eb5e1ec6dfb7
SHA512 711ee708bd6aac67bfd26ba0089814db49f1405310ab819cbe88fd4413eb690446c59278995147b0089a9b85aa761283911df7020c600c4edef214841ed9dd2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1c4ef625cf7048e125356bc43122fc35
SHA1 890b43e5a6612ad1dbf0774b6f42f3d370254281
SHA256 dc857a7a5e6a2b6f3d14614e289938c4df8d75505ba0ae09110dd1c3b0ba0139
SHA512 0cf348a74cce20e2860d6bedf4353a23739a4e6e246927e3f977352953cb9d1db10cbb5bdb28e7440779ad71779d392644ffc4e2da7b94d5fc5d09014e54a60c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 615eed56bbdc19aaa96df71670093290
SHA1 0255083e13b695cdf8ad13fd963a73dfe62220c9
SHA256 24f739f4194708f41d0d633c5bf47d4ff98e46a38bd4e4f657145fe239283bb0
SHA512 b2457c877ae9fa7d56b9b0c927ac1bf17f3d149cb0d3877efa730c02ffb35a4efe57c91d19268111b28ad2ebf7c166d06297cd5084a086515388578c41677ca1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 45fdc4084a7ff868a689a6aa743f816d
SHA1 202dbc190ed0dc393c543b0cf4c4b35f797d91bd
SHA256 3cee9652934d49f1159af85b96d8e1d2e134c55c4376f9ddd684196b9ec4af97
SHA512 cea8c4540575d95246b6636097ae8a7a45c496d77c3710639703c490ba611374b9205d52acd8b24713612fa88da3e57b49d741d8619e3357077ac45c8d99e35c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 270c4074fd0ea036e6767c03fdda910f
SHA1 7cfab94130d6dcbc8687ceee1a7fac3867be1280
SHA256 d0e378a191abca5ae7a9a574ef18bcabbcc0aa73becedb3abe70e51a0de33868
SHA512 caeff478945d5acf63b6485cdfd9d936ad6d01c4a087da976e7f7dd94962278af8fba5b1a077181ea50161333bc2991b0c68333f6ef75416bb868e86105070db

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b4aa40f4603995842fa879395a2a763b
SHA1 ebe6fdca58eceac95d2b6625678e4e7b9fc63088
SHA256 f88546d1b808dea4f7517e905c615d4d577b034b443888455fac615414a3730f
SHA512 a9b283c4b8ce34d106c1dd4979417159bcf181c8c7394266b101e64b2e74a013b5995edd19d0b064f3aa57ecf7b307a247c930fb46e7d1728823475831927aa8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/2144-1360-0x00000141E0380000-0x00000141E0381000-memory.dmp

memory/2144-1361-0x00000141E0370000-0x00000141E0371000-memory.dmp

memory/2144-1366-0x00000141DAF30000-0x00000141DAF31000-memory.dmp

memory/2144-1369-0x00000141DAE80000-0x00000141DAE81000-memory.dmp

memory/2144-1364-0x00000141DAF30000-0x00000141DAF31000-memory.dmp

memory/2144-1363-0x00000141DAF40000-0x00000141DAF41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scoped_dir2504_682778312\fbd355ab-acad-4aa5-88e1-921d0b79624c.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Temp\scoped_dir2504_682778312\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 2fd1096d387cf32d8f141ac37d0486e2
SHA1 e1b395599fac98a908c418e08c1d21fe91baa784
SHA256 2a76642cf392db582c2bbf12b45978162e2dd1d04d2384cd3b64cc0483b05728
SHA512 4366cf9cf48517cd0a3494b9111fee38df54850dfc2974f9daeb91dfa29e68ce5e9da661e40157fb2f18742fc6da5227d96e78b63eb552f6d5778362200b48e4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 42a73e6a9723ff0d370fcf691697e5d1
SHA1 470f546e9c71cd2ec258d81c600095c8b5e6164d
SHA256 0d5ba4d985546ae31451e2f9e086e45f1ee2b5e1388a0af61a439611b6ddc9c3
SHA512 c78a541b0c2b1014055ffe5bb94dd19881fcbe53c90f117a28f33cd47966863c0108504ff6fd81320a62225fe881240c446345fb42046165d63e39501b227fe9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 52330119e612078bad29e61de3432f6c
SHA1 df2899c534d32cb4d548c5079ed2d18361b2e326
SHA256 3e8f99cf8a6fb6fbb58e57d3449ae3b3e86a5fdd074ace741a2b532ff2ed0b12
SHA512 d6599e40e41455285b67d4cc5797a343555c3e48f4d81ccae8ac2c68cdb18a225a5459e079d91fe74d2fa319ee488876ae8b60885e8b15c11e4351a4f0c469b9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b83a9f3c76d4500540bf2bb9cc0d75d6
SHA1 820f7bc032843178b5b58773ed2d5d4c615d5b42
SHA256 dc88d3673083da32ad5effe43b28e62e946881bc52f307adeebcb1d8efdb6b3d
SHA512 55b7707a92af16078ee75f4c56e9b0dc08e3a1b85feb72a153669a8f3a39eb8aa55accb8b4340b0eceb670fc977b3d7e5bc1e16a82efa6c94c5d077fc74e451f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7ec62768cad9b5cd8f0738a48c0c1ea2
SHA1 cb53fca6be8f162aa90ee18c023378a099f3ff0e
SHA256 a6a9deee128ceaadad49d4c1b6be9eb1c3560be1328fe55f96a2008fba023b0c
SHA512 3bd7b8f68973450cc4f73cb2f56a799347c15f31733e2ac596c43de3e303eb9ff8ca451746f4ac2cb9adaa1f41794ffbf46dbbb8c1172e98fbabd2b15407ba9f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 5ba73f621756353cbfd2c8dee7f88a72
SHA1 d3e5ee6fa6ae004eab2ad5407a2970324203c55f
SHA256 ccb50dbe90c3da56434ac669f56bfc3585cb284460bc87c69fe3d8a4c22f06f8
SHA512 fe6060d81339d8e67075e10569ee6f68ef5dcb19ef9657b62f05f52cb6552407cba7f01a2c104957421d2da3930872306a8645d3652c86f5ee58553f3d53d688

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 43825e9e7ebe36d649edad32fa7fbf2d
SHA1 c85b51527a3eb024e4c38771c7788d8aebbb6904
SHA256 a7db46d2319547a9fa922a30036f1871637c5b1fb89a4ed3c83db71662ab71d8
SHA512 dadaa38ab3d8a8d52ecc217f9cbe20d83787f1cc4730499bf5d1ff3052abf925f56820ce05d4493a19a8d864b0c6fc7b7b7d8a9114b7731eef7c55241d026409

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 cada701c3fb446fa61aa82982795f2f1
SHA1 8c2177dde9faeda3e4e2f9009103c465baca9d29
SHA256 dc235e4c785f82447d92b80f99370cded155a94c7569d080c4af2c13e1c72107
SHA512 adcf0e55192f34cf42db59ae07c636baba4e3f06ef96a9fb1a4cb19f8bb37f5b309ac5e028fe950efef0af5b4bbb57ff479e00b003de7fafa3b40c4c19198436

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 8a60e32ab7ae7f271d92069cd0ee7a50
SHA1 de5e8719b1ef86d784f42fceb803f98a67ed4b77
SHA256 582be3fe0d0ff38ea01d0d92b21e77d07ed11c5333dcc4e08d6de2c77f7c4617
SHA512 532779c0c57ce15e6a5cbe7d16c13b6f8fd2b11319e27c54f02716821ffc3fb95796deda9b7bb23172577e09210d052ce2253fb0bc2b12d973561a241801b00c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58