Analysis Overview
Threat Level: Known bad
The submitted item, the URL https://github.com/QuakedK/Oneclick, was classified Known bad; the behavioral run detonated it as the archive Full-Package-OneClick-V6.7 (see the process paths under "Drops file in Program Files directory"). The verdict rests on the attributed rows below: reg.exe sets Start = 4 (SERVICE_DISABLED) on the Defender Antivirus, Defender Network Inspection, Security Center, Security Health, Defender Firewall and Windows Update services, and sets EnableLUA = 0, which switches UAC off. Much of the rest of the signature list is the bundled Chrome installer (setup.exe, GoogleUpdate.exe), Open-Shell and O&O ShutUp10 doing ordinary installer work, so read each table together with its Process column.
Malicious Activity Summary
UAC bypass
Disables service(s)
Modifies security service
Modifies visibility of file extensions in Explorer
Modifies boot configuration data using bcdedit
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Image File Execution Options Injection
Downloads MZ/PE file
Boot or Logon Autostart Execution: Active Setup
Blocklisted process makes network request
Possible privilege escalation attempt
Stops running service(s)
Modifies system executable filetype association
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Event Triggered Execution: Component Object Model Hijacking
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Enumerates connected drives
Indicator Removal: File Deletion
Power Settings
Adds Run key to start application
Checks installed software on the system
Modifies Security services
Installs/modifies Browser Helper Object
Legitimate hosting services abused for malware hosting/C2
Checks system information in the registry
Drops file in System32 directory
Hide Artifacts: Ignore Process Interrupts
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Browser Information Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Disables Windows logging functionality
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks processor information in registry
System policy modification
Uses Volume Shadow Copy service COM API
Uses Volume Shadow Copy WMI provider
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Modifies Control Panel
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-08 08:56
Signatures: none listed
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-08 08:56
Reported: 2024-11-08 09:02
Platform: win10v2004-20241007-en
Max time kernel: 310s
Max time network: 367s
Command Line: (empty)
Signatures
Disables service(s)
Modifies security service
Start = 4 is SERVICE_DISABLED: the service is not started again after the next reboot. Targets here are mpssvc (Defender Firewall), wscsvc (Security Center), WinDefend (Defender Antivirus) and wuauserv (Windows Update). Writes under HKLM\SYSTEM\...\Services succeed only from an elevated process, and the last row attributes the wuauserv write to the bundled O&O ShutUp10 (OOSU10.exe) rather than to reg.exe.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Oneclick Tools\OOShutup10\OOSU10.exe | N/A |
Modifies visibility of file extensions in Explorer
HideFileExt = 0 makes Explorer show file extensions (the default, 1, hides them). The signature fires on any write to this value; the direction here is the opposite of the hide-extensions trick used to disguise double-extension payloads, so this row is a usability change, not an evasion.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Windows\system32\reg.exe | N/A |
UAC bypass
EnableLUA = 0 does not bypass a UAC prompt; it switches UAC off for every account after the next reboot, after which administrator accounts run with a full token and later installs by anything are silent. The value lives under HKLM, so reg.exe was already elevated when it wrote it. Restoring EnableLUA = 1 also needs a reboot to take effect.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Modifies boot configuration data using bcdedit
The report records only that bcdedit.exe ran; no command line or indicator was captured, so which boot setting changed cannot be determined from this page.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Blocklisted process makes network request
Three network requests by powershell.exe. The URLs are not captured in this section; the hosts under "Legitimate hosting services abused for malware hosting/C2" are the only destinations the report names.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
Every attributed row is written by Chrome's own setup.exe and registers Chrome's {8A69D345-D564-463c-AFF1-A69D9E530F96} component with a StubPath of chrmstp.exe --configure-user-settings, the installer's standard per-user first-run step rather than a persistence entry added by the tool. The installer came from the package itself (ChromeSetup.exe in the "3- Browser" folder, see the dropped files below).
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome" | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\130.0.6723.117\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable" | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome" | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1" | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Neither script contents nor command lines were captured; the rows only show that powershell.exe was launched. The same process appears under "Blocklisted process makes network request" above.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
(53 further rows in this table record no description, indicator, process or target.)
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
The only value written under the IFEO key is DisableExceptionChainValidation = 0, set by GoogleUpdate.exe for its own image. 0 means exception-chain validation (SEHOP) is enabled for that executable, a hardening setting; the IFEO hijack this technique name refers to writes a Debugger value, and none appears in this report.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0" | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
Possible privilege escalation attempt
The same 17 events are listed again under "Modifies file permissions" below; one is attributed to icacls.exe. The paths whose ACLs were changed were not captured.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
(16 further rows in this table record no description, indicator, process or target.)
Stops running service(s)
Checks computer location settings
All reads of Control Panel\International\Geo\Nation come from GoogleUpdate.exe and chrome.exe, which read the Windows region code; nothing here is attributed to the tool's own scripts.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Same 17 events as "Possible privilege escalation attempt" above, one attributed to icacls.exe; the targets were not captured.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
(16 further rows in this table record no description, indicator, process or target.)
Modifies system executable filetype association
These rows register a shell context-menu handler, CLSID {E595F05F-903F-4318-8B0A-7F633B520D2B}, for .lnk and .exe files under shellex\ContextMenuHandlers\StartMenuExt. They do not change which program opens an executable; no shell\open\command value is touched. No process is attributed; the Open-Shell start-menu files dropped in the same run are the obvious candidate, but the report does not say.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | N/A | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
Only one row carries data: HKLM\...\Run\Open-Shell Start Menu = "C:\Program Files\Open-Shell\StartMenu.exe" -autorun, the Open-Shell autostart. The HKCU rows for OneDriveSetup and mksltw record only the value name; mksltw is not explained by anything else in this report and is the one entry here worth pulling from the sandbox for its data.
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mksltw | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup | N/A | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | N/A | N/A |
Checks installed software on the system
Enumerates connected drives
Opens every drive letter A: through Z: read-only, several of them more than once, with no process attributed; a sweep like this is as typical of installers and disk-cleaning tools as of stealers, so on its own it is not conclusive.
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | N/A | N/A |
| File opened (read-only) | \??\O: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\U: | N/A | N/A |
| File opened (read-only) | \??\Y: | N/A | N/A |
| File opened (read-only) | \??\G: | N/A | N/A |
| File opened (read-only) | \??\K: | N/A | N/A |
| File opened (read-only) | \??\P: | N/A | N/A |
| File opened (read-only) | \??\O: | N/A | N/A |
| File opened (read-only) | \??\R: | N/A | N/A |
| File opened (read-only) | \??\V: | N/A | N/A |
| File opened (read-only) | \??\Z: | N/A | N/A |
| File opened (read-only) | \??\T: | N/A | N/A |
| File opened (read-only) | \??\X: | N/A | N/A |
| File opened (read-only) | \??\A: | N/A | N/A |
| File opened (read-only) | \??\N: | N/A | N/A |
| File opened (read-only) | \??\Q: | N/A | N/A |
| File opened (read-only) | \??\W: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\R: | N/A | N/A |
| File opened (read-only) | \??\U: | N/A | N/A |
| File opened (read-only) | \??\H: | N/A | N/A |
| File opened (read-only) | \??\K: | N/A | N/A |
| File opened (read-only) | \??\H: | N/A | N/A |
| File opened (read-only) | \??\J: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\V: | N/A | N/A |
| File opened (read-only) | \??\B: | N/A | N/A |
| File opened (read-only) | \??\M: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\G: | N/A | N/A |
| File opened (read-only) | \??\I: | N/A | N/A |
| File opened (read-only) | \??\A: | N/A | N/A |
| File opened (read-only) | \??\B: | N/A | N/A |
| File opened (read-only) | \??\M: | N/A | N/A |
| File opened (read-only) | \??\E: | N/A | N/A |
| File opened (read-only) | \??\X: | N/A | N/A |
| File opened (read-only) | \??\I: | N/A | N/A |
| File opened (read-only) | \??\L: | N/A | N/A |
| File opened (read-only) | \??\N: | N/A | N/A |
| File opened (read-only) | \??\Y: | N/A | N/A |
| File opened (read-only) | \??\J: | N/A | N/A |
| File opened (read-only) | \??\L: | N/A | N/A |
| File opened (read-only) | \??\T: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\S: | N/A | N/A |
| File opened (read-only) | \??\Q: | N/A | N/A |
| File opened (read-only) | \??\D: | N/A | N/A |
| File opened (read-only) | \??\Z: | N/A | N/A |
| File opened (read-only) | \??\S: | N/A | N/A |
| File opened (read-only) | \??\F: | N/A | N/A |
| File opened (read-only) | \??\P: | N/A | N/A |
| File opened (read-only) | \??\W: | N/A | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Indicator Removal: File Deletion
Installs/modifies Browser Helper Object
CLSID {449D0D6E-2412-4E61-B68F-1CB625CD9E52} is registered under both the native and the WOW6432Node Browser Helper Objects keys, with no process attributed. A BHO loads into Explorer and Internet Explorer; the Classic Explorer component dropped with Open-Shell in this run (ClassicExplorer64.dll) is the likely owner, but the report does not link them.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{449D0D6E-2412-4E61-B68F-1CB625CD9E52} | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
The signature fires on any fetch from these hosts. It tells you where the package pulls components from (raw.githubusercontent.com, where the project itself is hosted, and drive.google.com), not that the downloaded content is hostile; the "Downloads MZ/PE file" signature above means that some network fetch in the run returned an executable.
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies Security services
WdNisSvc (Defender Network Inspection) and SecurityHealthService are each set to SERVICE_DISABLED three times by reg.exe. Together with the WinDefend, wscsvc and mpssvc writes above this disables antivirus, network inspection, the firewall, Security Center and the Windows Security health service in one pass. Where Defender's Tamper Protection is on it is designed to reject writes to Defender's own service keys, so the WinDefend and WdNisSvc rows may not take effect on a managed host; Security Center and Windows Update are outside its scope.
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WdNisSvc\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4" | C:\Windows\system32\reg.exe | N/A |
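The registry tables in this report (the service Start values, EnableLUA, HideFileExt, the IFEO value, the Run keys and the security-service rows just above) share one row shape, and how bad each row is depends on the direction of the data, which the signature names alone do not convey. The Python below is an added example written for this page, not code from the sandbox or from the Oneclick project: it parses rows in the report's own table format and rates them with a three-level scheme (high, medium, info) that is the editor's own assumption, using the service list and value semantics discussed in the notes above. The sample rows are copied from this page, except the final row, a constructed IFEO Debugger entry included so that the harmful IFEO case is exercised; nothing like it appears in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Services under ...\Services\<name> where Start = 4 (SERVICE_DISABLED) removes a control.
SECURITY_SERVICES = {
    "windefend": "Defender Antivirus", "wdnissvc": "Defender Network Inspection",
    "wscsvc": "Security Center", "mpssvc": "Defender Firewall",
    "securityhealthservice": "Windows Security Health",
}
ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")


@dataclass(frozen=True)
class RegEvent:
    action: str             # "Set value (int)", "Key created", ...
    key: str                # key path as written in the report
    value: Optional[str]    # value name ("" = default value); None for key-only rows
    data: Optional[str]     # data with the surrounding quotes removed; None if absent
    process: Optional[str]  # writing process; None where the report shows N/A


@dataclass(frozen=True)
class Finding:
    severity: str           # "high", "medium" or "info" (editor's scheme, an assumption)
    category: str
    detail: str
    process: Optional[str]


def parse_row(line: str) -> Optional[RegEvent]:
    """One report row -> RegEvent; rows with no indicator (e.g. bcdedit) yield None."""
    m = ROW_RE.match(line.strip())
    if not m or m.group(2) == "N/A":
        return None
    action, indicator, process, _target = m.groups()
    path, data = indicator, None
    if " = " in indicator:                 # <key>\<value> = "<data>"
        path, data = indicator.rsplit(" = ", 1)
        data = data.strip('"')
    if action.startswith("Set value"):     # last path component is the value name
        key, _, value = path.rpartition("\\")
    else:                                  # key rows: the whole path is the key
        key, value = path.rstrip("\\"), None
    return RegEvent(action, key, value, data, None if process == "N/A" else process)


def classify(ev: RegEvent) -> Optional[Finding]:
    """Rate one event. Start=4, EnableLUA=0 and an IFEO Debugger value are the harmful
    cases; HideFileExt=0 and DisableExceptionChainValidation=0 (SEHOP on) are hardening."""
    key, value = ev.key.lower(), (ev.value or "").lower()
    svc = re.search(r"\\services\\([^\\]+)$", key)
    if svc and value == "start" and ev.data == "4":
        name = svc.group(1)
        if name in SECURITY_SERVICES:
            return Finding("high", "security-service-disabled",
                           f"{SECURITY_SERVICES[name]} ({name}) set to SERVICE_DISABLED", ev.process)
        return Finding("medium", "service-disabled", f"{name} set to SERVICE_DISABLED", ev.process)
    if key.endswith("\\policies\\system") and value == "enablelua" and ev.data == "0":
        return Finding("high", "uac-disabled", "EnableLUA = 0: UAC off after the next reboot", ev.process)
    if key.endswith("\\explorer\\advanced") and value == "hidefileext":
        if ev.data == "1":
            return Finding("medium", "extensions-hidden", "HideFileExt = 1 hides extensions", ev.process)
        return Finding("info", "extensions-shown", "HideFileExt = 0 shows extensions", ev.process)
    ifeo = re.search(r"\\image file execution options\\([^\\]+)$", ev.key, re.IGNORECASE)
    if ifeo:
        exe = ifeo.group(1)
        if value == "debugger":
            return Finding("high", "ifeo-debugger", f"{exe} redirected to {ev.data}", ev.process)
        if value == "disableexceptionchainvalidation":
            sev, state = ("info", "SEHOP enabled") if ev.data == "0" else ("medium", "SEHOP disabled")
            return Finding(sev, "ifeo-sehop", f"{state} for {exe}", ev.process)
        return Finding("info", "ifeo-key", f"IFEO key for {exe}: {ev.action}", ev.process)
    if re.search(r"\\currentversion\\run(once)?$", key) and ev.value:
        return Finding("medium", "run-key", f"autostart {ev.value!r} = {ev.data}", ev.process)
    return None


def triage(rows: str) -> List[Finding]:
    """Findings for every classifiable row, in report order."""
    events = filter(None, (parse_row(line) for line in rows.splitlines()))
    return [f for f in (classify(ev) for ev in events) if f]


# Rows copied from the tables in this report; only the last row is constructed, to show
# the IFEO Debugger hijack that the report does NOT contain.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Oneclick Tools\OOShutup10\OOSU10.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0" | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Open-Shell Start Menu = "\"C:\\Program Files\\Open-Shell\\StartMenu.exe\" -autorun" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe\Debugger = "cmd.exe" | C:\Windows\system32\reg.exe | N/A |
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.severity:6} {f.category:26} {f.detail}  [{f.process or 'unattributed'}]")
```

Rows whose Indicator column is N/A (bcdedit, powercfg, the PowerShell launches) produce nothing, since there is no value to match on; those are better judged from the process tree and command lines, which this report does not include. The one HKLM Run row with data and the unattributed Open-Shell rows come out as medium with process None, which is the right prompt to go back to the sandbox for the writer.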
Power Settings
powercfg.exe ran; its arguments were not captured, so the power-plan change is unknown from this page.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Checks system information in the registry
Both reads are chrome.exe querying the system manufacturer and product name; this is the browser, not the tool.
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Drops file in System32 directory
The svchost.exe rows are Windows' own diagnostics (WDI, SRU) writes. The two files of interest are StartMenuHelper64.dll in System32 and StartMenuHelper32.dll in SysWOW64, named like Open-Shell's start-menu helper DLLs and written with no process attributed.
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-940901362-3608833189-1915618603-1000_StartupInfo3.xml | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\StartMenuHelper64.dll | N/A | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRU.chk | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRU.log | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3e96badd-a0f2-45a6-98b7-6e3fbee47ab0}\snapshot.etl | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-940901362-3608833189-1915618603-1000_UserData.bin | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\StartMenuHelper32.dll | N/A | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\SRU\SRUDB.jfm | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3e96badd-a0f2-45a6-98b7-6e3fbee47ab0}\snapshot.etl | C:\Windows\System32\svchost.exe | N/A |
Drops file in Program Files directory
Three writers appear: ChromeSetup.exe from the package's "3- Browser" folder staging Google Update into GUM146A.tmp, then GoogleUpdate.exe and Chrome's setup.exe unpacking Chrome 130.0.6723.117, and chrome.exe unpacking a component under chrome_Unpacker_BeginUnzipping5484_194705218. The C:\Program Files\Open-Shell rows have no process attributed.
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ko.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_te.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ur.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.342\psmachine.dll | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\cs\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Open-Shell\Start Menu Settings.lnk | N/A | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_th.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\kn\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\sk\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Open-Shell\ClassicExplorer64.dll | N/A | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\psuser_64.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.342\goopdateres_te.dll | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\af.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\mr.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\vulkan-1.dll | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\ur\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Open-Shell\OpenShellReadme.rtf | N/A | N/A |
| File opened for modification | C:\Program Files\Open-Shell\Start Menu Settings.lnk | N/A | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdateOnDemand.exe | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_hr.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ml.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_mr.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\sw.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\sw\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\be\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Open-Shell\ExplorerL10N.ini | N/A | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ro.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\te.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\PrivacySandboxAttestationsPreloaded\manifest.json | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\zh_TW\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\mr\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\bn\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\page_embed_script.js | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Crashpad\settings.dat | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\pl.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\libGLESv2.dll | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\notification_helper.exe | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_metadata\verified_contents.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Open-Shell\Skins\Full Glass.skin | N/A | N/A |
| File opened for modification | C:\Program Files\Open-Shell\~tart Menu Settings.tmp | N/A | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ar.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_de.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File opened for modification | C:\Program Files\Crashpad\metadata | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\vk_swiftshader.dll | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\uk\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\si\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Open-Shell\Skins\Smoked Glass.skin | N/A | N/A |
| File created | C:\Program Files\Open-Shell\Start Screen.lnk~RFe5ba8df.TMP | N/A | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ms.dll | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\d3dcompiler_47.dll | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\es-419.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\pt-BR.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\Locales\tr.pak | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\th\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\_locales\da\messages.json | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleCrashHandler64.exe | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| File created | C:\Program Files\chrome_Unpacker_BeginUnzipping5484_194705218\offscreendocument.html | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File created | C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe5ba8c0.TMP | N/A | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleCrashHandler.exe | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.342\goopdateres_bn.dll | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.342\goopdateres_cs.dll | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.342\goopdateres_ms.dll | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Temp\source552_451945869\Chrome-bin\130.0.6723.117\chrome.dll | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\ | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-940901362-3608833189-1915618603-1000.dat | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Installer\e5ba537.msi | N/A | N/A |
| File created | C:\Windows\Installer\SourceHash{FA86549E-94DD-4475-8EDC-504B6882E1F7} | N/A | N/A |
| File opened for modification | C:\Windows\Installer\MSIA63F.tmp | N/A | N/A |
| File opened for modification | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico | N/A | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\ | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5ba535.msi | N/A | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | N/A | N/A |
| File created | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\icon.ico | N/A | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Installer\e5ba535.msi | N/A | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | N/A | N/A |
| File opened for modification | C:\Windows\Installer\ | N/A | N/A |
| File created | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe | N/A | N/A |
| File opened for modification | C:\Windows\Installer\{FA86549E-94DD-4475-8EDC-504B6882E1F7}\StartScreen.exe | N/A | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontSet-S-1-5-21-940901362-3608833189-1915618603-1000.dat | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat | C:\Windows\system32\svchost.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateOnDemand.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | N/A | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\svchost.exe | N/A |
Delays execution with timeout.exe
Disables Windows logging functionality
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" | C:\Oneclick Tools\OOShutup10\OOSU10.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{553891B7-A0D5-4526-BE18-D3CE461D6310} | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\FontSetGeneration = "3" | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | N/A | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\ConfigExpiration = "133761347687568434" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755299551677239" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2BA23CE-B832-4767-85DF-6C7847B485D8}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.342\\psmachine_64.dll" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.CredentialDialogMachine.1.0\CLSID\ = "{25461599-633D-42B1-84FB-7CD68D026E53}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hortense" | N/A | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}\Elevation\Enabled = "1" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32\ = "{A2BA23CE-B832-4767-85DF-6C7847B485D8}" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C4CDEFF-756A-4804-9E77-3E8EB9361016}\ProgID | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32 | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\NumMethods\ = "7" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\ChromeHTML | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - French (France)" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2576496C-B58A-4995-8878-8B68F9E8D1FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\NumMethods | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\ = "Update3COMClass" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\CLSID\ = "{4EB61BAC-A3B6-4760-9581-655041EF4D69}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32\ = "{A2BA23CE-B832-4767-85DF-6C7847B485D8}" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachineFallback.1.0\CLSID\ = "{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\ChromeHTML | C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\ProgID\ = "ClassicExplorer.ShareOverlay.1" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.SystemSettings\ShellEx\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928} | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28} | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}\InprocServer32\ThreadingModel = "Apartment" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ExplorerBand.1\ = "ExplorerBand Class" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\MuiCache | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\VersionIndependentProgID\ = "GoogleUpdate.OnDemandCOMClassMachine" | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\AI041041" | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VERSIONINDEPENDENTPROGID | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\StartMenuExt | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Launcher.DesktopPackagedApplication\shellex\ContextMenuHandlers\StartMenuExt\ = "{E595F05F-903F-4318-8B0A-7F633B520D2B}" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\L1031" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1036" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\ProgID | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{553891B7-A0D5-4526-BE18-D3CE461D6310}\InprocServer32\ = "C:\\Program Files\\Open-Shell\\ClassicExplorer64.dll" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2BA23CE-B832-4767-85DF-6C7847B485D8} | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40A;C0A" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F} | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6E00B97F-A4D4-4062-98E4-4F66FC96F32F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ClassicExplorer.ClassicCopyExt.1\ = "ClassicCopyExt Class" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{62D2FBE4-89F7-48A5-A35F-DA2B8A3C54B7} | N/A | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928} | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB} | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1031" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\AI041033" | N/A | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E94568AFDD495744E8CD05B486281E7F\OpenShell | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods\ = "12" | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF8D124A-A4E0-402F-8152-4EF377E62586}\1.0\ = "ClassicExplorer 1.0 Type Library" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\ProxyStubClsid32 | C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C83ACB1-75C3-45D2-882C-EFA32333491C}\InprocServer32 | N/A | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" | C:\Oneclick Tools\OOShutup10\OOSU10.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/QuakedK/Oneclick
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3fda46f8,0x7ffe3fda4708,0x7ffe3fda4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat" "
C:\Windows\system32\fltMC.exe
fltmc
C:\Windows\system32\sc.exe
sc query "WinDefend"
C:\Windows\system32\find.exe
find "STATE"
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc qc "TrustedInstaller"
C:\Windows\system32\find.exe
find "START_TYPE"
C:\Windows\system32\find.exe
find "DISABLED"
C:\Windows\system32\curl.exe
curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\tar.exe
tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\3- OrcaLIte V2\OrcaLiteV2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat" "
C:\Windows\system32\taskkill.exe
taskkill /f /im ctfmon.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im backgroundTaskHost.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im TextInputHost.exe
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat" "
C:\Windows\system32\taskkill.exe
taskkill /f /im ctfmon.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im backgroundTaskHost.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im TextInputHost.exe
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\4 - Process Destroyer V2.1\Process Destroyer 2.1.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im ctfmon.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im backgroundTaskHost.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im TextInputHost.exe
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e96c-e325-11ce-bfc1-08002be10318}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{6bdd1fc6-810f-11d0-bec7-08002be2092f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{71a27cdd-812a-11d0-bec7-08002be2092f}" /v "LowerFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}" /v "UpperFilters" /t REG_MULTI_SZ /d "" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NVDisplay.ContainerLocalSystem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\BFE" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventSystem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppIDSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\seclogon" /v "Start" /t REG_DWORD /d "3" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Schedule" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\webthreatdefusersvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\hidserv" /v "Start" /t REG_DWORD /d "3" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\NgcSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\sppsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MicrosoftEdgeElevationService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SamSs" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LicenseManager" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\gpsvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\EventLog" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\CTT App Installer.bat" "
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "iwr -useb https://christitus.com/win | iex"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kwznn1ey\kwznn1ey.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE26.tmp" "c:\Users\Admin\AppData\Local\Temp\kwznn1ey\CSC89514FDE3051491186F114B6EF7ECB42.TMP"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\Powershell Chrome Installer.txt
C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe
"C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\3- Browser\ChromeSetup.exe"
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8130FB42-5831-10A9-876B-159E043F7AB1}&lang=en&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateComRegisterShell64.exe"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSI3NTAiLz48L2FwcD48L3JlcXVlc3Q-
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={8130FB42-5831-10A9-876B-159E043F7AB1}&lang=en&browser=4&usagestats=0&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&installdataindex=empty" /installsource taggedmi /sessionid "{DA17F6E0-1E80-49FF-B09F-E35DBCFE32F5}"
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\130.0.6723.117_chrome_installer.exe
"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\130.0.6723.117_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\gui5414.tmp"
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\gui5414.tmp"
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x268,0x26c,0x270,0x240,0x274,0x7ff796d9ec28,0x7ff796d9ec34,0x7ff796d9ec40
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16805192231368396571,16816943064668310134,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\Full-Package-OneClick-V6.7\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{D871AB4A-0026-4E14-AF65-FFB63B1B260B}\CR_85E7D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff796d9ec28,0x7ff796d9ec34,0x7ff796d9ec40
C:\Windows\system32\fltMC.exe
fltmc
C:\Windows\system32\sc.exe
sc query "WinDefend"
C:\Windows\system32\find.exe
find "STATE"
C:\Windows\system32\find.exe
find "RUNNING"
C:\Windows\system32\sc.exe
sc qc "TrustedInstaller"
C:\Windows\system32\find.exe
find "START_TYPE"
C:\Windows\system32\find.exe
find "DISABLED"
C:\Windows\system32\curl.exe
curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\tar.exe
tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
C:\Windows\system32\timeout.exe
timeout 2
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping 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-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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzA3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMzU5IiBkb3dubG9hZF90aW1lX21zPSI4OTM2IiBkb3dubG9hZGVkPSIxMTUzNTcwNDAiIHRvdGFsPSIxMTUzNTcwNDAiIGluc3RhbGxfdGltZV9tcz0iMzAwMjIiLz48L2FwcD48L3JlcXVlc3Q-
C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateOnDemand.exe
"C:\Program Files (x86)\Google\Update\1.3.36.342\GoogleUpdateOnDemand.exe" -Embedding
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --from-installer
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe2d3b7c38,0x7ffe2d3b7c44,0x7ffe2d3b7c50
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=1944 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --field-trial-handle=1840,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --field-trial-handle=2344,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=2504 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=3216 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\130.0.6723.117\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4188,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4564,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4672,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4648 /prefetch:1
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=4884,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5176,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5512,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5516 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5388,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5600 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
C:\Windows\system32\powercfg.exe
powercfg.exe /hibernate off
C:\Windows\system32\timeout.exe
timeout 1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=5676,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5312,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:2
C:\Windows\system32\sc.exe
sc config HomeGroupListener start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupProvider start=demand
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config AJRouter start=disabled
C:\Windows\system32\sc.exe
sc config ALG start=demand
C:\Windows\system32\sc.exe
sc config AppIDSvc start=demand
C:\Windows\system32\sc.exe
sc config AppMgmt start=demand
C:\Windows\system32\sc.exe
sc config AppReadiness start=demand
C:\Windows\system32\sc.exe
sc config AppVClient start=disabled
C:\Windows\system32\sc.exe
sc config AppXSvc start=demand
C:\Windows\system32\sc.exe
sc config Appinfo start=demand
C:\Windows\system32\sc.exe
sc config AssignedAccessManagerSvc start=disabled
C:\Windows\system32\sc.exe
sc config AudioEndpointBuilder start=auto
C:\Windows\system32\sc.exe
sc config AudioSrv start=auto
C:\Windows\system32\sc.exe
sc config Audiosrv start=auto
C:\Windows\system32\sc.exe
sc config AxInstSV start=demand
C:\Windows\system32\sc.exe
sc config BDESVC start=demand
C:\Windows\system32\sc.exe
sc config BFE start=auto
C:\Windows\system32\sc.exe
sc config BITS start=delayed-auto
C:\Windows\system32\sc.exe
sc config BTAGService start=demand
C:\Windows\system32\sc.exe
sc config BcastDVRUserService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config BluetoothUserService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config BrokerInfrastructure start=auto
C:\Windows\system32\sc.exe
sc config Browser start=demand
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start=auto
C:\Windows\system32\sc.exe
sc config BthHFSrv start=auto
C:\Windows\system32\sc.exe
sc config CDPSvc start=demand
C:\Windows\system32\sc.exe
sc config CDPUserSvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config COMSysApp start=demand
C:\Windows\system32\sc.exe
sc config CaptureService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CertPropSvc start=demand
C:\Windows\system32\sc.exe
sc config ClipSVC start=demand
C:\Windows\system32\sc.exe
sc config ConsentUxUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CoreMessagingRegistrar start=auto
C:\Windows\system32\sc.exe
sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config CryptSvc start=auto
C:\Windows\system32\sc.exe
sc config CscService start=demand
C:\Windows\system32\sc.exe
sc config DPS start=auto
C:\Windows\system32\sc.exe
sc config DcomLaunch start=auto
C:\Windows\system32\sc.exe
sc config DcpSvc start=demand
C:\Windows\system32\sc.exe
sc config DevQueryBroker start=demand
C:\Windows\system32\sc.exe
sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config DeviceAssociationService start=demand
C:\Windows\system32\sc.exe
sc config DeviceInstall start=demand
C:\Windows\system32\sc.exe
sc config DevicePickerUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config Dhcp start=auto
C:\Windows\system32\sc.exe
sc config DiagTrack start=disabled
C:\Windows\system32\sc.exe
sc config DialogBlockingService start=disabled
C:\Windows\system32\sc.exe
sc config DispBrokerDesktopSvc start=auto
C:\Windows\system32\sc.exe
sc config DisplayEnhancementService start=demand
C:\Windows\system32\sc.exe
sc config DmEnrollmentSvc start=demand
C:\Windows\system32\sc.exe
sc config Dnscache start=auto
C:\Windows\system32\sc.exe
sc config DoSvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config DsSvc start=demand
C:\Windows\system32\sc.exe
sc config DsmSvc start=demand
C:\Windows\system32\sc.exe
sc config DusmSvc start=auto
C:\Windows\system32\sc.exe
sc config EFS start=demand
C:\Windows\system32\sc.exe
sc config EapHost start=demand
C:\Windows\system32\sc.exe
sc config EntAppSvc start=demand
C:\Windows\system32\sc.exe
sc config EventLog start=auto
C:\Windows\system32\sc.exe
sc config EventSystem start=auto
C:\Windows\system32\sc.exe
sc config FDResPub start=demand
C:\Windows\system32\sc.exe
sc config Fax start=demand
C:\Windows\system32\sc.exe
sc config FontCache start=auto
C:\Windows\system32\sc.exe
sc config FrameServer start=demand
C:\Windows\system32\sc.exe
sc config FrameServerMonitor start=demand
C:\Windows\system32\sc.exe
sc config GraphicsPerfSvc start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupListener start=demand
C:\Windows\system32\sc.exe
sc config HomeGroupProvider start=demand
C:\Windows\system32\sc.exe
sc config HvHost start=demand
C:\Windows\system32\sc.exe
sc config IEEtwCollectorService start=demand
C:\Windows\system32\sc.exe
sc config IKEEXT start=demand
C:\Windows\system32\sc.exe
sc config InstallService start=demand
C:\Windows\system32\sc.exe
sc config InventorySvc start=demand
C:\Windows\system32\sc.exe
sc config IpxlatCfgSvc start=demand
C:\Windows\system32\sc.exe
sc config KeyIso start=auto
C:\Windows\system32\sc.exe
sc config KtmRm start=demand
C:\Windows\system32\sc.exe
sc config LSM start=auto
C:\Windows\system32\sc.exe
sc config LanmanServer start=auto
C:\Windows\system32\sc.exe
sc config LanmanWorkstation start=auto
C:\Windows\system32\sc.exe
sc config LicenseManager start=demand
C:\Windows\system32\sc.exe
sc config LxpSvc start=demand
C:\Windows\system32\sc.exe
sc config MSDTC start=demand
C:\Windows\system32\sc.exe
sc config MSiSCSI start=demand
C:\Windows\system32\sc.exe
sc config MapsBroker start=delayed-auto
C:\Windows\system32\sc.exe
sc config McpManagementService start=demand
C:\Windows\system32\sc.exe
sc config MessagingService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config MicrosoftEdgeElevationService start=demand
C:\Windows\system32\sc.exe
sc config MixedRealityOpenXRSvc start=demand
C:\Windows\system32\sc.exe
sc config MpsSvc start=auto
C:\Windows\system32\sc.exe
sc config MsKeyboardFilter start=demand
C:\Windows\system32\sc.exe
sc config NPSMSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config NaturalAuthentication start=demand
C:\Windows\system32\sc.exe
sc config NcaSvc start=demand
C:\Windows\system32\sc.exe
sc config NcbService start=demand
C:\Windows\system32\sc.exe
sc config NcdAutoSetup start=demand
C:\Windows\system32\sc.exe
sc config NetSetupSvc start=demand
C:\Windows\system32\sc.exe
sc config NetTcpPortSharing start=disabled
C:\Windows\system32\sc.exe
sc config Netlogon start=demand
C:\Windows\system32\sc.exe
sc config Netman start=demand
C:\Windows\system32\sc.exe
sc config NgcCtnrSvc start=demand
C:\Windows\system32\sc.exe
sc config NgcSvc start=demand
C:\Windows\system32\sc.exe
sc config NlaSvc start=demand
C:\Windows\system32\sc.exe
sc config OneSyncSvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config P9RdrService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PNRPAutoReg start=demand
C:\Windows\system32\sc.exe
sc config PNRPsvc start=demand
C:\Windows\system32\sc.exe
sc config PcaSvc start=demand
C:\Windows\system32\sc.exe
sc config PeerDistSvc start=demand
C:\Windows\system32\sc.exe
sc config PenService_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PerfHost start=demand
C:\Windows\system32\sc.exe
sc config PhoneSvc start=demand
C:\Windows\system32\sc.exe
sc config PimIndexMaintenanceSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config PlugPlay start=demand
C:\Windows\system32\sc.exe
sc config PolicyAgent start=demand
C:\Windows\system32\sc.exe
sc config Power start=auto
C:\Windows\system32\sc.exe
sc config PrintNotify start=demand
C:\Windows\system32\sc.exe
sc config PrintWorkflowUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config ProfSvc start=auto
C:\Windows\system32\sc.exe
sc config PushToInstall start=demand
C:\Windows\system32\sc.exe
sc config QWAVE start=demand
C:\Windows\system32\sc.exe
sc config RasAuto start=demand
C:\Windows\system32\sc.exe
sc config RasMan start=demand
C:\Windows\system32\sc.exe
sc config RemoteAccess start=disabled
C:\Windows\system32\sc.exe
sc config RemoteRegistry start=disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=demand
C:\Windows\system32\sc.exe
sc config RmSvc start=demand
C:\Windows\system32\sc.exe
sc config RpcEptMapper start=auto
C:\Windows\system32\sc.exe
sc config RpcLocator start=demand
C:\Windows\system32\sc.exe
sc config RpcSs start=auto
C:\Windows\system32\sc.exe
sc config SCPolicySvc start=demand
C:\Windows\system32\sc.exe
sc config SCardSvr start=demand
C:\Windows\system32\sc.exe
sc config SDRSVC start=demand
C:\Windows\system32\sc.exe
sc config SEMgrSvc start=demand
C:\Windows\system32\sc.exe
sc config SENS start=auto
C:\Windows\system32\sc.exe
sc config SNMPTRAP start=demand
C:\Windows\system32\sc.exe
sc config SNMPTrap start=demand
C:\Windows\system32\sc.exe
sc config SSDPSRV start=demand
C:\Windows\system32\sc.exe
sc config SamSs start=auto
C:\Windows\system32\sc.exe
sc config ScDeviceEnum start=demand
C:\Windows\system32\sc.exe
sc config Schedule start=auto
C:\Windows\system32\sc.exe
sc config SecurityHealthService start=demand
C:\Windows\system32\sc.exe
sc config Sense start=demand
C:\Windows\system32\sc.exe
sc config SensorDataService start=demand
C:\Windows\system32\sc.exe
sc config SensorService start=demand
C:\Windows\system32\sc.exe
sc config SensrSvc start=demand
C:\Windows\system32\sc.exe
sc config SessionEnv start=demand
C:\Windows\system32\sc.exe
sc config SgrmBroker start=auto
C:\Windows\system32\sc.exe
sc config SharedAccess start=demand
C:\Windows\system32\sc.exe
sc config SharedRealitySvc start=demand
C:\Windows\system32\sc.exe
sc config ShellHWDetection start=auto
C:\Windows\system32\sc.exe
sc config SmsRouter start=demand
C:\Windows\system32\sc.exe
sc config Spooler start=auto
C:\Windows\system32\sc.exe
sc config SstpSvc start=demand
C:\Windows\system32\sc.exe
sc config StateRepository start=demand
C:\Windows\system32\sc.exe
sc config StiSvc start=demand
C:\Windows\system32\sc.exe
sc config StorSvc start=demand
C:\Windows\system32\sc.exe
sc config SysMain start=auto
C:\Windows\system32\sc.exe
sc config SystemEventsBroker start=auto
C:\Windows\system32\sc.exe
sc config TabletInputService start=demand
C:\Windows\system32\sc.exe
sc config TapiSrv start=demand
C:\Windows\system32\sc.exe
sc config TermService start=auto
C:\Windows\system32\sc.exe
sc config TextInputManagementService start=demand
C:\Windows\system32\sc.exe
sc config Themes start=auto
C:\Windows\system32\sc.exe
sc config TieringEngineService start=demand
C:\Windows\system32\sc.exe
sc config TimeBroker start=demand
C:\Windows\system32\sc.exe
sc config TimeBrokerSvc start=demand
C:\Windows\system32\sc.exe
sc config TokenBroker start=demand
C:\Windows\system32\sc.exe
sc config TrkWks start=auto
C:\Windows\system32\sc.exe
sc config TroubleshootingSvc start=demand
C:\Windows\system32\sc.exe
sc config TrustedInstaller start=demand
C:\Windows\system32\sc.exe
sc config UI0Detect start=demand
C:\Windows\system32\sc.exe
sc config UdkUserSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UevAgentService start=disabled
C:\Windows\system32\sc.exe
sc config UmRdpService start=demand
C:\Windows\system32\sc.exe
sc config UnistoreSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UserDataSvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config UserManager start=auto
C:\Windows\system32\sc.exe
sc config UsoSvc start=demand
C:\Windows\system32\sc.exe
sc config VGAuthService start=auto
C:\Windows\system32\sc.exe
sc config VMTools start=auto
C:\Windows\system32\sc.exe
sc config VSS start=demand
C:\Windows\system32\sc.exe
sc config VacSvc start=demand
C:\Windows\system32\sc.exe
sc config VaultSvc start=auto
C:\Windows\system32\sc.exe
sc config W32Time start=demand
C:\Windows\system32\sc.exe
sc config WEPHOSTSVC start=demand
C:\Windows\system32\sc.exe
sc config WFDSConMgrSvc start=demand
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start=demand
C:\Windows\system32\sc.exe
sc config WManSvc start=demand
C:\Windows\system32\sc.exe
sc config WPDBusEnum start=demand
C:\Windows\system32\sc.exe
sc config WSService start=demand
C:\Windows\system32\sc.exe
sc config WSearch start=delayed-auto
C:\Windows\system32\sc.exe
sc config WaaSMedicSvc start=demand
C:\Windows\system32\sc.exe
sc config WalletService start=demand
C:\Windows\system32\sc.exe
sc config WarpJITSvc start=demand
C:\Windows\system32\sc.exe
sc config WbioSrvc start=demand
C:\Windows\system32\sc.exe
sc config Wcmsvc start=auto
C:\Windows\system32\sc.exe
sc config WcsPlugInService start=demand
C:\Windows\system32\sc.exe
sc config WdNisSvc start=demand
C:\Windows\system32\sc.exe
sc config WdiServiceHost start=demand
C:\Windows\system32\sc.exe
sc config WdiSystemHost start=demand
C:\Windows\system32\sc.exe
sc config WebClient start=demand
C:\Windows\system32\sc.exe
sc config Wecsvc start=demand
C:\Windows\system32\sc.exe
sc config WerSvc start=demand
C:\Windows\system32\sc.exe
sc config WiaRpc start=demand
C:\Windows\system32\sc.exe
sc config WinDefend start=auto
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start=demand
C:\Windows\system32\sc.exe
sc config WinRM start=demand
C:\Windows\system32\sc.exe
sc config Winmgmt start=auto
C:\Windows\system32\sc.exe
sc config WlanSvc start=auto
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=demand
C:\Windows\system32\sc.exe
sc config WpnService start=demand
C:\Windows\system32\sc.exe
sc config WpnUserService_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config WwanSvc start=demand
C:\Windows\system32\sc.exe
sc config XblAuthManager start=demand
C:\Windows\system32\sc.exe
sc config XblGameSave start=demand
C:\Windows\system32\sc.exe
sc config XboxGipSvc start=demand
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start=demand
C:\Windows\system32\sc.exe
sc config autotimesvc start=demand
C:\Windows\system32\sc.exe
sc config bthserv start=demand
C:\Windows\system32\sc.exe
sc config camsvc start=demand
C:\Windows\system32\sc.exe
sc config cbdhsvc_dc2a4 start=demand
C:\Windows\system32\sc.exe
sc config cloudidsvc start=demand
C:\Windows\system32\sc.exe
sc config dcsvc start=demand
C:\Windows\system32\sc.exe
sc config defragsvc start=demand
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start=demand
C:\Windows\system32\sc.exe
sc config diagsvc start=demand
C:\Windows\system32\sc.exe
sc config dmwappushservice start=demand
C:\Windows\system32\sc.exe
sc config dot3svc start=demand
C:\Windows\system32\sc.exe
sc config edgeupdate start=demand
C:\Windows\system32\sc.exe
sc config edgeupdatem start=demand
C:\Windows\system32\sc.exe
sc config embeddedmode start=demand
C:\Windows\system32\sc.exe
sc config fdPHost start=demand
C:\Windows\system32\sc.exe
sc config fhsvc start=demand
C:\Windows\system32\sc.exe
sc config gpsvc start=auto
C:\Windows\system32\sc.exe
sc config hidserv start=demand
C:\Windows\system32\sc.exe
sc config icssvc start=demand
C:\Windows\system32\sc.exe
sc config iphlpsvc start=auto
C:\Windows\system32\sc.exe
sc config lfsvc start=demand
C:\Windows\system32\sc.exe
sc config lltdsvc start=demand
C:\Windows\system32\sc.exe
sc config lmhosts start=demand
C:\Windows\system32\sc.exe
sc config mpssvc start=auto
C:\Windows\system32\sc.exe
sc config msiserver start=demand
C:\Windows\system32\sc.exe
sc config netprofm start=demand
C:\Windows\system32\sc.exe
sc config nsi start=auto
C:\Windows\system32\sc.exe
sc config p2pimsvc start=demand
C:\Windows\system32\sc.exe
sc config p2psvc start=demand
C:\Windows\system32\sc.exe
sc config perceptionsimulation start=demand
C:\Windows\system32\sc.exe
sc config pla start=demand
C:\Windows\system32\sc.exe
sc config seclogon start=demand
C:\Windows\system32\sc.exe
sc config shpamsvc start=disabled
C:\Windows\system32\sc.exe
sc config smphost start=demand
C:\Windows\system32\sc.exe
sc config spectrum start=demand
C:\Windows\system32\sc.exe
sc config sppsvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config ssh-agent start=disabled
C:\Windows\system32\sc.exe
sc config svsvc start=demand
C:\Windows\system32\sc.exe
sc config swprv start=demand
C:\Windows\system32\sc.exe
sc config tiledatamodelsvc start=auto
C:\Windows\system32\sc.exe
sc config tzautoupdate start=disabled
C:\Windows\system32\sc.exe
sc config uhssvc start=disabled
C:\Windows\system32\sc.exe
sc config upnphost start=demand
C:\Windows\system32\sc.exe
sc config vds start=demand
C:\Windows\system32\sc.exe
sc config vm3dservice start=demand
C:\Windows\system32\sc.exe
sc config vmicguestinterface start=demand
C:\Windows\system32\sc.exe
sc config vmicheartbeat start=demand
C:\Windows\system32\sc.exe
sc config vmickvpexchange start=demand
C:\Windows\system32\sc.exe
sc config vmicrdv start=demand
C:\Windows\system32\sc.exe
sc config vmicshutdown start=demand
C:\Windows\system32\sc.exe
sc config vmictimesync start=demand
C:\Windows\system32\sc.exe
sc config vmicvmsession start=demand
C:\Windows\system32\sc.exe
sc config vmicvss start=demand
C:\Windows\system32\sc.exe
sc config vmvss start=demand
C:\Windows\system32\sc.exe
sc config wbengine start=demand
C:\Windows\system32\sc.exe
sc config wcncsvc start=demand
C:\Windows\system32\sc.exe
sc config webthreatdefsvc start=demand
C:\Windows\system32\sc.exe
sc config webthreatdefusersvc_dc2a4 start=auto
C:\Windows\system32\sc.exe
sc config wercplsupport start=demand
C:\Windows\system32\sc.exe
sc config wisvc start=demand
C:\Windows\system32\sc.exe
sc config wlidsvc start=demand
C:\Windows\system32\sc.exe
sc config wlpasvc start=demand
C:\Windows\system32\sc.exe
sc config wmiApSrv start=demand
C:\Windows\system32\sc.exe
sc config workfolderssvc start=demand
C:\Windows\system32\sc.exe
sc config wscsvc start=delayed-auto
C:\Windows\system32\sc.exe
sc config wuauserv start=demand
C:\Windows\system32\sc.exe
sc config wudfsvc start=demand
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations=is-enterprise-managed=no --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5816,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=5608 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --field-trial-handle=6252,i,12788852660465085191,16957507334792636477,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:8
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootmenupolicy Legacy
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
C:\Windows\system32\findstr.exe
findstr /r /c:"CurrentBuild"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
C:\Windows\system32\Taskmgr.exe
"C:\Windows\system32\Taskmgr.exe"
C:\Windows\system32\timeout.exe
timeout /t 2
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
C:\Windows\system32\reg.exe
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\curl.exe
curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"
C:\Windows\system32\curl.exe
curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"
C:\Oneclick Tools\OOShutup10\OOSU10.exe
"C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
C:\Windows\system32\reg.exe
reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
C:\Windows\system32\sc.exe
sc config wlidsvc start= disabled
C:\Windows\system32\sc.exe
sc config DisplayEnhancementService start= disabled
C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
C:\Windows\system32\sc.exe
sc config DusmSvc start= disabled
C:\Windows\system32\sc.exe
sc config TabletInputService start= disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start= disabled
C:\Windows\system32\sc.exe
sc config Fax start= disabled
C:\Windows\system32\sc.exe
sc config SharedAccess start= disabled
C:\Windows\system32\sc.exe
sc config lfsvc start= disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start= disabled
C:\Windows\system32\sc.exe
sc config SessionEnv start= disabled
C:\Windows\system32\sc.exe
sc config MicrosoftEdgeElevationService start= disabled
C:\Windows\system32\sc.exe
sc config edgeupdate start= disabled
C:\Windows\system32\sc.exe
sc config edgeupdatem start= disabled
C:\Windows\system32\sc.exe
sc config autotimesvc start= disabled
C:\Windows\system32\sc.exe
sc config CscService start= disabled
C:\Windows\system32\sc.exe
sc config TermService start= disabled
C:\Windows\system32\sc.exe
sc config SensorDataService start= disabled
C:\Windows\system32\sc.exe
sc config SensorService start= disabled
C:\Windows\system32\sc.exe
sc config SensrSvc start= disabled
C:\Windows\system32\sc.exe
sc config shpamsvc start= disabled
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start= disabled
C:\Windows\system32\sc.exe
sc config PhoneSvc start= disabled
C:\Windows\system32\sc.exe
sc config TapiSrv start= disabled
C:\Windows\system32\sc.exe
sc config UevAgentService start= disabled
C:\Windows\system32\sc.exe
sc config WalletService start= disabled
C:\Windows\system32\sc.exe
sc config TokenBroker start= disabled
C:\Windows\system32\sc.exe
sc config WebClient start= disabled
C:\Windows\system32\sc.exe
sc config MixedRealityOpenXRSvc start= disabled
C:\Windows\system32\sc.exe
sc config stisvc start= disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start= disabled
C:\Windows\system32\sc.exe
sc config icssvc start= disabled
C:\Windows\system32\sc.exe
sc config Wecsvc start= disabled
C:\Windows\system32\sc.exe
sc config XboxGipSvc start= disabled
C:\Windows\system32\sc.exe
sc config XblAuthManager start= disabled
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start= disabled
C:\Windows\system32\sc.exe
sc config XblGameSave start= disabled
C:\Windows\system32\sc.exe
sc config SEMgrSvc start= disabled
C:\Windows\system32\sc.exe
sc config iphlpsvc start= disabled
C:\Windows\system32\sc.exe
sc config Backupper Service start= disabled
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start= disabled
C:\Windows\system32\sc.exe
sc config BDESVC start= disabled
C:\Windows\system32\sc.exe
sc config cbdhsvc start= disabled
C:\Windows\system32\sc.exe
sc config CDPSvc start= disabled
C:\Windows\system32\sc.exe
sc config CDPUserSvc start= disabled
C:\Windows\system32\sc.exe
sc config DevQueryBroker start= disabled
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc start= disabled
C:\Windows\system32\sc.exe
sc config dmwappushservice start= disabled
C:\Windows\system32\sc.exe
sc config DispBrokerDesktopSvc start= disabled
C:\Windows\system32\sc.exe
sc config TrkWks start= disabled
C:\Windows\system32\sc.exe
sc config dLauncherLoopback start= disabled
C:\Windows\system32\sc.exe
sc config EFS start= disabled
C:\Windows\system32\sc.exe
sc config fdPHost start= disabled
C:\Windows\system32\sc.exe
sc config FDResPub start= disabled
C:\Windows\system32\sc.exe
sc config IKEEXT start= disabled
C:\Windows\system32\sc.exe
sc config NPSMSvc start= disabled
C:\Windows\system32\sc.exe
sc config WPDBusEnum start= disabled
C:\Windows\system32\sc.exe
sc config PcaSvc start= disabled
C:\Windows\system32\sc.exe
sc config RasMan start= disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=disabled
C:\Windows\system32\sc.exe
sc config SstpSvc start=disabled
C:\Windows\system32\sc.exe
sc config ShellHWDetection start= disabled
C:\Windows\system32\sc.exe
sc config SSDPSRV start= disabled
C:\Windows\system32\sc.exe
sc config SysMain start= disabled
C:\Windows\system32\sc.exe
sc config OneSyncSvc start= disabled
C:\Windows\system32\sc.exe
sc config lmhosts start= disabled
C:\Windows\system32\sc.exe
sc config UserDataSvc start= disabled
C:\Windows\system32\sc.exe
sc config UnistoreSvc start= disabled
C:\Windows\system32\sc.exe
sc config Wcmsvc start= disabled
C:\Windows\system32\sc.exe
sc config FontCache start= disabled
C:\Windows\system32\sc.exe
sc config W32Time start= disabled
C:\Windows\system32\sc.exe
sc config tzautoupdate start= disabled
C:\Windows\system32\sc.exe
sc config DsSvc start= disabled
C:\Windows\system32\sc.exe
sc config DevicesFlowUserSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config diagsvc start= disabled
C:\Windows\system32\sc.exe
sc config DialogBlockingService start= disabled
C:\Windows\system32\sc.exe
sc config PimIndexMaintenanceSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config MessagingService_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config AppVClient start= disabled
C:\Windows\system32\sc.exe
sc config MsKeyboardFilter start= disabled
C:\Windows\system32\sc.exe
sc config NetTcpPortSharing start= disabled
C:\Windows\system32\sc.exe
sc config ssh-agent start= disabled
C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
C:\Windows\system32\sc.exe
sc config OneSyncSvc_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config wercplsupport start= disabled
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start= disabled
C:\Windows\system32\sc.exe
sc config WerSvc start= disabled
C:\Windows\system32\sc.exe
sc config WpnUserService_5f1ad start= disabled
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start= disabled
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDInstallLauncher" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "ModifyLinkUpdate" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "SoftMakerUpdater" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "StartCN" /f
C:\Windows\system32\schtasks.exe
schtasks /DELETE /TN "StartDVR" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc stop uhssvc
C:\Windows\system32\sc.exe
sc stop upfc
C:\Windows\system32\sc.exe
sc stop PushToInstall
C:\Windows\system32\sc.exe
sc stop BITS
C:\Windows\system32\sc.exe
sc stop InstallService
C:\Windows\system32\sc.exe
sc stop uhssvc
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop LanmanServer
C:\Windows\system32\sc.exe
sc config BITS start= disabled
C:\Windows\system32\sc.exe
sc config InstallService start= disabled
C:\Windows\system32\sc.exe
sc config uhssvc start= disabled
C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\sc.exe
sc config LanmanServer start= disabled
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config RemoteRegistry start= disabled
C:\Windows\system32\sc.exe
sc config RemoteAccess start= disabled
C:\Windows\system32\sc.exe
sc config WinRM start= disabled
C:\Windows\system32\sc.exe
sc config RmSvc start= disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config PrintNotify start= disabled
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config PrintNotify start= disabled
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config NlaSvc start= disabled
C:\Windows\system32\sc.exe
sc config LanmanWorkstation start= disabled
C:\Windows\system32\sc.exe
sc config BFE start= demand
C:\Windows\system32\sc.exe
sc config Dnscache start= demand
C:\Windows\system32\sc.exe
sc config WinHttpAutoProxySvc start= demand
C:\Windows\system32\sc.exe
sc config Dhcp start= auto
C:\Windows\system32\sc.exe
sc config DPS start= auto
C:\Windows\system32\sc.exe
sc config lmhosts start= disabled
C:\Windows\system32\sc.exe
sc config nsi start= auto
C:\Windows\system32\sc.exe
sc config Wcmsvc start= disabled
C:\Windows\system32\sc.exe
sc config Winmgmt start= auto
C:\Windows\system32\sc.exe
sc config WlanSvc start= demand
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\chcp.com
chcp 437
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config ALG start=disabled
C:\Windows\system32\sc.exe
sc config AJRouter start=disabled
C:\Windows\system32\sc.exe
sc config XblAuthManager start=disabled
C:\Windows\system32\sc.exe
sc config XblGameSave start=disabled
C:\Windows\system32\sc.exe
sc config XboxNetApiSvc start=disabled
C:\Windows\system32\sc.exe
sc config WSearch start=disabled
C:\Windows\system32\sc.exe
sc config lfsvc start=disabled
C:\Windows\system32\sc.exe
sc config RemoteRegistry start=disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=disabled
C:\Windows\system32\sc.exe
sc config SEMgrSvc start=disabled
C:\Windows\system32\sc.exe
sc config SCardSvr start=disabled
C:\Windows\system32\sc.exe
sc config Netlogon start=disabled
C:\Windows\system32\sc.exe
sc config CscService start=disabled
C:\Windows\system32\sc.exe
sc config icssvc start=disabled
C:\Windows\system32\sc.exe
sc config wisvc start=disabled
C:\Windows\system32\sc.exe
sc config RetailDemo start=disabled
C:\Windows\system32\sc.exe
sc config WalletService start=disabled
C:\Windows\system32\sc.exe
sc config Fax start=disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start=disabled
C:\Windows\system32\sc.exe
sc config iphlpsvc start=disabled
C:\Windows\system32\sc.exe
sc config wcncsvc start=disabled
C:\Windows\system32\sc.exe
sc config fhsvc start=disabled
C:\Windows\system32\sc.exe
sc config PhoneSvc start=disabled
C:\Windows\system32\sc.exe
sc config seclogon start=disabled
C:\Windows\system32\sc.exe
sc config FrameServer start=disabled
C:\Windows\system32\sc.exe
sc config WbioSrvc start=disabled
C:\Windows\system32\sc.exe
sc config StiSvc start=disabled
C:\Windows\system32\sc.exe
sc config PcaSvc start=disabled
C:\Windows\system32\sc.exe
sc config DPS start=disabled
C:\Windows\system32\sc.exe
sc config MapsBroker start=disabled
C:\Windows\system32\sc.exe
sc config bthserv start=disabled
C:\Windows\system32\sc.exe
sc config BDESVC start=disabled
C:\Windows\system32\sc.exe
sc config BthAvctpSvc start=disabled
C:\Windows\system32\sc.exe
sc config WpcMonSvc start=disabled
C:\Windows\system32\sc.exe
sc config DiagTrack start=disabled
C:\Windows\system32\sc.exe
sc config CertPropSvc start=disabled
C:\Windows\system32\sc.exe
sc config WdiServiceHost start=disabled
C:\Windows\system32\sc.exe
sc config lmhosts start=disabled
C:\Windows\system32\sc.exe
sc config WdiSystemHost start=disabled
C:\Windows\system32\sc.exe
sc config TrkWks start=disabled
C:\Windows\system32\sc.exe
sc config WerSvc start=disabled
C:\Windows\system32\sc.exe
sc config TabletInputService start=disabled
C:\Windows\system32\sc.exe
sc config EntAppSvc start=disabled
C:\Windows\system32\sc.exe
sc config Spooler start=disabled
C:\Windows\system32\sc.exe
sc config BcastDVRUserService start=disabled
C:\Windows\system32\sc.exe
sc config WMPNetworkSvc start=disabled
C:\Windows\system32\sc.exe
sc config diagnosticshub.standardcollector.service start=disabled
C:\Windows\system32\sc.exe
sc config DmEnrollmentSvc start=disabled
C:\Windows\system32\sc.exe
sc config PNRPAutoReg start=disabled
C:\Windows\system32\sc.exe
sc config wlidsvc start=disabled
C:\Windows\system32\sc.exe
sc config AXInstSV start=disabled
C:\Windows\system32\sc.exe
sc config lfsvc start=disabled
C:\Windows\system32\sc.exe
sc config NcbService start=disabled
C:\Windows\system32\sc.exe
sc config DeviceAssociationService start=disabled
C:\Windows\system32\sc.exe
sc config StorSvc start=disabled
C:\Windows\system32\sc.exe
sc config TieringEngineService start=disabled
C:\Windows\system32\sc.exe
sc config DPS start=disabled
C:\Windows\system32\sc.exe
sc config Themes start=disabled
C:\Windows\system32\sc.exe
sc config AppReadiness start=disabled
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\sc.exe
sc config HvHost start=disabled
C:\Windows\system32\sc.exe
sc config vmickvpexchange start=disabled
C:\Windows\system32\sc.exe
sc config vmicguestinterface start=disabled
C:\Windows\system32\sc.exe
sc config vmicshutdown start=disabled
C:\Windows\system32\sc.exe
sc config vmicheartbeat start=disabled
Network
Files
\??\c:\Users\Admin\AppData\Local\Temp\kwznn1ey\kwznn1ey.0.cs
| MD5 | 66ca8de746bd5bc09574b9b5d72a91bb |
| SHA1 | ae5b33f83239264d6202d1b9fdff566e851b85e4 |
| SHA256 | 8221e96e5aef72f45e31a858a97638c7f2fc0bad68f6a21d92edb26cfba20f2b |
| SHA512 | 80d6b675b08acc1bdd65da19938c2a30a0bdb4ba75459d2677e56345720a5ce5590ace5aae48f2ca1bb14315cd73c40adb841af0ff917799a6a8e5963871e74a |
\??\c:\Users\Admin\AppData\Local\Temp\kwznn1ey\CSC89514FDE3051491186F114B6EF7ECB42.TMP
| MD5 | bca950304b3dd58603299fc2827ff6bc |
| SHA1 | ad757dc6f77b11387aac17007104ac865947a255 |
| SHA256 | 6a0f5d1c38fb2982d37ad6b1eae94dac76cbf405d8221db0744c2a25461733a2 |
| SHA512 | 10753941b3bd27d08a33daeb1da961f7693bf75de908a031c387079e923232f73b51a1538df94a92d7a3b8d289512a7cc7352dc9ffbb955aedf2c9a7820bd19c |
C:\Users\Admin\AppData\Local\Temp\RESDE26.tmp
| MD5 | 37e13ff000d5e6525a73883e06e4e014 |
| SHA1 | 8fb2855ecbd27e5c46f7d4aecde40d081ccedd89 |
| SHA256 | a219307ba6fa1f783801a985f4efa80c10b3a7e2436c9eebe96f09dca1083989 |
| SHA512 | c1d2e73803ed916ccdea5b932ad2ece58c24332308bc4bc37cc93cf032bc36f1d49c2ac6881870208974ff6818bfa033761514f6baf1b8f68b8bf20eec1a0869 |
C:\Users\Admin\AppData\Local\Temp\kwznn1ey\kwznn1ey.dll
| MD5 | b874dd88e19a762253c4522957783943 |
| SHA1 | 905a7fa75eedfed81d506ad53a5fe45efa3fe1e7 |
| SHA256 | 5eb56e7db3bc09ddd81b31ed2a3487f82d813a0b0a868e8d58a053fd389d026a |
| SHA512 | 51a3f4dc2c177dedab357f044155c96aef9cf769ceaa96b7b80a1c39a8d438dc0c003ebaffe2d6aa6db608f056eb8835cc3995e551459746cfafdae1c4196a3b |
memory/5788-312-0x000001E764880000-0x000001E764888000-memory.dmp
memory/5788-314-0x000001E7627A0000-0x000001E7628EE000-memory.dmp
memory/5788-317-0x000001E7627A0000-0x000001E7628EE000-memory.dmp
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdate.exe
| MD5 | 9d11650401d71ce469f70b4f93d0b6c5 |
| SHA1 | d562bc3ff94d4c9ed3b4ea495522a0c9a7b71934 |
| SHA256 | 75db49d5fe15f8affee5e3c08ae191db0839d34b54526ea1d9339897f99b48a3 |
| SHA512 | 22ac788f038b2e633a45b13a8ee672614d33ef94dd89ffdd60545c67100e01db250431f6126805a149dfd25210ebac14c53add5c69dcfc975cc60e18bca04881 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdate.dll
| MD5 | 5fc51add59269589fa3e515aabd49c91 |
| SHA1 | 24790893fa362a48c2367e7381ab40dc148f7942 |
| SHA256 | 7d8a5276b0309df7a2ebbc58cbd64235797b34fe77ede2bb61a67c7c791c6917 |
| SHA512 | ad5c177b5c6a5aabdb434dc78eac217d1559b0fe2f95414a038cb4ab37ffce255c954b7a726e40f42156497fbdc1f0ced49e69be8d5d265499cd92de03a1da37 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_en.dll
| MD5 | 5c21ee293e7675e94addcdf310df7ca9 |
| SHA1 | 617053566a3f30fe0300b65ee1c2bbd2b503162c |
| SHA256 | 77fefd0cbbbfd59a026b6959e150f27bc31167ff1ab0b32fb5d82fafe6bab4c8 |
| SHA512 | 0d4098c2f6b697c877b6e0401e3942d20a8700562236fde347adfcafe1e8221234898080258b92ab9ebf5c8cd506d78149581598c09a0d76f7b1f0415e0f84f6 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdateCore.exe
| MD5 | a302b2911c09a97ba215aee8dcf45ef5 |
| SHA1 | 580e20d62f906b8d99ec52fb9d54f727cc468590 |
| SHA256 | 91eac5b15837121a222354001ec7a25a3fca23bbd41bafbc442a468e079d937d |
| SHA512 | c4b9e5de25b83ebddb94afc15933013b872293b22a7db95c2a0e5a382b92ad0def6c14dcc61b34f224ab0cc3550ed7cc0f0920fc85f87924a2463daec32d0052 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleCrashHandler.exe
| MD5 | c281ea9d8b6e02e9992a39f2edcefddf |
| SHA1 | 02bcdc22d0666a3d4f882e2746ba5902435e5b7f |
| SHA256 | a9ffff9a0636e35c0b0661a05705d3c74a2613be52093f892efdc370f2fb4453 |
| SHA512 | c10a06cb88bbbf8e12de3f94abcc605c91d2d0eae4350709ed8bc0202c9be7f981747fc9627c0f84670bece1676d9860d08cecc13dd2c59b3a9ea0b1028bcd83 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ml.dll
| MD5 | 6f932129d637fef1e4517613879aa3f4 |
| SHA1 | f9015d5dab8036de48ba01d5752dd83d5c25a56c |
| SHA256 | ad67804ea0f82474c762c018435840a4c8a78e96b3cc04330706e9449dfbe435 |
| SHA512 | 52ac66f701aeff90c52bbb2d9016f45035827bbc2ba1ebf9a7527fcd127770c4881bd5382ff07010b66e26cddc56cc816decf236feb8f375e16e6d1a38355a64 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ko.dll
| MD5 | 6fd785cb2a82b52d318a4abc9fa55f75 |
| SHA1 | 3435478498151e88835c79d326594bf644985710 |
| SHA256 | bea642d58f62502cb75d862975060433f94b0bada5e1a92e7e7b74a85500cca8 |
| SHA512 | 3dfdc925ab3684d1b2aac676cfb359a2bc3280ba3ec171bb4d4a30a41c9218d0e6e2d328df0f9bc11075014cb6900f068e7c41c796fb458d1a61648bf59fc3c4 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_kn.dll
| MD5 | 1de8f3628587faeb55ead5e6efca7a31 |
| SHA1 | 3cb43cb76af9db6b254b836d81071d199dd63298 |
| SHA256 | ac8f80fa2dd45ea3ca0f3208b566ec5a161c9cd4c85494a52e9fcfe35fc536c6 |
| SHA512 | 23e3a34d79459ded2f55a920729cc29e43f994553ede81412bcd04b2fef57b88b910a666557d4b2cdd5710e7e62887538580b77f68f728bf31b61d2d7f3d5d82 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_lv.dll
| MD5 | c3a99de97e9a12b454fa9580c05b7927 |
| SHA1 | 074c883aff1530559b152587d9cf8a2d9535cae6 |
| SHA256 | 0274618487583909590bad7b6c51eebf99da3dd4ad6f43447fb81cd89560f3d0 |
| SHA512 | 1c81e0960feac84c822e8e9886baa3d5a4d7dd4f570a179710d4c21343bfe8ca1fcd38e3f7fa14a6125eb25f9b6b055b01f177299a1d8f37e5c4bec5bc0508ec |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ja.dll
| MD5 | 1ef4a3d1c7c8c039de81f81fd7d93f30 |
| SHA1 | 3138e335e4e454c05a3f1469fca4851160b5e217 |
| SHA256 | 2b33eaf99fae7cc1cb4449bcfabc7580b8463d686ce3075da91b1befa11fc356 |
| SHA512 | 2b4b55da069e2c83951082952f72470c6543482b351a3d0ced9e3c32fb18ecb0de7f8d2cd2a5a898fbf271af13b85fbe652529ee9b67c78681d4dbedbc41870c |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_iw.dll
| MD5 | 66f368446f6319e61643122eba941fb8 |
| SHA1 | e65b384941cc21e3739685a2e277494e649fa752 |
| SHA256 | 93276078afa5b4874f056505be9be78bba0b87b5b33ab3f291097ea750325042 |
| SHA512 | 1c0bfb8a67cb117bf728256f00637f3ea65a2a67db6c54481bac04f2d5d6e1aa465b09b652c116335875d8068704cbcd936024fa64569a21cbe4837d406ddd6c |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_it.dll
| MD5 | 034832d340773843a8df5c102236a4e4 |
| SHA1 | 7ad97f211fc0f6ee2855b712104b7c79d9f81300 |
| SHA256 | 6ba57e9c1e5b6f5848f76c57a72a05fd26c4a175a6565215264d6746b1286c03 |
| SHA512 | a71b580fd23ddca4394730bbf666460aee40a4a1e282e3fbafc8475aa744d7373f2f96d4f84e473273204b68aba12e1e89c1accebb5ba9199bb8f9edeb1a7036 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_is.dll
| MD5 | fd53266c4c2fe27e582a8dde346b384d |
| SHA1 | 9e4cfab2726a91814a4b08edcf86844c9fca385d |
| SHA256 | 9f968ad5436b82ba6e980d8e6f398e56688fe7004c4bbb8d636bb3c830c7b45d |
| SHA512 | 607f9f1cc11dc6047f4c52718d631bc4de82650112fcd6630678a88ac32a9d757ac7160a7a44c6f0a5b0496667156cbc21651114ccf4116d7be757c367d07f05 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_id.dll
| MD5 | c6547c7547c6045358028a6705b93b25 |
| SHA1 | 89328d7a53ff48b8bcf9c48e4224978b81cb2778 |
| SHA256 | ee5fbf68078b0b2e72fbe996b190658f201731e68df2fbd237f00c0d375f2381 |
| SHA512 | cafc6f6187eaa7825d14a601a548bd06d24823f5bfd75df26a76f93c39076b2fe04878a4f9c494b09ca316aeb97f4a2556ce0a7986dedb8b5e492b02d3f6a0a3 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_hu.dll
| MD5 | 793e7ccaf19f40dc8a8fc1b37a334317 |
| SHA1 | 95fef741a58f4e5725d6562dd91522bdb3cc710a |
| SHA256 | 34f87b8b6057ddaaee1196e984abf9464b7ac709d603cfa1f9a680900a0fe9af |
| SHA512 | 295a4dc4a6ed045fecaacf0cb060af2c37fac49f964e47409c5f9adf986a6d28539dfdb410f4c4ceaf06bbc2f02c910edcc60d0bbcb5c173641657decd229d76 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_hr.dll
| MD5 | b6ade531c5b0dd4818d912e75888c969 |
| SHA1 | b2cb623d15c9afbe38ecca74a59b3180cbd91043 |
| SHA256 | 6aebac808995ccc5ffb93047ec1d4f2eb421544b5a5b20696e6f723f7379318c |
| SHA512 | 919b8f23e5124ccc48698c749a90ccf92dba08061c7faae50f53a9c209ea156731b6eab5f9f45b8842e3ef8bd1927b5e92fbca840f6af4f9e57b6587d0a170b6 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_hi.dll
| MD5 | 7f76e2c441dc51b075d189259df2abbb |
| SHA1 | 6bcdea5bd0490b064a1997506d1c521ee93f1e3c |
| SHA256 | 8fc23044471be6be0fa0089684efce4796ec4ddbfe9eb28add86f69eb5aaf60d |
| SHA512 | ec5988ae6dec9c9e0764714a9fb6e4ac95f16cd107299841d617917cb46f73ce71be6706c143376a9d053f42dae4c62d69965160522c1145a9bbcea295b6e67d |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_gu.dll
| MD5 | 182603f069ffd14a18c2fdf4fa51541e |
| SHA1 | c7c61a553db5810b8ef113bac82a4a9979f27a6e |
| SHA256 | f178061ee7d373f3ac63d940979ee0b8b14bbc1303f4b89cacca26faa985376f |
| SHA512 | d31ca2130ebe9ef1ed7f0f6dc8adc8cbcb9c2450aa8fcc8cafe07c1828def5dd917287cead9f3b7946dc9562eea666c471810a5987693614328fe4d0f2279f29 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_fr.dll
| MD5 | 1377128b3630eeced7bf5301155cf5f1 |
| SHA1 | 3fcaffee05b4ecb2694215b819368a3b986b277c |
| SHA256 | bd02d433485917d4c0fe97f493b525d2f816ff87771e49f877028aa45753e3fb |
| SHA512 | 073eb63d5574082cf45ec5bd6b289c90e61d1db435aeb546a6b4f23da9642a17d893a001b080afeffbf31615038530f8b673bab3ea3adf7a21956a0565564403 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_fil.dll
| MD5 | d4acde0f430445ae85095b996fa153e0 |
| SHA1 | 8cd8bfc5732f912b3b5f4eb5ffecd3806a9445ef |
| SHA256 | 3d76fd29cc9f4705c03a65ba9e4e861e8c2b5e0515ff9e54619aed5da51b620c |
| SHA512 | c670cec0753513d46da5da4cb16f2f6317dfd45732cc7b446d558a266bcdf0c770a9bcbc172521b50d0e5c44bdaf9f22171d6d903b010c157eb06bdb188d6d4c |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_fi.dll
| MD5 | 56adc2f0db1331938ea05d5e165ed1ec |
| SHA1 | 115cd2335ea8b02b5a0d30d7e44687f9c9cd8f54 |
| SHA256 | ecebd63626dc344f4e4811e2bf76ef0cea600e62cf7b92e7553911d6432673ab |
| SHA512 | 07df252ca48b426dc822e570f9f356b35e6d01ce5d72d146fee8126ea04d3f3c94605457aa68bb76b99d48903ea4f1786eebf79477ad566b2908d92894f14a3f |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_fa.dll
| MD5 | ae487ce7dae2b30338915878a8d0c04c |
| SHA1 | 8a52ed3ada0f7e77033f01e25188488fc1731c36 |
| SHA256 | 979be24f9921321aeaa2826d1b52c6582543e9c691ebafe9aba1db167f1907bd |
| SHA512 | ea5091364a5cf844d238ed10d606190ab54e79091f41c6f2bf24d67589809c5f7ad3ff4e7efd87f6ad690dd4f2bd0b39e3190b479b8641a244e7728e9f0ab2ea |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_et.dll
| MD5 | 77c47b4191d07dcf9d4b2dc92865801a |
| SHA1 | 521b7384fa26dccd978512834015129037e3e3d4 |
| SHA256 | 4c0d4c49b677632abc0d5c8ce3fd49782783d97fa810ca42d0edbd80714e1a91 |
| SHA512 | f0d24b000b0cd90965ac437098e3e7ec04a35c0f451c1795c31e9dc5c2a5b6c41778780ab4e14dc7c5ebafd9ee4f1bc3dcdc17717eee10114954ee95f3114aca |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_es-419.dll
| MD5 | a77d7bd88f42c96cd869cc910b4bc00d |
| SHA1 | 658d152e54522ec3f5f99259b973482d6dd9aa5f |
| SHA256 | d01f6199b83241120db133c86149bb43ad07631a2226aca410cb116e26531da8 |
| SHA512 | af0031afd02f4343dd971835f72d84020df1f976a36e0cc4a1859c8e76a3c7dd9ccfef560aa699540c44458d7c7acc0efe811ad65148a63b4caf8a605cb2b72a |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_es.dll
| MD5 | fae17db40fdc07960e22cb692e151c5c |
| SHA1 | ed5a92ae518c9c7cf095f78eac7b7addcbc7287a |
| SHA256 | 860727bc15881c4f6b897ad361a20f3f80858494639a05b016fb1a572724368a |
| SHA512 | a24bf6bb52468db0d39b3252c862c0d62462bfd60c49e64f43d52512b4873b202292d1d0b895e9734f851037110ae7d8ba1fd24f0f45dd9f879fadad0be19134 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_en-GB.dll
| MD5 | c062b5a4d25e7b6f96177ddbf75a1282 |
| SHA1 | d575774c3677362d882b1901cf775ab402338264 |
| SHA256 | 21dd425a66babd1f72455cd27bb53fed743159aba345a8e8f4b1e5ca2ea7962c |
| SHA512 | aedd072d619b142cb15ae30eec4553ef9d158dbd7d51dd39931a1911ee1c029159fd550f371d3096ed031f4532056c324405c5ff06781aa5173164a24f3057ca |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_el.dll
| MD5 | 8299854798b02c7f298f98e9e9fa3fae |
| SHA1 | 54c94bbbb7089b5b1c494fab45ac48c0fba2d162 |
| SHA256 | 18a65693ec19ca4d25a5d40e05db0bcb2872fe08e3357521feb1b44c9aa90229 |
| SHA512 | ab21410089ff740f8f7912188eb8a0375bd52e2888e390c0e8d7db652b0c2c1d31082c8acac233ec67a70a9190836e63a63611da46980a34430167fb9aede1a9 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_de.dll
| MD5 | 229e7d67c8cf7f493229540527403f96 |
| SHA1 | 63e165565323f6171ab57d222f4269be104831f3 |
| SHA256 | 70e7c27a1413088a7bbb869c0c40112a7b6c1dc98db4d3f81dc4b494127a5155 |
| SHA512 | c613ec73339bc59f1dc9fef2a8801bda8b519784a3514f0edcc742b462521a1e71485638083e363e2a30f61be133d40ddec7803c990e683647dadbbadf6f773e |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_da.dll
| MD5 | b2fea77ef33fcbeea2ef0b726b6f1359 |
| SHA1 | a9d042a87f612e09012e3099a4cf0432207d75da |
| SHA256 | 8fecad0347071ff293745937a15b797b3c51ac520835c63157013bd913cb866f |
| SHA512 | e67acaf4d063a128a4e240d04551178089d91d8be6f9d067952e7696e56c698b51fde8a67e1187f6ee025037e8ffd5909e2cf6f89ecaddf798304b2fd0b10f09 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_cs.dll
| MD5 | ba7ef0c0da231535173488952ed4fa3c |
| SHA1 | 20f558e94c187d0319ea29fffa7e3238b623d89e |
| SHA256 | 129c42f715e76fef63bbda8f60b718f195f9b8e15eb2b594fd9756cbfcd45f1d |
| SHA512 | 7b144d7abcb63285f31aa690a58abbcbfa1c69d8f975650d263e855f89e26bff16b5f9ff34a72afc5e1b61ab135000db046aa7f35e5c9cfe7133c983b39fd158 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ca.dll
| MD5 | be4c2c8a77df3ec7ff0fed33e9ee471e |
| SHA1 | cceb9e251fec9b7373387ebc234b3c034314302e |
| SHA256 | 9df902fe9a56b825a433c6ca949c378ff873396c438ba6466c13ec588956af3a |
| SHA512 | 5310c1e8740cf68d7bf3d7e3d951bf9c2bd09491fc38b3611cefe8721c399229e42d42b40a471b78abafeffad6ab430d803895bc2c59673e9f2cebba77a9fa85 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_bn.dll
| MD5 | 76f438c02858015b3926f028409c6c39 |
| SHA1 | 0960e0c1816b4d48a2fe0e1a5959ebad3571ebdb |
| SHA256 | 69c3e0d056e9d49e19c8c303c31c5a493fe200444ce6396e6a1788f80026b9fb |
| SHA512 | bc320dacf034b33f8b73f77c13496d8abd488496a83a7fbce663274832e208b453004ef8f8136a29d41fdd78b90b42ebcddf0b0f653e2217385a24c825456aae |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_bg.dll
| MD5 | 7a524191eb27b5ef81d5a108eca2e76f |
| SHA1 | 0baa260b174378e13c59fb0cea22ce3890edca65 |
| SHA256 | 544e49bffd37e40bb642f3aba26d3d72690075530107b58f391770068b958881 |
| SHA512 | d029478e6418fdd92f2f940b3eb7d1477a857f2fb1eff6f4603c6da2bed43b6cb64df55b4d38feb8169f9d55cab861a7a1bcbc2c6bdd8fddfa8b0ff030603844 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ar.dll
| MD5 | a897556c06506988947606230709dc05 |
| SHA1 | 315f991ba8ae96463d6ca789770bd0514cfda22c |
| SHA256 | ce4e4479b254d51cc4f8adf4803d4d2810fb430c74eff2db3fe9dc159e87804b |
| SHA512 | aa79b4cb73b925b9cf27d2603e7842c00d5cd5527b69281f9ba454a4a325711cc372f6a04e8f489cacf09ebe9ddefa01fc0c32323102df58bae453527a695557 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_am.dll
| MD5 | 16d24c3ee7bd990d606cc1ae1b36f0c6 |
| SHA1 | e9339a69d828670a7be9419910f89446c25be571 |
| SHA256 | c183203d266b6f0122f75cb035cfac59b264c03467434da64ca9ae10afb085ef |
| SHA512 | 9ab59b0cc83d727caf067426601de391de617a99d36975d1ec420a0de828b00cea55e2c8f6eae68c0fcba7259bb57e9acb367aa1e8b5e5a1d1b1b38b1eb0f561 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_lt.dll
| MD5 | e47de2e3f2c834ab292623fc667b51f3 |
| SHA1 | 91a82103a1dc875bfed7693e695a172b3d74fd3d |
| SHA256 | 50a08575d882baa660bb91bd1f0f76af222dbe315d18ac0cf0f569739dac10e9 |
| SHA512 | 141cb2d311284288c1b6fec426ef1af3d1be2b1ae30fb8884234b0615210af7b47544bc8cfbe7f49f6fa08cc615ce419aaeffd5fd6fe72abc0d15ae978b5fd7c |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_nl.dll
| MD5 | dc5436fd8d4a7d588ba0b784d88224d7 |
| SHA1 | e3a4c19365378b93c8f853bc5bbf37c52ad52d01 |
| SHA256 | 8649d98614f98d4bcf4236f3c15534cf652ee7bd97672d8d9e49c5989f7dda81 |
| SHA512 | af1c7364b8da1783c3375c002116f23378cdd71149a9dbc8d6c855fc6731cc4ceaa87b0a2355d764bbed1e890dbadc854a9dfe7898f00044de52436b7f600514 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_ms.dll
| MD5 | 791a83218841bac5604232529aa44140 |
| SHA1 | 251eafc3182ccbad6dfba3af8d3ba40e23488a4b |
| SHA256 | 49be589cb02529171494d27a8fc92f1b4cd678e06328a50604b19ff979ef67b9 |
| SHA512 | 5b990c0d871114689bf54a10982a32daef74755a9be610e6ec107d7d56f819d13813282516adc9310ce7e23f88fdae50d75c69fd019f2c43724ccdbe7aa0e924 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\goopdateres_mr.dll
| MD5 | 238c4c2539d5b03a943296b9e9582743 |
| SHA1 | b5fd7d01c02bf7dd19126b07d78c1decce8cfbfa |
| SHA256 | 3c66ef42e9df33e958f4fc557ea22ae59995886e47b94cee65c8c9532aa03d64 |
| SHA512 | cf65f667e1217660229b8380641714ce8478cfb34c717d0148b1cb2875a39f2e2b493b133d37d127eb14b137815f3e1a13adeb4e055514a14d063f91279722cd |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleUpdateComRegisterShell64.exe
| MD5 | 8506a7617f993ecdb00e21f52eff95e2 |
| SHA1 | a9e7d4b81c28a70ff3ab9cfa6d97409654b0dada |
| SHA256 | 8b1a4a549001d926be2e4e06c6820964b7155ec9ec87e28e1735cebe7b0048db |
| SHA512 | 1dc7067d38b17f909bbd5edb0c983c3130270973e4f282eb199c349c0c25363429bc553f8e1759bbe3657c9c67c604e42d7822923a4a081c2d4729d68a2da182 |
C:\Program Files (x86)\Google\Temp\GUM146A.tmp\GoogleCrashHandler64.exe
| MD5 | c9b7af8ceab51d99a8747ef7c2721d00 |
| SHA1 | 085bb3746c1aef6cb0caed0fab002a1755919020 |
| SHA256 | bbaf147ab2631632fa6b40e5c42a753fdf08e23ac1a468ce6d61411c4e75cdae |
| SHA512 | 25582203966baec4a6f05796a0b06738d0c9291f1d079167e3635a80e19194a01a55d0bd19e792973e36bf5f1a8e0cfa150e77cfbe75d79762914fbd9c9bc7c9 |
C:\Program Files\Google\Chrome\Application\130.0.6723.117\Installer\setup.exe
| MD5 | 975f2eaa38bb31796f08bdf7ada59b5d |
| SHA1 | 3d8bbb8cc560a5be2d73d394caf19a914140432d |
| SHA256 | fdd374c979fdd584e6361d41a238c81436018d96d9f5be0cc1e05e7f997c1873 |
| SHA512 | a110ddf5b7df6d871c0bfe0f1821df8e127e3e5e6d1c6955f844cce4725afa06ca258c34b9488681588da0fe0594660f080525a101a2f05ef6b5c63811332051 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d3c85863e3c74985d50d0c3f5ece31d7 |
| SHA1 | 55dde27f89e42b8ad773a797b8146396563a74e6 |
| SHA256 | 6c06e7240c5d97f4038e86bcd5b10cad6ae09550d86ec2d032d1ce1fb9015967 |
| SHA512 | 8cae886a7842ee771e9ff2c7abc9f5af3d808bea2b47377e336aa10a76c5bae6f4f27c6b473d962fa245695d1077ed3a636e168ce218810e16312574c9d192e3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 533b89104378a52d4056bdd9f3db23ac |
| SHA1 | 194fd12c1106b77d38fe891983875bc1512fd31f |
| SHA256 | 69f9c8c074049d6b253e18b9a26f3adb405d8669d7000ee3f5468b18c16adf37 |
| SHA512 | bd906b57b50ea887007bc1738db1496906a5ef615b547feb6a2a4d8ccd509074767f8ceead87a6d8023c52d8398ba12e54cdc270589e5b7fdecb3dcd7966500d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
| MD5 | 505a174e740b3c0e7065c45a78b5cf42 |
| SHA1 | 38911944f14a8b5717245c8e6bd1d48e58c7df12 |
| SHA256 | 024ae694ba44ccd2e0914c5e8ee140e6cc7d25b3428d6380102ba09254b0857d |
| SHA512 | 7891e12c5ec14b16979f94da0c27ac4629bae45e31d9d1f58be300c4b2bbaee6c77585e534be531367f16826ecbaf8ec70fc13a02beaf36473c448248e4eb911 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\trusted_vault.pb
| MD5 | 3433ccf3e03fc35b634cd0627833b0ad |
| SHA1 | 789a43382e88905d6eb739ada3a8ba8c479ede02 |
| SHA256 | f7d5893372edaa08377cb270a99842a9c758b447b7b57c52a7b1158c0c202e6d |
| SHA512 | 21a29f0ef89fec310701dcad191ea4ab670edc0fc161496f7542f707b5b9ce619eb8b709a52073052b0f705d657e03a45be7560c80909e92ae7d5939ce688e9c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
| MD5 | da75bb05d10acc967eecaac040d3d733 |
| SHA1 | 95c08e067df713af8992db113f7e9aec84f17181 |
| SHA256 | 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2 |
| SHA512 | 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef |
C:\Users\Admin\AppData\Local\Temp\4c54d183-862c-4b2b-86dc-a58613f82342.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir5484_394602597\CRX_INSTALL\_locales\en_CA\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 831211caf15e3d5f4681015288a53ac9 |
| SHA1 | d311e8533f470a46efd0384fe7ef015c4f9c9165 |
| SHA256 | 5c394d79e31c923a29a43b751dd0a78d5a66ad43190b5a1019e97dcdb56e7b04 |
| SHA512 | f974f0962c28437c39e8dfb297a79d77d8c95e26b5cfbad02cb357cc9215f4351ceb4d8a02e7f562dd55bf03cd478c64644aae6cc1dc7962768996a6a3fc6507 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b7f1d4ee4861901e9d957bb153c3350a |
| SHA1 | 38b3335c66059bd0fc3d68cf5a6331034471670f |
| SHA256 | 716d682824d3b7b983513d3881d911e8e5b15b3310ef369f672dda764082abd2 |
| SHA512 | 3a5cb90c83409d789c628a1f49eaa038a095f64235ed0971489fd864055f8eeee0c7c9a1df280889df6ec66795540b9999c7d1db6ddce13d6bd8146797020d2e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 10657a93c6fb3dd13532252e2c635362 |
| SHA1 | c6b47c43380af592d3bb39400e3a50a103edeb7c |
| SHA256 | e944c55c7bdb68da2827d4a59ae877f84ebb74c59bb4bbe64bb50301019bc63f |
| SHA512 | fdc8273e06b1cffa53c6fc41a13360e4b205a7b4bb2c9da0e75a9064934b38a0cef5ca64fa220ba9335bfb409b69f25fcb4fd8752c1263d79ee6eb801f0e9276 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 6689447f96da8122312350b45a717d9a |
| SHA1 | 92a9eac89d2478f278766325755ac2f430df0a97 |
| SHA256 | 40edaba89f8fc847d0c2ef21097314618fe563b5bce94bac61e0a490dd6e7727 |
| SHA512 | cbe102d6f297b61733e0f3f808a8099e6a41edc6c36c88a60cf17e787e4f528593f1f267586050416269a93aecb9382e561ac5367cf8ab99681d54433dca6467 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | fda604a6335c7449251959f4737093b0 |
| SHA1 | b3b1fa25b0270dbad138382d08ebefb108fc1ade |
| SHA256 | 638fbfbbccdc0ad034c21e2263edd9a53d0ac7ba90250e2a918d6eb1a2e6a1dd |
| SHA512 | 9dad51d6ec6ff80f682cb4db025be8119876358de630d9175c9208c2e3bd3dc2920aba1d6ed3ba67f6da7ac6022ec8e8316d3e95e30c70f320dc27b171d0ba9a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 599e56156072a314ab60ab3ff096f2e9 |
| SHA1 | 38273d0e1ba3dad916dca3c9ed5c6d2c428fe98e |
| SHA256 | e95e96de28990f073567aadc21709403ee99e33d2414d1385abd7872239442d7 |
| SHA512 | e6db77b54b6a87ff7768f8956bce74fe7210794a96b156e2107ca72df2a2f8798907f348ad6b964349b68d3fca38b1f637f84502d76cb17995b711737dac137b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | c62476327fcf8e0d6b5d33bc84ac2da6 |
| SHA1 | bdaec9b4aa3ae3c59003cb9b7a61811c748116b4 |
| SHA256 | 33c71db42ed2ac0dd328b87f0095bf85f04f787bfc89595399b1c4c8df740b30 |
| SHA512 | 52988a7fde569ca5df3252e4e46ec696f244da46ce3ef8661dd3fb00597ebf2b76e97e6de4f1d2ed602b99b02ffdfa8126881d80af738cbe93a9ac0b5214e29b |
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b60f627aa47266ce70e04507af7cbaeb |
| SHA1 | 21bbb8dd5a90f86126b8fce22660d7742f1e8c95 |
| SHA256 | 6a8d3b9ceb68a1bbda6c776b79cf0386ba92cd1980b371de1f03b7c18a56758e |
| SHA512 | bba50e307ccad56bced7658a8a3fe61f8b3b6cf6eb342ed37bdceaf71a8db10124be2ed1b502aaffa057f6760f036abcde8eb53661d808cc8e999fab38f0490c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | fdcc9a0a3a0ddbdd42216550affb60a0 |
| SHA1 | 7d7f26c9641719c9928e241aacea1aa22151e0dc |
| SHA256 | 41583e574c37d3012e6ae9fac737c1b1ed58999af41c6cbd4823209ac6fa6c5c |
| SHA512 | 2bff0efee1cb2bd6d7717083e0cf6fdf9c76010e9d4b006b007eebf1a2d1a2795b2ffa21df708defcb6f7e92d9bcfa8f6900b035243a1c39a69bfb0b7f78e5f2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5f62d835be98b4562e9b2d43ecc6d234 |
| SHA1 | 9d5f5961630772a3232ec57a29e8a564ea3c88d3 |
| SHA256 | e431f37adbbacd903a1195d77927bef761ecd3a70ba7db212f97b57412ac9879 |
| SHA512 | 9552891fdde2b76073cff74d8d9cc4519ec5517df066fbd32c61cd3912cc3f7d036039ff00dbafd14426e1e960ee92d25ce656a6530ed0e022725a4066fd8f51 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 125e868d56e6d7694ed9557a358683fc |
| SHA1 | dea919dec9e35054e91ff14ef8d8713064a4c271 |
| SHA256 | ab3eb4e8e4837b2a3a39ba42b9217c419fe62434ad4f0744de35be33879cb7ef |
| SHA512 | 08dfda0a530a2c12dc415a4f06d0b8adde57297ee353eae2f596a399fac50c55ae18d0593039fbc778876199a00c24af39dfde23a1ae332d8a046fa919a6f62d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | fbae348a7e3f2c6a48c1c5e1dd708d27 |
| SHA1 | c0a9eeeebd09bb85c381bd6eab1a9bb808d2b843 |
| SHA256 | 7b77c749aaab781b3808a78481addd6abf91c434d3b02e5737383b2a6385a47a |
| SHA512 | c77f8c744df7abbeca36a2bd56f7c78ca45d45336f6ebaf0d0911f86fb8c0efd43d918c5261246f1b482360924c1edcc2f762f3e3c29c2cf7092c650a1c29729 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnWebGPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |