Malware Analysis Report

2024-11-13 18:04

Sample ID 241108-qbv65ssgpc
Target Oneclick-V6.7.bat
SHA256 b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
Tags defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f

Threat Level: Known bad

The file Oneclick-V6.7.bat was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan

Modifies security service

UAC bypass

Modifies visibility of file extensions in Explorer

Disables service(s)

Modifies boot configuration data using bcdedit

Stops running service(s)

Downloads MZ/PE file

Boot or Logon Autostart Execution: Active Setup

Possible privilege escalation attempt

Command and Scripting Interpreter: PowerShell

Modifies file permissions

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Power Settings

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Enumerates connected drives

Adds Run key to start application

Indicator Removal: File Deletion

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Hide Artifacts: Ignore Process Interrupts

Drops file in Windows directory

Launches sc.exe

Browser Information Discovery

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Modifies Control Panel

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Checks SCSI registry key(s)

Kills process with taskkill

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies data under HKEY_USERS

Delays execution with timeout.exe

System policy modification

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Checks processor information in registry

Disables Windows logging functionality

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-08 13:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 13:05

Reported

2024-11-08 13:11

Platform

win11-20241007-en

Max time kernel

231s

Max time network

332s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"

Signatures

Disables service(s)

evasion execution

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\system32\reg.exe N/A

Modifies visibility of file extensions in Explorer

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\uejf7w C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\k: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\t: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\j: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\n: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\q: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\m: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\a: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\r: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\w: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\y: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\z: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\i: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\s: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\v: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\b: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\o: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\p: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\u: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\l: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\x: C:\Windows\system32\SearchIndexer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A

Power Settings

persistence

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SRU\SRU.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.jfm C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d0f9719f-3c53-47e6-bd0b-43e20030a528}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.log C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{d0f9719f-3c53-47e6-bd0b-43e20030a528}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1537126222-899333903-2037027349-1000_StartupInfo3.xml C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1537126222-899333903-2037027349-1000_UserData.bin C:\Windows\System32\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\ C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\ C:\Windows\system32\svchost.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SystemTemp C:\Program Files\Google\Chrome\Application\chrome.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-System.dat C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-1537126222-899333903-2037027349-1000.dat C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-FontSet-S-1-5-21-1537126222-899333903-2037027349-1000.dat C:\Windows\system32\svchost.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
(the row above is repeated for 52 separate timeout.exe invocations, none with an indicator or target recorded; a further 12 rows in this table show N/A in every column)

Disables Windows logging functionality

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
(the row above is repeated for 8 separate taskkill.exe invocations, none with an indicator or target recorded; a further 5 rows in this table show N/A in every column)

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000339b8429df31db01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\ConfigExpiration = "133761496324011480" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\FontSetGeneration = "3" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdf79d27df31db01 C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tiff\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012038726df31db01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tif C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f7de527df31db01 C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b965a28df31db01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb949b27df31db01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2TS\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6c6aa26df31db01 C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.raw C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ico\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\SearchProtocolHost.exe N/A
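
Each signature table in this report is flattened to one row per line in the column order Description, Indicator, Process, Target. Splitting such rows on whitespace does not work: the Indicator column itself contains spaces and, in the MuiCache rows above, a resource path such as @C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" sits right before the real process path, while process paths such as C:\Oneclick Tools\OOShutup10\OOSU10.exe contain spaces too. The Python below is an added worked example and is not part of the sandbox output or its tooling: it takes the last drive-letter path on a row as the process and the final token as the target, groups rows under their signature heading and tag line, and counts (signature, process) pairs, which collapses runs of identical rows (the timeout.exe and taskkill.exe tables) into one line each. SAMPLE is a constructed excerpt made from rows copied from the tables above.

```python
import re
from collections import Counter

HEADER = "Description Indicator Process Target"
# Description vocabulary used by the tables in this report; N/A marks rows the
# sandbox left empty.
DESC_RE = re.compile(r"^(Key (?:opened|created|value queried)|Set value \(\w+\)|N/A)\s*")
DRIVE_RE = re.compile(r"[A-Z]:\\")

# Constructed sample: rows copied from the tables above, cut down to a handful.
SAMPLE = r"""
Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A

Disables Windows logging functionality

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\System32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
"""


def parse_row(line: str) -> dict:
    """Split one flattened row into its four columns.

    The Indicator column may contain spaces and even drive-letter paths (the
    MuiCache rows carry an '@C:' resource path before the real process), so
    the Process is taken as the LAST drive-letter path on the line and the
    Target as the final whitespace-separated token.
    """
    body, _, target = line.strip().rpartition(" ")
    if body.endswith("N/A"):                       # no process recorded
        process, body = "N/A", body[:-3].rstrip()
    else:
        starts = [m.start() for m in DRIVE_RE.finditer(body)]
        if not starts:
            raise ValueError(f"no process path in row: {line!r}")
        process, body = body[starts[-1]:], body[:starts[-1]].rstrip()
    m = DESC_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised description in row: {line!r}")
    return {
        "description": m.group(1),
        "indicator": body[m.end():].strip() or "N/A",
        "process": process,
        "target": target,
    }


def parse_signatures(text: str) -> dict:
    """Group rows under their signature heading: {name: {"tags": [...], "rows": [...]}}.

    A blank line ends a table. The next non-blank line is either a tag line
    (all lower case, e.g. 'evasion' or 'adware spyware'), the column header,
    or a new signature heading. Headings with no table (e.g. 'Disables Windows
    logging functionality') are kept with an empty row list.
    """
    sections: dict = {}
    current = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_table = False
        elif line == HEADER:
            in_table = True
        elif in_table and current is not None:
            sections[current]["rows"].append(parse_row(line))
        elif current is not None and not sections[current]["rows"] and line.islower():
            sections[current]["tags"].extend(line.split())
        else:
            current = line
            sections[current] = {"tags": [], "rows": []}
    return sections


def summarize(sections: dict) -> Counter:
    """Count (signature, process) pairs so repeated identical rows collapse."""
    counts: Counter = Counter()
    for name, sec in sections.items():
        for row in sec["rows"]:
            counts[(name, row["process"])] += 1
    return counts


if __name__ == "__main__":
    for (name, process), n in sorted(summarize(parse_signatures(SAMPLE)).items()):
        print(f"{n:3d}  {name:40s}  {process}")
```

Feed the whole report body to parse_signatures and the summary shows at a glance which process carried which signature (for this sample: OOSU10.exe behind the Control Panel and Edge settings changes, reg.exe behind the Keyboard and CLSID writes, SearchProtocolHost.exe behind the bulk of the HKEY_USERS noise), which is the first separation a triage analyst needs between the sample's own actions and indexing or shell activity the sandbox also recorded.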

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14734" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 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 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1537126222-899333903-2037027349-1000\{1A68A3F0-A084-48D6-AAFF-9A12CB6DF959} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "1000" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "967" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\EnableCortana = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14767" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoftwindows.client.cbs C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a00410062006700200066007600740061007200710020007600610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030de99adb018db01000000000000000000000000420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "967" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" C:\Windows\system32\reg.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "1000" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\AllUsers\{93C2563A-6DA3-4254-92F0-AC1AFFA92A34} C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FPEnabled = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ShowSearchSuggestionsGlobal = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\client.cbs C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727759429371813" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory\ = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DoNotTrack = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4952 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe
PID 4952 wrote to memory of 3612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe
PID 4952 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4952 wrote to memory of 936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4952 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 3568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4952 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4952 wrote to memory of 1228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 1228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4952 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4952 wrote to memory of 2040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4952 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4952 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 5092 wrote to memory of 3896 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 5092 wrote to memory of 3896 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4952 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4952 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4952 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 4952 wrote to memory of 1376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tar.exe
PID 4952 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 2504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 4224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 1404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4952 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 4852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 1964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 4704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 2192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4952 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4952 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V6.7.bat"

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\sc.exe

sc query "WinDefend"

C:\Windows\system32\find.exe

find "STATE"

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc qc "TrustedInstaller"

C:\Windows\system32\find.exe

find "START_TYPE"

C:\Windows\system32\find.exe

find "DISABLED"

C:\Windows\system32\sc.exe

sc config TrustedInstaller start=auto

C:\Windows\system32\net.exe

net start TrustedInstaller

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TrustedInstaller

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding

C:\Windows\system32\curl.exe

curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\tar.exe

tar -xf "C:\\Oneclick Tools.zip" --strip-components=1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f

C:\Windows\system32\powercfg.exe

powercfg.exe /hibernate off

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config HomeGroupListener start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupProvider start=demand

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config AJRouter start=disabled

C:\Windows\system32\sc.exe

sc config ALG start=demand

C:\Windows\system32\sc.exe

sc config AppIDSvc start=demand

C:\Windows\system32\sc.exe

sc config AppMgmt start=demand

C:\Windows\system32\sc.exe

sc config AppReadiness start=demand

C:\Windows\system32\sc.exe

sc config AppVClient start=disabled

C:\Windows\system32\sc.exe

sc config AppXSvc start=demand

C:\Windows\system32\sc.exe

sc config Appinfo start=demand

C:\Windows\system32\sc.exe

sc config AssignedAccessManagerSvc start=disabled

C:\Windows\system32\sc.exe

sc config AudioEndpointBuilder start=auto

C:\Windows\system32\sc.exe

sc config AudioSrv start=auto

C:\Windows\system32\sc.exe

sc config Audiosrv start=auto

C:\Windows\system32\sc.exe

sc config AxInstSV start=demand

C:\Windows\system32\sc.exe

sc config BDESVC start=demand

C:\Windows\system32\sc.exe

sc config BFE start=auto

C:\Windows\system32\sc.exe

sc config BITS start=delayed-auto

C:\Windows\system32\sc.exe

sc config BTAGService start=demand

C:\Windows\system32\sc.exe

sc config BcastDVRUserService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config BluetoothUserService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config BrokerInfrastructure start=auto

C:\Windows\system32\sc.exe

sc config Browser start=demand

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start=auto

C:\Windows\system32\sc.exe

sc config BthHFSrv start=auto

C:\Windows\system32\sc.exe

sc config CDPSvc start=demand

C:\Windows\system32\sc.exe

sc config CDPUserSvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config COMSysApp start=demand

C:\Windows\system32\sc.exe

sc config CaptureService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CertPropSvc start=demand

C:\Windows\system32\sc.exe

sc config ClipSVC start=demand

C:\Windows\system32\sc.exe

sc config ConsentUxUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CoreMessagingRegistrar start=auto

C:\Windows\system32\sc.exe

sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CryptSvc start=auto

C:\Windows\system32\sc.exe

sc config CscService start=demand

C:\Windows\system32\sc.exe

sc config DPS start=auto

C:\Windows\system32\sc.exe

sc config DcomLaunch start=auto

C:\Windows\system32\sc.exe

sc config DcpSvc start=demand

C:\Windows\system32\sc.exe

sc config DevQueryBroker start=demand

C:\Windows\system32\sc.exe

sc config DeviceAssociationBrokerSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config DeviceAssociationService start=demand

C:\Windows\system32\sc.exe

sc config DeviceInstall start=demand

C:\Windows\system32\sc.exe

sc config DevicePickerUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config Dhcp start=auto

C:\Windows\system32\sc.exe

sc config DiagTrack start=disabled

C:\Windows\system32\sc.exe

sc config DialogBlockingService start=disabled

C:\Windows\system32\sc.exe

sc config DispBrokerDesktopSvc start=auto

C:\Windows\system32\sc.exe

sc config DisplayEnhancementService start=demand

C:\Windows\system32\sc.exe

sc config DmEnrollmentSvc start=demand

C:\Windows\system32\sc.exe

sc config Dnscache start=auto

C:\Windows\system32\sc.exe

sc config DoSvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config DsSvc start=demand

C:\Windows\system32\sc.exe

sc config DsmSvc start=demand

C:\Windows\system32\sc.exe

sc config DusmSvc start=auto

C:\Windows\system32\sc.exe

sc config EFS start=demand

C:\Windows\system32\sc.exe

sc config EapHost start=demand

C:\Windows\system32\sc.exe

sc config EntAppSvc start=demand

C:\Windows\system32\sc.exe

sc config EventLog start=auto

C:\Windows\system32\sc.exe

sc config EventSystem start=auto

C:\Windows\system32\sc.exe

sc config FDResPub start=demand

C:\Windows\system32\sc.exe

sc config Fax start=demand

C:\Windows\system32\sc.exe

sc config FontCache start=auto

C:\Windows\system32\sc.exe

sc config FrameServer start=demand

C:\Windows\system32\sc.exe

sc config FrameServerMonitor start=demand

C:\Windows\system32\sc.exe

sc config GraphicsPerfSvc start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupListener start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupProvider start=demand

C:\Windows\system32\sc.exe

sc config HvHost start=demand

C:\Windows\system32\sc.exe

sc config IEEtwCollectorService start=demand

C:\Windows\system32\sc.exe

sc config IKEEXT start=demand

C:\Windows\system32\sc.exe

sc config InstallService start=demand

C:\Windows\system32\sc.exe

sc config InventorySvc start=demand

C:\Windows\system32\sc.exe

sc config IpxlatCfgSvc start=demand

C:\Windows\system32\sc.exe

sc config KeyIso start=auto

C:\Windows\system32\sc.exe

sc config KtmRm start=demand

C:\Windows\system32\sc.exe

sc config LSM start=auto

C:\Windows\system32\sc.exe

sc config LanmanServer start=auto

C:\Windows\system32\sc.exe

sc config LanmanWorkstation start=auto

C:\Windows\system32\sc.exe

sc config LicenseManager start=demand

C:\Windows\system32\sc.exe

sc config LxpSvc start=demand

C:\Windows\system32\sc.exe

sc config MSDTC start=demand

C:\Windows\system32\sc.exe

sc config MSiSCSI start=demand

C:\Windows\system32\sc.exe

sc config MapsBroker start=delayed-auto

C:\Windows\system32\sc.exe

sc config McpManagementService start=demand

C:\Windows\system32\sc.exe

sc config MessagingService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config MicrosoftEdgeElevationService start=demand

C:\Windows\system32\sc.exe

sc config MixedRealityOpenXRSvc start=demand

C:\Windows\system32\sc.exe

sc config MpsSvc start=auto

C:\Windows\system32\sc.exe

sc config MsKeyboardFilter start=demand

C:\Windows\system32\sc.exe

sc config NPSMSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config NaturalAuthentication start=demand

C:\Windows\system32\sc.exe

sc config NcaSvc start=demand

C:\Windows\system32\sc.exe

sc config NcbService start=demand

C:\Windows\system32\sc.exe

sc config NcdAutoSetup start=demand

C:\Windows\system32\sc.exe

sc config NetSetupSvc start=demand

C:\Windows\system32\sc.exe

sc config NetTcpPortSharing start=disabled

C:\Windows\system32\sc.exe

sc config Netlogon start=demand

C:\Windows\system32\sc.exe

sc config Netman start=demand

C:\Windows\system32\sc.exe

sc config NgcCtnrSvc start=demand

C:\Windows\system32\sc.exe

sc config NgcSvc start=demand

C:\Windows\system32\sc.exe

sc config NlaSvc start=demand

C:\Windows\system32\sc.exe

sc config OneSyncSvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config P9RdrService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PNRPAutoReg start=demand

C:\Windows\system32\sc.exe

sc config PNRPsvc start=demand

C:\Windows\system32\sc.exe

sc config PcaSvc start=demand

C:\Windows\system32\sc.exe

sc config PeerDistSvc start=demand

C:\Windows\system32\sc.exe

sc config PenService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PerfHost start=demand

C:\Windows\system32\sc.exe

sc config PhoneSvc start=demand

C:\Windows\system32\sc.exe

sc config PimIndexMaintenanceSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PlugPlay start=demand

C:\Windows\system32\sc.exe

sc config PolicyAgent start=demand

C:\Windows\system32\sc.exe

sc config Power start=auto

C:\Windows\system32\sc.exe

sc config PrintNotify start=demand

C:\Windows\system32\sc.exe

sc config PrintWorkflowUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config ProfSvc start=auto

C:\Windows\system32\sc.exe

sc config PushToInstall start=demand

C:\Windows\system32\sc.exe

sc config QWAVE start=demand

C:\Windows\system32\sc.exe

sc config RasAuto start=demand

C:\Windows\system32\sc.exe

sc config RasMan start=demand

C:\Windows\system32\sc.exe

sc config RemoteAccess start=disabled

C:\Windows\system32\sc.exe

sc config RemoteRegistry start=disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=demand

C:\Windows\system32\sc.exe

sc config RmSvc start=demand

C:\Windows\system32\sc.exe

sc config RpcEptMapper start=auto

C:\Windows\system32\sc.exe

sc config RpcLocator start=demand

C:\Windows\system32\sc.exe

sc config RpcSs start=auto

C:\Windows\system32\sc.exe

sc config SCPolicySvc start=demand

C:\Windows\system32\sc.exe

sc config SCardSvr start=demand

C:\Windows\system32\sc.exe

sc config SDRSVC start=demand

C:\Windows\system32\sc.exe

sc config SEMgrSvc start=demand

C:\Windows\system32\sc.exe

sc config SENS start=auto

C:\Windows\system32\sc.exe

sc config SNMPTRAP start=demand

C:\Windows\system32\sc.exe

sc config SNMPTrap start=demand

C:\Windows\system32\sc.exe

sc config SSDPSRV start=demand

C:\Windows\system32\sc.exe

sc config SamSs start=auto

C:\Windows\system32\sc.exe

sc config ScDeviceEnum start=demand

C:\Windows\system32\sc.exe

sc config Schedule start=auto

C:\Windows\system32\sc.exe

sc config SecurityHealthService start=demand

C:\Windows\system32\sc.exe

sc config Sense start=demand

C:\Windows\system32\sc.exe

sc config SensorDataService start=demand

C:\Windows\system32\sc.exe

sc config SensorService start=demand

C:\Windows\system32\sc.exe

sc config SensrSvc start=demand

C:\Windows\system32\sc.exe

sc config SessionEnv start=demand

C:\Windows\system32\sc.exe

sc config SgrmBroker start=auto

C:\Windows\system32\sc.exe

sc config SharedAccess start=demand

C:\Windows\system32\sc.exe

sc config SharedRealitySvc start=demand

C:\Windows\system32\sc.exe

sc config ShellHWDetection start=auto

C:\Windows\system32\sc.exe

sc config SmsRouter start=demand

C:\Windows\system32\sc.exe

sc config Spooler start=auto

C:\Windows\system32\sc.exe

sc config SstpSvc start=demand

C:\Windows\system32\sc.exe

sc config StateRepository start=demand

C:\Windows\system32\sc.exe

sc config StiSvc start=demand

C:\Windows\system32\sc.exe

sc config StorSvc start=demand

C:\Windows\system32\sc.exe

sc config SysMain start=auto

C:\Windows\system32\sc.exe

sc config SystemEventsBroker start=auto

C:\Windows\system32\sc.exe

sc config TabletInputService start=demand

C:\Windows\system32\sc.exe

sc config TapiSrv start=demand

C:\Windows\system32\sc.exe

sc config TermService start=auto

C:\Windows\system32\sc.exe

sc config TextInputManagementService start=demand

C:\Windows\system32\sc.exe

sc config Themes start=auto

C:\Windows\system32\sc.exe

sc config TieringEngineService start=demand

C:\Windows\system32\sc.exe

sc config TimeBroker start=demand

C:\Windows\system32\sc.exe

sc config TimeBrokerSvc start=demand

C:\Windows\system32\sc.exe

sc config TokenBroker start=demand

C:\Windows\system32\sc.exe

sc config TrkWks start=auto

C:\Windows\system32\sc.exe

sc config TroubleshootingSvc start=demand

C:\Windows\system32\sc.exe

sc config TrustedInstaller start=demand

C:\Windows\system32\sc.exe

sc config UI0Detect start=demand

C:\Windows\system32\sc.exe

sc config UdkUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UevAgentService start=disabled

C:\Windows\system32\sc.exe

sc config UmRdpService start=demand

C:\Windows\system32\sc.exe

sc config UnistoreSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UserDataSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UserManager start=auto

C:\Windows\system32\sc.exe

sc config UsoSvc start=demand

C:\Windows\system32\sc.exe

sc config VGAuthService start=auto

C:\Windows\system32\sc.exe

sc config VMTools start=auto

C:\Windows\system32\sc.exe

sc config VSS start=demand

C:\Windows\system32\sc.exe

sc config VacSvc start=demand

C:\Windows\system32\sc.exe

sc config VaultSvc start=auto

C:\Windows\system32\sc.exe

sc config W32Time start=demand

C:\Windows\system32\sc.exe

sc config WEPHOSTSVC start=demand

C:\Windows\system32\sc.exe

sc config WFDSConMgrSvc start=demand

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start=demand

C:\Windows\system32\sc.exe

sc config WManSvc start=demand

C:\Windows\system32\sc.exe

sc config WPDBusEnum start=demand

C:\Windows\system32\sc.exe

sc config WSService start=demand

C:\Windows\system32\sc.exe

sc config WSearch start=delayed-auto

C:\Windows\system32\sc.exe

sc config WaaSMedicSvc start=demand

C:\Windows\system32\sc.exe

sc config WalletService start=demand

C:\Windows\system32\sc.exe

sc config WarpJITSvc start=demand

C:\Windows\system32\sc.exe

sc config WbioSrvc start=demand

C:\Windows\system32\sc.exe

sc config Wcmsvc start=auto

C:\Windows\system32\sc.exe

sc config WcsPlugInService start=demand

C:\Windows\system32\sc.exe

sc config WdNisSvc start=demand

C:\Windows\system32\sc.exe

sc config WdiServiceHost start=demand

C:\Windows\system32\sc.exe

sc config WdiSystemHost start=demand

C:\Windows\system32\sc.exe

sc config WebClient start=demand

C:\Windows\system32\sc.exe

sc config Wecsvc start=demand

C:\Windows\system32\sc.exe

sc config WerSvc start=demand

C:\Windows\system32\sc.exe

sc config WiaRpc start=demand

C:\Windows\system32\sc.exe

sc config WinDefend start=auto

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start=demand

C:\Windows\system32\sc.exe

sc config WinRM start=demand

C:\Windows\system32\sc.exe

sc config Winmgmt start=auto

C:\Windows\system32\sc.exe

sc config WlanSvc start=auto

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=demand

C:\Windows\system32\sc.exe

sc config WpnService start=demand

C:\Windows\system32\sc.exe

sc config WpnUserService_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config WwanSvc start=demand

C:\Windows\system32\sc.exe

sc config XblAuthManager start=demand

C:\Windows\system32\sc.exe

sc config XblGameSave start=demand

C:\Windows\system32\sc.exe

sc config XboxGipSvc start=demand

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start=demand

C:\Windows\system32\sc.exe

sc config autotimesvc start=demand

C:\Windows\system32\sc.exe

sc config bthserv start=demand

C:\Windows\system32\sc.exe

sc config camsvc start=demand

C:\Windows\system32\sc.exe

sc config cbdhsvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config cloudidsvc start=demand

C:\Windows\system32\sc.exe

sc config dcsvc start=demand

C:\Windows\system32\sc.exe

sc config defragsvc start=demand

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start=demand

C:\Windows\system32\sc.exe

sc config diagsvc start=demand

C:\Windows\system32\sc.exe

sc config dmwappushservice start=demand

C:\Windows\system32\sc.exe

sc config dot3svc start=demand

C:\Windows\system32\sc.exe

sc config edgeupdate start=demand

C:\Windows\system32\sc.exe

sc config edgeupdatem start=demand

C:\Windows\system32\sc.exe

sc config embeddedmode start=demand

C:\Windows\system32\sc.exe

sc config fdPHost start=demand

C:\Windows\system32\sc.exe

sc config fhsvc start=demand

C:\Windows\system32\sc.exe

sc config gpsvc start=auto

C:\Windows\system32\sc.exe

sc config hidserv start=demand

C:\Windows\system32\sc.exe

sc config icssvc start=demand

C:\Windows\system32\sc.exe

sc config iphlpsvc start=auto

C:\Windows\system32\sc.exe

sc config lfsvc start=demand

C:\Windows\system32\sc.exe

sc config lltdsvc start=demand

C:\Windows\system32\sc.exe

sc config lmhosts start=demand

C:\Windows\system32\sc.exe

sc config mpssvc start=auto

C:\Windows\system32\sc.exe

sc config msiserver start=demand

C:\Windows\system32\sc.exe

sc config netprofm start=demand

C:\Windows\system32\sc.exe

sc config nsi start=auto

C:\Windows\system32\sc.exe

sc config p2pimsvc start=demand

C:\Windows\system32\sc.exe

sc config p2psvc start=demand

C:\Windows\system32\sc.exe

sc config perceptionsimulation start=demand

C:\Windows\system32\sc.exe

sc config pla start=demand

C:\Windows\system32\sc.exe

sc config seclogon start=demand

C:\Windows\system32\sc.exe

sc config shpamsvc start=disabled

C:\Windows\system32\sc.exe

sc config smphost start=demand

C:\Windows\system32\sc.exe

sc config spectrum start=demand

C:\Windows\system32\sc.exe

sc config sppsvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config ssh-agent start=disabled

C:\Windows\system32\sc.exe

sc config svsvc start=demand

C:\Windows\system32\sc.exe

sc config swprv start=demand

C:\Windows\system32\sc.exe

sc config tiledatamodelsvc start=auto

C:\Windows\system32\sc.exe

sc config tzautoupdate start=disabled

C:\Windows\system32\sc.exe

sc config uhssvc start=disabled

C:\Windows\system32\sc.exe

sc config upnphost start=demand

C:\Windows\system32\sc.exe

sc config vds start=demand

C:\Windows\system32\sc.exe

sc config vm3dservice start=demand

C:\Windows\system32\sc.exe

sc config vmicguestinterface start=demand

C:\Windows\system32\sc.exe

sc config vmicheartbeat start=demand

C:\Windows\system32\sc.exe

sc config vmickvpexchange start=demand

C:\Windows\system32\sc.exe

sc config vmicrdv start=demand

C:\Windows\system32\sc.exe

sc config vmicshutdown start=demand

C:\Windows\system32\sc.exe

sc config vmictimesync start=demand

C:\Windows\system32\sc.exe

sc config vmicvmsession start=demand

C:\Windows\system32\sc.exe

sc config vmicvss start=demand

C:\Windows\system32\sc.exe

sc config vmvss start=demand

C:\Windows\system32\sc.exe

sc config wbengine start=demand

C:\Windows\system32\sc.exe

sc config wcncsvc start=demand

C:\Windows\system32\sc.exe

sc config webthreatdefsvc start=demand

C:\Windows\system32\sc.exe

sc config webthreatdefusersvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config wercplsupport start=demand

C:\Windows\system32\sc.exe

sc config wisvc start=demand

C:\Windows\system32\sc.exe

sc config wlidsvc start=demand

C:\Windows\system32\sc.exe

sc config wlpasvc start=demand

C:\Windows\system32\sc.exe

sc config wmiApSrv start=demand

C:\Windows\system32\sc.exe

sc config workfolderssvc start=demand

C:\Windows\system32\sc.exe

sc config wscsvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config wuauserv start=demand

C:\Windows\system32\sc.exe

sc config wudfsvc start=demand

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootmenupolicy Legacy

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild

C:\Windows\system32\findstr.exe

findstr /r /c:"CurrentBuild"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"

C:\Windows\system32\Taskmgr.exe

"C:\Windows\system32\Taskmgr.exe"

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences

C:\Windows\system32\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\curl.exe

curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\System32\SearchProtocolHost.exe

"C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 824 2816 2808 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 824 2876 2872 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}

C:\Windows\system32\curl.exe

curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"

C:\Oneclick Tools\OOShutup10\OOSU10.exe

"C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\sc.exe

sc config wlidsvc start= disabled

C:\Windows\system32\sc.exe

sc config DisplayEnhancementService start= disabled

C:\Windows\system32\sc.exe

sc config DiagTrack start= disabled

C:\Windows\system32\sc.exe

sc config DusmSvc start= disabled

C:\Windows\system32\sc.exe

sc config TabletInputService start= disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start= disabled

C:\Windows\system32\sc.exe

sc config Fax start= disabled

C:\Windows\system32\sc.exe

sc config SharedAccess start= disabled

C:\Windows\system32\sc.exe

sc config lfsvc start= disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start= disabled

C:\Windows\system32\sc.exe

sc config SessionEnv start= disabled

C:\Windows\system32\sc.exe

sc config MicrosoftEdgeElevationService start= disabled

C:\Windows\system32\sc.exe

sc config edgeupdate start= disabled

C:\Windows\system32\sc.exe

sc config edgeupdatem start= disabled

C:\Windows\system32\sc.exe

sc config autotimesvc start= disabled

C:\Windows\system32\sc.exe

sc config CscService start= disabled

C:\Windows\system32\sc.exe

sc config TermService start= disabled

C:\Windows\system32\sc.exe

sc config SensorDataService start= disabled

C:\Windows\system32\sc.exe

sc config SensorService start= disabled

C:\Windows\system32\sc.exe

sc config SensrSvc start= disabled

C:\Windows\system32\sc.exe

sc config shpamsvc start= disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start= disabled

C:\Windows\system32\sc.exe

sc config PhoneSvc start= disabled

C:\Windows\system32\sc.exe

sc config TapiSrv start= disabled

C:\Windows\system32\sc.exe

sc config UevAgentService start= disabled

C:\Windows\system32\sc.exe

sc config WalletService start= disabled

C:\Windows\system32\sc.exe

sc config TokenBroker start= disabled

C:\Windows\system32\sc.exe

sc config WebClient start= disabled

C:\Windows\system32\sc.exe

sc config MixedRealityOpenXRSvc start= disabled

C:\Windows\system32\sc.exe

sc config stisvc start= disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start= disabled

C:\Windows\system32\sc.exe

sc config icssvc start= disabled

C:\Windows\system32\sc.exe

sc config Wecsvc start= disabled

C:\Windows\system32\sc.exe

sc config XboxGipSvc start= disabled

C:\Windows\system32\sc.exe

sc config XblAuthManager start= disabled

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start= disabled

C:\Windows\system32\sc.exe

sc config XblGameSave start= disabled

C:\Windows\system32\sc.exe

sc config SEMgrSvc start= disabled

C:\Windows\system32\sc.exe

sc config iphlpsvc start= disabled

C:\Windows\system32\sc.exe

sc config Backupper Service start= disabled

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start= disabled

C:\Windows\system32\sc.exe

sc config BDESVC start= disabled

C:\Windows\system32\sc.exe

sc config cbdhsvc start= disabled

C:\Windows\system32\sc.exe

sc config CDPSvc start= disabled

C:\Windows\system32\sc.exe

sc config CDPUserSvc start= disabled

C:\Windows\system32\sc.exe

sc config DevQueryBroker start= disabled

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc start= disabled

C:\Windows\system32\sc.exe

sc config dmwappushservice start= disabled

C:\Windows\system32\sc.exe

sc config DispBrokerDesktopSvc start= disabled

C:\Windows\system32\sc.exe

sc config TrkWks start= disabled

C:\Windows\system32\sc.exe

sc config dLauncherLoopback start= disabled

C:\Windows\system32\sc.exe

sc config EFS start= disabled

C:\Windows\system32\sc.exe

sc config fdPHost start= disabled

C:\Windows\system32\sc.exe

sc config FDResPub start= disabled

C:\Windows\system32\sc.exe

sc config IKEEXT start= disabled

C:\Windows\system32\sc.exe

sc config NPSMSvc start= disabled

C:\Windows\system32\sc.exe

sc config WPDBusEnum start= disabled

C:\Windows\system32\sc.exe

sc config PcaSvc start= disabled

C:\Windows\system32\sc.exe

sc config RasMan start= disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start=disabled

C:\Windows\system32\sc.exe

sc config ShellHWDetection start= disabled

C:\Windows\system32\sc.exe

sc config SSDPSRV start= disabled

C:\Windows\system32\sc.exe

sc config SysMain start= disabled

C:\Windows\system32\sc.exe

sc config OneSyncSvc start= disabled

C:\Windows\system32\sc.exe

sc config lmhosts start= disabled

C:\Windows\system32\sc.exe

sc config UserDataSvc start= disabled

C:\Windows\system32\sc.exe

sc config UnistoreSvc start= disabled

C:\Windows\system32\sc.exe

sc config Wcmsvc start= disabled

C:\Windows\system32\sc.exe

sc config FontCache start= disabled

C:\Windows\system32\sc.exe

sc config W32Time start= disabled

C:\Windows\system32\sc.exe

sc config tzautoupdate start= disabled

C:\Windows\system32\sc.exe

sc config DsSvc start= disabled

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config diagsvc start= disabled

C:\Windows\system32\sc.exe

sc config DialogBlockingService start= disabled

C:\Windows\system32\sc.exe

sc config PimIndexMaintenanceSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config MessagingService_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config AppVClient start= disabled

C:\Windows\system32\sc.exe

sc config MsKeyboardFilter start= disabled

C:\Windows\system32\sc.exe

sc config NetTcpPortSharing start= disabled

C:\Windows\system32\sc.exe

sc config ssh-agent start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config OneSyncSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config wercplsupport start= disabled

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start= disabled

C:\Windows\system32\sc.exe

sc config WerSvc start= disabled

C:\Windows\system32\sc.exe

sc config WpnUserService_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start= disabled
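
The service changes recorded above run in two passes. The first pass sets start types to auto or demand (WinDefend, mpssvc and wscsvc are set to auto, not disabled), the second pass disables a separate list that includes TermService, EFS, BDESVC, Wecsvc and W32Time, and a handful of services are touched in both passes (W32Time, iphlpsvc, Wcmsvc, wlidsvc, WinHttpAutoProxySvc), with WinHttpAutoProxySvc also set to Start=4 through reg add in between. Only the last write reaches the host, so the listing is best read as a replay rather than line by line. Note also that `sc config Backupper Service start= disabled` is recorded unquoted, so sc.exe takes "Backupper" as the service name and rejects the rest; it changes nothing. The script below is an added example and is not part of the sandbox report or of the analysed batch file: it replays `sc config` and `reg add ...\Services\<name> /v Start` writes in order, folds per-user instance suffixes such as `_dc2a4` and `_5f1ad` onto the template service, and lists watchlist services whose final start type is disabled, together with the full write history. The watchlist, the function names and the constructed sample (a subset of this listing's command lines, in their recorded order) are mine.

```python
import re
from typing import Dict, List, Tuple

# sc.exe start= keywords, and the numeric Start value reg.exe writes for them.
SC_KEYWORDS = {"boot", "system", "auto", "delayed-auto", "demand", "disabled"}
REG_START = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Services whose loss weakens protection, logging, integrity or patching.
# Assumption: this watchlist is mine, not part of the sandbox report.
WATCHLIST = {
    "windefend": "Microsoft Defender Antivirus",
    "wdnissvc": "Defender network inspection",
    "mpssvc": "Windows Defender Firewall",
    "wscsvc": "Security Center",
    "wecsvc": "Windows Event Collector (log forwarding)",
    "efs": "Encrypting File System",
    "bdesvc": "BitLocker Drive Encryption",
    "termservice": "Remote Desktop Services",
    "w32time": "Windows Time (Kerberos and log timestamps)",
    "wuauserv": "Windows Update",
    "waasmedicsvc": "Windows Update Medic",
    "ikeext": "IPsec IKE and AuthIP keying",
}

# "sc config <name> start=<type>" and "start= <type>" both occur in the listing.
SC_RE = re.compile(r"^sc\s+config\s+(\S+)\s+start=\s*([a-z-]+)\s*$", re.I)
# reg add "HKLM\SYSTEM\<control set>\Services\<name>" /v Start /t REG_DWORD /d <n>
REG_RE = re.compile(
    r'^reg\s+add\s+"?HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\'
    r'([^"\\\s]+)"?\s+/v\s+"?Start"?\s+/t\s+REG_DWORD\s+/d\s+"?(\d+)"?',
    re.I,
)


def canonical(name: str) -> str:
    """Fold per-user instances (WpnUserService_dc2a4, cbdhsvc_5f1ad) onto the
    template service so both passes of the script update the same entry."""
    return re.sub(r"_[0-9a-f]{4,6}$", "", name, flags=re.I).lower()


def replay(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Replay sc config / reg add writes in order. Returns, per canonical
    service name, the sequence of start types written; the last one wins."""
    trace: Dict[str, List[str]] = {}
    for raw in cmdlines:
        line = raw.strip()
        m = SC_RE.match(line)
        if m:
            # An unquoted name containing a space ("sc config Backupper Service ...")
            # does not match here, just as sc.exe itself rejects it.
            kw = m.group(2).lower()
            if kw not in SC_KEYWORDS:
                continue
            trace.setdefault(canonical(m.group(1)), []).append(kw)
            continue
        m = REG_RE.match(line)
        if m:
            code = int(m.group(2))
            trace.setdefault(canonical(m.group(1)), []).append(
                REG_START.get(code, f"start={code}"))
    return trace


def disabled_watchlist(cmdlines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Watchlist services whose final start type is 'disabled', with the write
    history so an analyst can see re-enable-then-disable sequences."""
    trace = replay(cmdlines)
    return sorted(
        (svc, WATCHLIST[svc], hist)
        for svc, hist in trace.items()
        if svc in WATCHLIST and hist[-1] == "disabled"
    )


# Constructed sample: a subset of the command lines recorded in this listing,
# in the order they ran.
SAMPLE = r"""
sc config WinDefend start=auto
sc config mpssvc start=auto
sc config W32Time start=demand
sc config iphlpsvc start=auto
sc config WinHttpAutoProxySvc start=demand
sc config WpnUserService_dc2a4 start=auto
reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
sc config TermService start= disabled
sc config EFS start= disabled
sc config BDESVC start= disabled
sc config Wecsvc start= disabled
sc config W32Time start= disabled
sc config iphlpsvc start= disabled
sc config WpnUserService_5f1ad start= disabled
sc config WinHttpAutoProxySvc start= disabled
sc config Backupper Service start= disabled
"""

if __name__ == "__main__":
    for svc, why, hist in disabled_watchlist(SAMPLE.splitlines()):
        print(f"{svc:<18} {why:<44} {' -> '.join(hist)}")
```

Feeding the complete listing through `replay` instead of the sample gives the host's end state for every service the script touches; anything that ends on `disabled` but is absent from the watchlist is still worth a glance, since the list above is a starting point and not a standard.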

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDInstallLauncher" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDLinkUpdate" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "ModifyLinkUpdate" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "SoftMakerUpdater" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "StartCN" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "StartDVR" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc stop uhssvc

C:\Windows\system32\sc.exe

sc stop upfc

C:\Windows\system32\sc.exe

sc stop PushToInstall

C:\Windows\system32\sc.exe

sc stop BITS

C:\Windows\system32\sc.exe

sc stop InstallService

C:\Windows\system32\sc.exe

sc stop uhssvc

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop LanmanServer

C:\Windows\system32\sc.exe

sc config BITS start= disabled

C:\Windows\system32\sc.exe

sc config InstallService start= disabled

C:\Windows\system32\sc.exe

sc config uhssvc start= disabled

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc config LanmanServer start= disabled

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config RemoteRegistry start= disabled

C:\Windows\system32\sc.exe

sc config RemoteAccess start= disabled

C:\Windows\system32\sc.exe

sc config WinRM start= disabled

C:\Windows\system32\sc.exe

sc config RmSvc start= disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config PrintNotify start= disabled

C:\Windows\system32\sc.exe

sc config Spooler start= disabled

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config PrintNotify start= disabled

C:\Windows\system32\sc.exe

sc config Spooler start= disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config NlaSvc start= disabled

C:\Windows\system32\sc.exe

sc config LanmanWorkstation start= disabled

C:\Windows\system32\sc.exe

sc config BFE start= demand

C:\Windows\system32\sc.exe

sc config Dnscache start= demand

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start= demand

C:\Windows\system32\sc.exe

sc config Dhcp start= auto

C:\Windows\system32\sc.exe

sc config DPS start= auto

C:\Windows\system32\sc.exe

sc config lmhosts start= disabled

C:\Windows\system32\sc.exe

sc config nsi start= auto

C:\Windows\system32\sc.exe

sc config Wcmsvc start= disabled

C:\Windows\system32\sc.exe

sc config Winmgmt start= auto

C:\Windows\system32\sc.exe

sc config WlanSvc start= demand

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config ALG start=disabled

C:\Windows\system32\sc.exe

sc config AJRouter start=disabled

C:\Windows\system32\sc.exe

sc config XblAuthManager start=disabled

C:\Windows\system32\sc.exe

sc config XblGameSave start=disabled

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start=disabled

C:\Windows\system32\sc.exe

sc config WSearch start=disabled

C:\Windows\system32\sc.exe

sc config lfsvc start=disabled

C:\Windows\system32\sc.exe

sc config RemoteRegistry start=disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=disabled

C:\Windows\system32\sc.exe

sc config SEMgrSvc start=disabled

C:\Windows\system32\sc.exe

sc config SCardSvr start=disabled

C:\Windows\system32\sc.exe

sc config Netlogon start=disabled

C:\Windows\system32\sc.exe

sc config CscService start=disabled

C:\Windows\system32\sc.exe

sc config icssvc start=disabled

C:\Windows\system32\sc.exe

sc config wisvc start=disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=disabled

C:\Windows\system32\sc.exe

sc config WalletService start=disabled

C:\Windows\system32\sc.exe

sc config Fax start=disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start=disabled

C:\Windows\system32\sc.exe

sc config iphlpsvc start=disabled

C:\Windows\system32\sc.exe

sc config wcncsvc start=disabled

C:\Windows\system32\sc.exe

sc config fhsvc start=disabled

C:\Windows\system32\sc.exe

sc config PhoneSvc start=disabled

C:\Windows\system32\sc.exe

sc config seclogon start=disabled

C:\Windows\system32\sc.exe

sc config FrameServer start=disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start=disabled

C:\Windows\system32\sc.exe

sc config StiSvc start=disabled

C:\Windows\system32\sc.exe

sc config PcaSvc start=disabled

C:\Windows\system32\sc.exe

sc config DPS start=disabled

C:\Windows\system32\sc.exe

sc config MapsBroker start=disabled

C:\Windows\system32\sc.exe

sc config bthserv start=disabled

C:\Windows\system32\sc.exe

sc config BDESVC start=disabled

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start=disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=disabled

C:\Windows\system32\sc.exe

sc config DiagTrack start=disabled

C:\Windows\system32\sc.exe

sc config CertPropSvc start=disabled

C:\Windows\system32\sc.exe

sc config WdiServiceHost start=disabled

C:\Windows\system32\sc.exe

sc config lmhosts start=disabled

C:\Windows\system32\sc.exe

sc config WdiSystemHost start=disabled

C:\Windows\system32\sc.exe

sc config TrkWks start=disabled

C:\Windows\system32\sc.exe

sc config WerSvc start=disabled

C:\Windows\system32\sc.exe

sc config TabletInputService start=disabled

C:\Windows\system32\sc.exe

sc config EntAppSvc start=disabled

C:\Windows\system32\sc.exe

sc config Spooler start=disabled

C:\Windows\system32\sc.exe

sc config BcastDVRUserService start=disabled

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start=disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start=disabled

C:\Windows\system32\sc.exe

sc config DmEnrollmentSvc start=disabled

C:\Windows\system32\sc.exe

sc config PNRPAutoReg start=disabled

C:\Windows\system32\sc.exe

sc config wlidsvc start=disabled

C:\Windows\system32\sc.exe

sc config AXInstSV start=disabled

C:\Windows\system32\sc.exe

sc config lfsvc start=disabled

C:\Windows\system32\sc.exe

sc config NcbService start=disabled

C:\Windows\system32\sc.exe

sc config DeviceAssociationService start=disabled

C:\Windows\system32\sc.exe

sc config StorSvc start=disabled

C:\Windows\system32\sc.exe

sc config TieringEngineService start=disabled

C:\Windows\system32\sc.exe

sc config DPS start=disabled

C:\Windows\system32\sc.exe

sc config Themes start=disabled

C:\Windows\system32\sc.exe

sc config AppReadiness start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config HvHost start=disabled

C:\Windows\system32\sc.exe

sc config vmickvpexchange start=disabled

C:\Windows\system32\sc.exe

sc config vmicguestinterface start=disabled

C:\Windows\system32\sc.exe

sc config vmicshutdown start=disabled

C:\Windows\system32\sc.exe

sc config vmicheartbeat start=disabled

C:\Windows\system32\sc.exe

sc config vmicvmsession start=disabled

C:\Windows\system32\sc.exe

sc config vmicrdv start=disabled

C:\Windows\system32\sc.exe

sc config vmictimesync start=disabled

C:\Windows\system32\sc.exe

sc config vmicvss start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config edgeupdate start=disabled

C:\Windows\system32\sc.exe

sc config edgeupdatem start=disabled

C:\Windows\system32\sc.exe

sc config GoogleChromeElevationService start=disabled

C:\Windows\system32\sc.exe

sc config gupdate start=disabled

C:\Windows\system32\sc.exe

sc config gupdatem start=disabled

C:\Windows\system32\sc.exe

sc config BraveElevationService start=disabled

C:\Windows\system32\sc.exe

sc config brave start=disabled

C:\Windows\system32\sc.exe

sc config bravem start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config NcbService start=disabled

C:\Windows\system32\sc.exe

sc config jhi_service start=disabled

C:\Windows\system32\sc.exe

sc config WMIRegistrationService start=disabled

C:\Windows\system32\sc.exe

sc config "Intel(R) TPM Provisioning Service" start=disabled

C:\Windows\system32\sc.exe

sc config ipfsvc start=disabled

C:\Windows\system32\sc.exe

sc config igccservice start=disabled

C:\Windows\system32\sc.exe

sc config cplspcon start=disabled

C:\Windows\system32\sc.exe

sc config esifsvc start=disabled

C:\Windows\system32\sc.exe

sc config LMS start=disabled

C:\Oneclick Tools\NSudo\NSudoLG.exe

"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"

C:\Windows\system32\timeout.exe

timeout 1

C:\Oneclick Tools\NSudo\NSudoLG.exe

"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleaner Update" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerCrashReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleaner Update" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerCrashReporting" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\taskkill.exe

taskkill.exe /F /IM "OneDrive.exe"

C:\Windows\system32\taskkill.exe

taskkill.exe /F /IM "explorer.exe"

C:\Windows\system32\reg.exe

reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f

C:\Windows\system32\reg.exe

reg unload "hku\Default"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "OneDrive*" /f

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\UsoClient.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\taskkill.exe

taskkill /F /IM WidgetService.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Widgets.exe

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\smartscreen.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe8,0x108,0x7ffc74d7cc40,0x7ffc74d7cc4c,0x7ffc74d7cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1744,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4640,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4296 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4612,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption /format:list

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "uejf7w " /t REG_SZ /d "" /f

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4836,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5088,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3488,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3120,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4484,i,3579385352841370726,1188370588731749131,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4420 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MinecraftUWP* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Wallet* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneVideo* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsCalculator* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GroupMe10* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSaga* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSodaSaga* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ShazamEntertainmentLtd.Shazam* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Flipboard.Flipboard* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *9E2F88E3.Twitter* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ClearChannelRadioDigital.iHeartRadio* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *D5EA27B7.Duolingo-LearnLanguagesforFree* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshopExpress* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *PandoraMediaInc.29680B314EFC2* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *46928bounde.EclipseManager* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ActiproSoftwareLLC.562882FEEB491* | Remove-AppxPackage"

Network

Files

C:\Oneclick Tools.zip

MD5 d2be90c23063c07c5bf6e02c9400ac35
SHA1 c2ca99de035c17ba9b7912c26725efffe290b1db
SHA256 9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
SHA512 13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

memory/2716-9-0x00000145F0A40000-0x00000145F0A62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kuxku2qr.glt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17a60c9cac37cf5412f4cd266c22a435
SHA1 648aed53b8f323be19dfb75e1c61e9dd95fdd0fd
SHA256 de36be11adf1651810ebee5d6214786e3a6045ac7ee51730036385f504d4653d
SHA512 43c8160d5e32d6aeae36201e7580dfd2d47b53ceba28443b2aedefd32377448296ce805669b5136686378603af1348d58fb40a59b906c28aed2df6f7d98b4044

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f369fc29ba05fe1357a35e47f6a7654c
SHA1 a43b41f3bc2a0d30c4e4d7a9694fc2e91ef3f924
SHA256 1f22676e0c5895f9ba83fc073c61a177df3d38924ce37073b20c1b2e9c55e20e
SHA512 18f62cb937949db9fb9fb3ed1f2bbf657b4204620184208fd62171da1c0b2e41ca35cc04d9e234e2b3205fd78df2ebd50ec632848077ec551728a510cfed74c7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3a924916719c590c164e2306f5b3ad4
SHA1 6b99d5b4cadd988deb3f825c38d3b2ca62beed11
SHA256 a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1
SHA512 29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5a06365e87db621b11dcbd82f6da3f84
SHA1 8091eaa102a2cce702bbfe906af73031513be2a0
SHA256 9e5264586c076a281fddb057dc508220ab0ed3ed2eef797124092bda50b281e0
SHA512 76b7f3d2bb8234c8de598102ee7b6580c8f16988cc9bda1f3cb6b6c36186524a0635d515bb0cfcc6fb95292c6221c083fdb3a4b1704e6360152d8aef4537d091

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6472a580676d60dd89de4d0c4ea92ff
SHA1 1b628eaf008b7b87ead73e964703b62e35953155
SHA256 1be7146c53116b9c949ef8a21935a274d03c993d2c3aa5b11d2ff41711d93c94
SHA512 2d93e363fa83015d1c5dc6fa2a0a300c9216dcf5a6b7786414b8cd0062fd994974c3a5280dea5e52668bac53635bce1220b7003e14eb83d61407a44b99da93ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbf9fec0284459c885c695c96fdd4e67
SHA1 f3530eb549137596bb53cde08a3e3cc1ea237faf
SHA256 3cc2ef28f616ca2a6e5fb06da63d6bdb53b63e92701ecee38e84f98b7f56b38a
SHA512 95a7858d009940a1c29f9c05c2bd2a6a03a3122fe749546d87e435b5d3172fd0d22dec099b450be3ea99c58b8681484eafd8ad00be1364d9085fc4a9f249f452

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/2504-102-0x000001D372AA0000-0x000001D372ACA000-memory.dmp

memory/2504-103-0x000001D372AA0000-0x000001D372AC4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 238f0a5701700be966cc85a76ecbfc19
SHA1 c69446816c9c6c0657e8705ca08459440b6e1d53
SHA256 cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b
SHA512 791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb1d69b71a38dfe81ac0d2020830faf9
SHA1 1f8baf6d137b5138ee40c725f9138e1cdd2a71fd
SHA256 5ca132239020780c2a57681b9b6960880f23c03daa982d03cb3142cb923f5001
SHA512 dba787451922e7bd2d863ba23774d80200acf58243617d0c54e5b3941fa4a47e2c7f8ba43ed91580fdc82884db7bb22bbaec0ee9ca286faab6c1d827b62896fe

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e7eeff51-18c6-4013-a123-180ffca04c52.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

memory/324-180-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-179-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-181-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-182-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-184-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-183-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-185-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-187-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-189-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-188-0x000002967A550000-0x000002967A560000-memory.dmp

memory/324-186-0x000002967A550000-0x000002967A560000-memory.dmp

C:\Oneclick Tools\OOShutup10\OOSU10.exe

MD5 4803e06db91fdb8b6d1b65c0010d2f87
SHA1 f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c
SHA256 beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b
SHA512 f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

memory/624-296-0x0000021DB5180000-0x0000021DB5370000-memory.dmp

memory/624-297-0x0000021DB5820000-0x0000021DB584C000-memory.dmp

memory/624-298-0x0000021DCF9E0000-0x0000021DCFA86000-memory.dmp

memory/624-299-0x0000021DB59F0000-0x0000021DB5A0A000-memory.dmp

memory/624-300-0x0000021DCFB40000-0x0000021DCFBFA000-memory.dmp

C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg

MD5 109f47ced5da3f92362c49069fc4624e
SHA1 79b611073aa0006f1bb4058a6ecb6f3cc97391d6
SHA256 2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b
SHA512 55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

C:\Oneclick Tools\NSudo\NSudoLG.exe

MD5 423129ddb24fb923f35b2dd5787b13dd
SHA1 575e57080f33fa87a8d37953e973d20f5ad80cfd
SHA256 5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
SHA512 d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bacdb75c4942e8d022b553029b82f734
SHA1 7b67186bcc7de347f46270f88ec7e98356477cbb
SHA256 a85b3cde6a46b70c129741f0a8326bcb438a8124667082bd6701b351ddea9aa6
SHA512 727814ce148bcc37cfe3c8ca78585261b61533021b0664c331292478d22ad01e5e968225a8f41879575c61b67166e4350c15f9f896822360f316f8542594322f

memory/4188-316-0x00000297F4A70000-0x00000297F4A8C000-memory.dmp

memory/4188-317-0x00000297F4960000-0x00000297F496A000-memory.dmp

memory/4188-318-0x00000297F4C80000-0x00000297F4CA6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70c91e55fe182a7b11ff383b0dbdd172
SHA1 b3e7063b1d6dbcd05bab520d8c54c6ee88be78b6
SHA256 20a2bab78c6744ab81aedd1c713053fe52d50755d347c8a667dc85f93c686a6f
SHA512 0f373234d24bebf1ce1d2b4ed10fb2e341aaaaac9a98000a11b5b8c9a0df969ff9af6059c14e9f41ccb8441dfb6e9933150b82a72e8c24bf2a028bd30d22038e

\??\pipe\crashpad_4984_VKVYFIWSZEPFKETL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\276f6e76-acd0-49c8-84ed-3d12367b5cdf.tmp

MD5 d627069eecac74bf9506b4e9e665e01c
SHA1 8c5691da35b6ed34cdfc3687ee804c0f99b15f64
SHA256 4bdf6b57748f301c07367d0c0c0f3b66f445f6840f987023b7ebc3dcee0ba4ad
SHA512 20d150a6ed521511d492a7c2b45d36da3ba3bfee8ce622345d6ff931ab915a26b1930a2fcc5112e28361167f50d822ae5c6799bb366dad090922ef024468f729

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 fc7ad0397656d7185f5e04f70974aaa0
SHA1 dad7df33764c8691f53c19dc0753742e02fe2d0a
SHA256 97b2ca954ecddf065fbcd1e4ee46702c82c956d2da246386cb82a400098daee9
SHA512 880023b14928b3943830607195e5feaf29e1d2f7f9655081ec02af223d2d46f543f0b9c515ef9fe44b7eec99ade1f1283176eb525bb8a2525da0edc26b2f3802

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2233685206647f2e2c7236462bae6400
SHA1 78f1ac2f059679cb57ba05c4dfb3933d90a56162
SHA256 98c68797e8154a920ff7e9e7ea35efa6e50cef3508a12e380771e9c29cfcfcb2
SHA512 76cec5ec12b58c851749b50217c07b7d5536cb97afb8ca96d93c73b3e0543856c9405473f0ce6b900974b2c2f8d7bf9d7db53d912523746ca958ec4f84ee76bf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7b31b9be50780705674235c018a23d81
SHA1 2fa05e84639f1ebbf69685b68a10476c1cd761b1
SHA256 5d194e06e04bcd4858da2ee82b3c01d406a7654ddadc330e04e897ad9751bb41
SHA512 4fe8ebcf42e159ae4b1b45ec3ed0de8592f3e2099e27133992ecae2ecd89e88d8d0a8c12229c5fbc663184a922721e4816cf61b720e21b0da66095d33e6ebf5c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 aba9335e9c1369506487e652f00a2349
SHA1 bc69fc2fed46922970d690b1c6ec8ef1af17376a
SHA256 7208fca13898a0cd4ec12de0f842c3ea8c584259c45b1d7749035cada35f9d7b
SHA512 3a06aca65ba3714aaf26d83d8bd525129d0a33d22080df26793cdcbe7869331c0d2ad0a8a454df009490b11bf782e772f0e8531bcf15a012e04c833b8bda1347

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f923e75424fbf0c90841a3ca0a7e2497
SHA1 566b60eedeb8b2bb0faee8bb89ee6f13945d518f
SHA256 cf30866990ad2a12e2184463bc9521b2557fa528fa5540e2ffc8cfc4df9b947f
SHA512 297e424588ed9f532721fa03f36f9a355e56a20f50a3d4e47fe6417fbe82f455507ab2384644df878c4b2fddf4f663d2cff6237a99f74b41b42d84d5e93bc1b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1711f53722fd7a5b645e0fc44d33d25e
SHA1 4f6d00525bf4b243472e2968b190f4697f03384b
SHA256 faea80f7d57e1c15a9d8acce99d52ac93f333ce9e63d15f10dfc1918025ed87d
SHA512 36e1e1ff4f0545ef15ad3c8efa235abd6849604a59862e8477d41888fdba5035ee83f69eef6b10a37628e4f6e89b4020b1fe614d428999987ad035450433b0f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 abad006480085dfae3ac13c797965ae8
SHA1 c239f025f3707985379f5ffd7265bee31fbb46f8
SHA256 7dac25d578ddb243df8c7ac4267f0f5820467f9f55cc0e4a283946a42e6f3941
SHA512 f719b236f63ff7d94eaf3bdc47a3f900a9f3f8a1dc04bbc8b5c4f989365882772feaff665447201c7302ee93b188866e8de4d41c178cba480fbcf4d90d486143

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28acdf407989ea0516a4775da3309308
SHA1 d087e99fbfd27cfb18f33b8b8cdc35a8b579ecfb
SHA256 4726ca29d1140c5ad252de8415a6a1ae887e7dbfa2dd762e9618b8775118eda0
SHA512 5a2c6349dae4d5d0363598566e95366893c1808aca4eb55a1d84f7bfd3e456082425660241a1f80313f63249d38f54613fd08f68f41edec1e0884ab6d34306a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c4c5a4b51ee58977ebe4065ddd888ee
SHA1 bc2952aad53fe4db8d9e73463808f5db4d68e7e0
SHA256 6db52d214ba4a615a68e750785857f5f4fa0b37aa36a032bac75ab0c9fec190e
SHA512 c6607f07553a5361b182039772c389cadb00896e9993bd747dc4c8db01e0fe368e27b7d173d925fa0ae16bd3461bca6ab86f3467a92591cc068c37c98ab9e5c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2f6c3b62609822ff613ce392fe32043b
SHA1 dc8e61fbc5341ef23c26a63a33e5d3c83a53c7a0
SHA256 7d3ab280fb445e28907319c0733af0bfda5c59876958a203c7e44dfba8f326bc
SHA512 3f0a3b1329c1fbeb7f0697a4bf4c91379458f7e0c8b54ef66d9bc5e1570b22c57a97c4d0ba5938ac5ff42c069b07923ddf951353b9b9880fd01d34fc2e696ff1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1b67ba6324d15ab63fd7090538dcd24e
SHA1 aaae307f15a92894b194d915ef4e5965f7d3aff2
SHA256 b6f66a17d209e4e73de969ee7ce27b7d30bf20a10acc7469442845149a4696df
SHA512 16dd7166472e2386e9488b8904e74eca0dd7468fd9b108b04c898ea55c02d30ee2464c6e906aaca8ba8bf29c84625d4f8b3fefefd3fb5d52a78948e6bb0123ad

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f27596dcec47d5f158a6a8922bcdef2a
SHA1 35d2fd3368cc58629e4ab4593883c03df7343b8a
SHA256 da3aec5f6c3ea0559e7b34a5897350ecf40f5dbc12b6bec6d6f969396185f047
SHA512 614949003e3fa2b8b35466fc43310e3066dae476c43f4f9283dc0efbd3680e8496869802fc65b9f27a6a1d165274c43dda636669e20c3b2f43bdd3967eac8ffe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c27ef45da0f6ff28a4cb02697b65f598
SHA1 b8d42b5954718a834289f97a01a7ebb7c8e1535e
SHA256 b259c24e1c29620457f0545ad6ae7b1b232fe4c2f14a04c8c95800090b1f6fe1
SHA512 0af497cdd2639530b829daf38db55f85649c3fe3a4d66fea45f6bc930f39decf6cdd3122ab5ed2cb892978e6dfecaa33141c83305c48982f494c3c697f3b3d78

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d6c73e32041293864a9112b63fc31e30
SHA1 42b195b09dd1e26b4c595297cdd4353185c0072e
SHA256 1c24eeb45a7d3f3fe93b21bc1fe64f800c97271626addba4d083216ee79c96fa
SHA512 90905389b04e1c810a380b8dc577af3ba891313c95b66a4a5f7e2a9ceb3cca3198f0a4bdddf15de69a6353984787bfbebe807584100d1b67069f11bf87199960

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 018e2644e95c0cebe22cf3b01a2f04ef
SHA1 f73e4974451213f79af0349aa82e8ed5bb51e730
SHA256 917000a16bfb81b337ada47ace3fc17d2e3ec65ada9c593ed1416be767a7be9e
SHA512 0f69ca949644f72a722fab3a42f847a7bfa0b8bede95d855258897461b184af5b6cbc6af5dfc27ee1dd3f502c99fdc142519b3416015658792f69715fde5cea1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d3cee1bb29ebd083a46b76b27b6956ac
SHA1 7fd95e00f1fb5cd238a33dc49ca654b0a26b1240
SHA256 83a08747c880626fecba698a155d8e551ea8078be77c706e73632d383a3c69fa
SHA512 978a255b4cf1115d10bc275921325da356174e38097f33efc85d0b768b6ff1fb4a371386b56734260106c06e3bcc1cc8f60da84dde7ec6dbe9cc7b9f2bb4b2be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f02ebef4174e1c8ad23a9ca33ceff0af
SHA1 ab43e226b3e5ab7c9e635c79e24e4a83ba86c9d2
SHA256 535644291f79de129eb33239d3650ad25e45a2c1ed20dc3590949d7008e00d3e
SHA512 a60cac36efe422b7960077dbb31f0a6e1c2d66a666fd47899321fd52643bc773a8af89150d6833e15ae34d5a2cd5cd58f41bc4097fece489489cce063478b9db

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 546e5227fa36cd807c0269d46d2ff0ff
SHA1 56793531c722f305fdc9779098764955a5a2804e
SHA256 33e5adf3985704ca2a26c74ce7faa0ed383ebd0402dcf90809e396c9bdd96a29
SHA512 7066ea1fcf359bb913d21ee38386b0e859be3fb947e4aefd4407c25cf5c78f3e8fab63cc36967a030cb1475b85227cf2c08b3e693d069732b608d088020f7b5f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6a953035a998f94820922125827d0728
SHA1 31a37b32f629948781803b64ae79e8448a0bcb30
SHA256 3b4f2f1be922764962c95cae933fdf4267a89cd53670d0c14714fd8c3e6b4ac6
SHA512 0647b07c6fff260435150b930ce0d474dbacee6bf5b9c9a359f3ff639139c37b532379a8096d25fe874ef7559a41516e6a6a5a5dee84bd3c9433b45212300b2c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3648114c014ea179249cc8ff8c112b8a
SHA1 2f2f44accbd0cc2983537ab8b318fab2da8af7ec
SHA256 e8809e07528cc4e7f05a7b83508812da2274768e0dc0503297e2f592d7795275
SHA512 9a6fed5ae37b1c5b4d85c3365eeda8747e2ce3d87de6c10e336acec56bb0d9a5fe88cf48b9fac5501ab362dd3c2a8021fe4d2288f73e8bc6842bce335c36e02d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d6b0f4be3e62f288c7c7d280eb545713
SHA1 c9b0bfeab5a96377f6c29cca317da41c3e4a67ff
SHA256 169c9801b0441e445a7d1e99a4ccf2e4904e87b838c29752cdc198d74a81fd58
SHA512 9a19b0359c4392a03199f7e1388347652c96fec1fc11c030c68b7579c54a21356918c270e34eec79b201eba9dd0975c94885114216d72b5aae0d83246cb48631

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 161717754da9a957d454696fe86ffa2c
SHA1 61db849a5b26228ccf830e77bcd5b7c9fc60a4e7
SHA256 c27db1a92b50018669f98faeda2b581693110bc74b3cd01b34274ff461a0e1b9
SHA512 6f5c053060f841c3c4a2078d10338f3bc22967656944a23a4545baf2eb7284f95cfcb63156ba88d4893aa9c4045af90f94259fa002c346a99c58443e419cb3b6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2ebc299c7d6e1b329bd1656991fa227f
SHA1 4f01d9bb83239a2c52c66bccab83ab2bb3e533fc
SHA256 4aaad22df815c9da61bfdbfe6433e59ba8b71b36ae5b793fa10905abc2c7955a
SHA512 05e84ee4958feb9276ab9b416aca8d18efa0a339aea9bcf3dd1eae1354f74b634aa4e742cc5a4d060e0bf36bc9b3f2650b05a81594c0e0a15742ffca9f8680bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a485f1ca7eb3c5018a0e24ef7df89afa
SHA1 b926fd0aa9698e06ea76747e302e6f36543fc187
SHA256 8cc21379ce9d15a0cde092e2cba97bb181ede4e9e8e6663b7429b829b2a69895
SHA512 2eebc9e469c42ab2eaa6e2830fb9386c46111385f8a7bc4ef54b843406eb11ed0bdd19819a9e948a3d01bf589761422f538d895f9d7518403fe24395a1449a59

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb21ad74626136258de152fefac33542
SHA1 92cfae99772932e050be68c0bdbee14fc177b4b3
SHA256 003b410901619bf09c74c426e4ad378d0b43ca51882bba731cf2bd81b5cac9da
SHA512 f5ce5efdc9108d6d6f216742139d0124e266432eda3617b99e1c5836623a3de1c206aac97e6d73dcc0066466928c4136ef0c2ef00523e0c5bd210c5f8adad5c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7e517a513129d3efbbc8b99f0e620a2
SHA1 4520fe1fba2133e75a7066b1b20f65ccf6abdcfe
SHA256 4b8679f30805a39cee65500429b18b117b9e97f7d9284b23083b99ca8c1b06b2
SHA512 18c89d8e049ca99578991f080a9e346fd7353533bf41453b89a5f9a4e11d84505dc01307772ad2219437a8395c66dcaa4671fea46623801ac54b4ac558064891

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 42cb809d7e6cbc260b981595bfaeff8a
SHA1 8e829bb8df1a5226da77cd1eafeea072ad79dbea
SHA256 48f94b21af348d01054afbd5296217e58cf1b5e19c40a03582c881b07f4eb50a
SHA512 5f0253b4683f61e79001b7ccaf4ef60e4e4f6a11db34daa5ceefb034f1cbef9f64ec40944f618bdd3f19ba84038a7229a92ed8718a9017cc8fffd3f888027c4c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

MD5 e579aca9a74ae76669750d8879e16bf3
SHA1 0b8f462b46ec2b2dbaa728bea79d611411bae752
SHA256 6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512 df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 76ddbcdee025f9c799993303a5a70d60
SHA1 4cf31c49b16be5da4ccd9155aa6a57fd042f41c5
SHA256 74be88064ae5968a652ba332a1fae960e2cdb1b30e6b073b94ea6e80e38a130d
SHA512 c6a01be1060f770218820c3c4dd07bc0f1da29bf6c0a3c472b657983736fd2e0ccddb1b8f1c30e079aa5accf09f96f3974f895219bdbdc3133516d3e7e0ad5dc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7ca416b30f3934e74bad24acc2081f6
SHA1 a9eb34ad453ef05c0dfce51aa79b0867430e8032
SHA256 0ef4b691fd9308624fbab7ab88e65fd03e91c87d56e3c46dab9375f9b685664d
SHA512 c57b736e6a05a5d58275d97dcf221da3a89be25b2a5f251abd52e5132a1229a3ff7694fbff56889efebdcb8593bd2188988112136ead7043e15da033dbe25e4c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59fc565c462e7c2ea191f5bcd07fc7f7
SHA1 82319a1561bf814d57909b2aabcc9cd694d28144
SHA256 66af5b8a9dbbc021a788ff678f65505956f668993d948f0a8688c77225a007a4
SHA512 72fd9b8208ac3603f1606038e91865d2399263d7d78c78bf94f1b08a72f4eae186a32f286ed2b6a61585254bf7596923ae0c355f4a582af71351465b56a9a2ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7cfaee7dbbdb26a004b0ab31953122e
SHA1 8807ac20333c5ccfc15ffe24073df4a724f4ccff
SHA256 0419c5f97506b99bb52e1a871bfa106243472d4bbf7ec05290fa2f9ee853204f
SHA512 4b824531d1e693e7dfd4a121a8c793d386527801ad7a887244802bcd350df26616e02c6fcee894e61e5f13ddcf7d215cf42f3f991e24029ffcbad82b805cf07b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d247f3dcef4b8065e5782588fa9994
SHA1 c0d499337fac8d433498ff3a558ef0576aa0a462
SHA256 a5d8ee69ea240bfc741a31d67484aead22f4a4333e6f7db6b2d6e41b5a43880c
SHA512 79328ca89bf886c4e5244c9516cc18051ce106ac607e2f4626acd964edf8f5204040ca26ddbaad6f4d8d41e6a4affef42fad5c3171fa0c3c6ef6aad1ac383302

C:\Users\Admin\AppData\Local\Temp\scoped_dir4984_611920583\39c486e4-e7d2-4f34-90ac-3d9a4d2e817c.tmp

MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af4b0dad49ad8f7fedf208469d57964e
SHA1 9d06eaeccb3134899b67834ef74b39712a506d69
SHA256 798ce95d8eaf80f62645eacbe9d63adc8ca99babcaa8052bc9f0cc9afae93ba0
SHA512 8136211dfe281faf11fad11a3073a939f156bc54f87bfbd69264a0a3ac9b975b32524f03bf59a24536fcafb70159b53b6e316393bc4920adf8d0c6d579db3cc8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 68549cca5eb98f6dbf4e71ea5838574d
SHA1 bc12a0fe84395d61898561139f732aae82093b79
SHA256 86a5f37f9307c3d357953aeb46c9282e7439f556b8029275f00f35ada4a5b42f
SHA512 58c4a1656d3b6a9dcb75098d5cc0439fa240e86f8efa8d692fff0948d4900e5aedf9b8b1e2c37cb33e3a78348c43c4c765e5da625982fd769649bf495302ca62

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aebc892b67e02565ce1c843823a64767
SHA1 e90b3d63138457f154bd814c97dbd7b910f67f8f
SHA256 9f8d6a47c465e3650140f1b56885bc2ff833d927690555fed4457b3244c35e21
SHA512 c9cb1c097a36daa450951d76038edd6871355a78f3d1a7433e93db3cbbca6623034411fc29147f28f64e2e708d4954bbd688596b262b1f4ccd622d53bb4a8b66

C:\Users\Admin\AppData\Local\Temp\scoped_dir4984_611920583\CRX_INSTALL\_locales\en_CA\messages.json

MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee5cdd314ce58e5083a22b5deb48c97c
SHA1 992b5933b30935e935fd9546c98500b98622a4cd
SHA256 4c1b8ddf62bba7bf5574c6cf419c04cc64a49df56098296796f8c52026aa109c
SHA512 bfa16c231712474c4c3a8d94e70bd52cb0e2dc9e80e83554ea1e2497c396336e6710ff73802209e2654590dc93a2fcd470eb1eac260b515726ecce2450070edc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 eb2fd399e2ed9df7e4166465bde58cc2
SHA1 8edbdd427f3dea06717b6927ab6b9a82b0e5c233
SHA256 0adad9f24a6c9019740340b99711d16035b517221aa15842caab2d719b092f70
SHA512 793fe0ef55fe5c63493fa2987921763bede92c145d9c9fd8d443b083981a7bf9173a8b13b0b1f981fd918dc0b34d62d317efb67b700274fac48415eace96a432

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 88c53e0b3a978337a5ac1df1645bc784
SHA1 281b34e42ba6af4fb502fc571784c5aed25b285b
SHA256 f913c428203afabf7b3a424c60d04b90ad400ae5eb1c9186fdaa5766a25cbb8d
SHA512 a37f4bf077faa5f595aaa1fdeab41e8dbc888d8560fc3e5b1491120c2863a1ba8947c77fa4144040968b9947081706011528baf53feaf566398fba7bc4421efd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 129c93c59e21dc08404c321b5838f209
SHA1 fbb2b9d8b6f96a6c0308b810726507b2d371c136
SHA256 72acbffc2c1cdd2fb76dabe29540ca15609a3810ad796390122ea017d4494c24
SHA512 dfb6eb9de7ab0478f2be2f01a61a79f548053bebaaeba32733a972cd76282f32be3eec1fcada5090ecdec7fd40ac2ede908db82f8751eaafe0d198dda63548bc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 971b0ff896f4dc0ab507b70aa093577f
SHA1 2c6d5dcef3224971463dbb5a249f9177599e2698
SHA256 7cb1eb5755fefa2418bc77860420c6cca41e9b70d3a7a72a9063e4928d3f5d75
SHA512 16bde382f4ebb8576ed01fa58650277a8b9788591b2957bdb3c08a354a3b0b518d34a9cfc4c77c279b05173833d632976c108070f2e07743e8271bf67f147f96

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6bcfec05a98424961b3bd28a6f782114
SHA1 d9ae1a038a67e740d13a4c0ce55f2b6290038433
SHA256 ae41df7561249983165bc3f7d36a62e05cc4dc43fdbefa43af5306081091ab35
SHA512 17870a87d10bd76948851400b0f799ca7f8417a4d3d8bea8e38ae87cf8b1835fe4728ab961213ba548cb02ae407eb968ff9622e77ca20283c26ce973c86bc0f5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 0fd737b7794cc272db174031dc14c366
SHA1 9e3f364088d474b2564f2d477e8e762b18e46cda
SHA256 320623970d737073fdb5215752648e34077855c07ace6b7e44439fbfa9bb4be6
SHA512 cc926df80203d51d2712a7264b69db69384acc17ca3b5b372b49ddbc472d06cba10642b5dbfa1f5cd1685b71a270e9a42c849dd7394692104f6049f2eb18cb1e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 dc4d0afa73e7b3486ab06aa4caf4d743
SHA1 5d250e2c02b5883f700c92cef7512e57ee340625
SHA256 920ca8e6f57b0fac57fbd259aac826c4ce0ce86585f37644d535ee635060e606
SHA512 b8e78cedf4ff66bc5fe9733b6ecbc4133ceff9d9ab9ca5af46268b84013934f86a82a29c94d2cf05d9356bdb0cd8f2d966000a8ca20997fbd0d351f2f0b74c60

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 004ad7e31866ffadef271d947e3fbd3a
SHA1 ff360c79e446f504114dfde2f7bc619c72b2d8fe
SHA256 98f091af77181f4247765f73542768b2ca006b8d86858bdf4e68176e557df628
SHA512 52fe62269f3f0059d60d3a34bfd8b5f74a4ff1a561a6afc549c4a920bb49e172e388379dd6e2654c0c49664f7c3fe9fc314733113d54dd04838272998dabe2a2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\IndexedDB\indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

MD5 a7a2f6dbe4e14a9267f786d0d5e06097
SHA1 5513aebb0bda58551acacbfc338d903316851a7b
SHA256 dd9045ea2f3beaf0282320db70fdf395854071bf212ad747e8765837ec390cbc
SHA512 aa5d81e7ee3a646afec55aee5435dc84fe06d84d3e7e1c45c934f258292c0c4dc2f2853a13d2f2b37a98fe2f1dcc7639eacf51b09e7dcccb2e29c2cbd3ba1835

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe5acae3.TMP

MD5 8a1cb1df278f31732099f9c7d504d04d
SHA1 a917c904cf24a8f0779682bb8c41254aa77795a4
SHA256 093aeaa28e7457143c0dc47d742e11e306ea5ef3225dc455f94d2f81c5e750ad
SHA512 b14d196885a00100845d89bf00041f8f1ed04a14add776dd84c568fc24db40c6e6d49c91898107f36c228f7941dd3d12f0bc24ca1492d9c65116b81e16211c58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ba4bc3aa4b2a94d2d4a923db58464706
SHA1 011d5a4483ab033133717dd85db47ba7597e9571
SHA256 57b0c0043ed6714485c687fd94bb37ef521bb3660dfbb500ecc2fd4478339d23
SHA512 7de306d2e4d2430a85b938f62028f4c9b6d0d3fd2a73327cf33de8ec80d810bba161095c82e4d7902d2ef34cdb7ec33a9539570c9b08404f13391cb0a12facff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 104a6e42d94baec0b11771554ccc50d9
SHA1 f905f82b109b54c420a70b76e2aaaead5a66b83f
SHA256 e678c02ab9f1b77f751cabf43981fc77c73c734b186f663ea336270cca3ff4d9
SHA512 dc1d792102aee808399562060d2d7d6e30b0a48845367c423685b30ba84fd5a3ceb92191190a6a028b719a8a51c9c71ea52eb9adda89e3e44641dec55dc5bbe8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 a553f848e040e1e40ed198734eeb1d86
SHA1 62dc2edfec896ddb0dc262362447fb1fe3b51355
SHA256 6e1ce61188546100cea344858023d0d6ed035fcbdc03f1dc2fc7b0c405a0ca43
SHA512 69f97bdc00aff2e5a0a4ca64d7d926de97db3dbbda6c741a49e7fc2527230d3a62d60a099d36d96b8e3f7a3bbb6590cba2dd10eee9d56d6d38bb99384bf7efe8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 9d1d365c84e0a861f48191c628555cb4
SHA1 f07170d7f218148ebb35c6db865708df5318354e
SHA256 43c652869865ce3705513e4284fdccd51a1b73fabe5cff7e9c6a1409018adfc1
SHA512 719b9899c338909d1b9d3a273e59e036f6e0755b0a8166e6f57d5ee0628bdbcd0f7707b23724f63e4a7be94d3ad3b139821b894a4542e8e978eb0beec0d831aa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

MD5 503766d5e5838b4fcadf8c3f72e43605
SHA1 6c8b2fa17150d77929b7dc183d8363f12ff81f59
SHA256 c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9
SHA512 5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 116ccd3709805c6299179d210e16480d
SHA1 a01030caa8ceae89a29db2a63bf314a56c48daa5
SHA256 813ff2f26724d83146689fe823af847690f9932f46248f85647043a98c6eb60d
SHA512 101b545edd113b7eede904c369a214fd14acb0fa68b67715eeb91f2988e9b03097d8dfd09a90020367cd12bcce04af4bcbdf5c82595b879c9982e311076c0e2e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 3df8d99210ac09ece9b1426e61bf94f2
SHA1 c624e67e85d164d610110eeb41973e94c8344245
SHA256 78e2bbaab173ecf9f92833b4d2a4366fe722b345c77ce169dead95bb186a2862
SHA512 3d7b1eba8eef67415d5556bb497a67bdb3efe0841b2805d10f6773925fdaf88d139a02905eb48fe5fbd487fe3a89d43bbef458107e75a5915a5b25019913d32d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ae157b4459d73e199493ff1d7389a77e
SHA1 f58436db6c917f9ed4efac3bcdacc3cdd890de1e
SHA256 9e03f9f18e3526a12a0ffd892226fecfbcfcd324485dbc7956042227688164c0
SHA512 37b7305991003e52a00752fe9f8daf90a22f7b3bfac2b7e31c977bbc980a8627a9e1267b3f6d8270f4f22578b0e5f8ccb6cea174a6bab21ab024ba050b5b21c1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 48e337ac132467395a58346ee3651f26
SHA1 a369a619e783b8f14e4c1a214b50e59917e92130
SHA256 bc5e9be041de467150c2635bc37ec8f7dcdfad8a30a8cb0fde644d210f2fbe1d
SHA512 f427d9b0c5d6ee2393a4c34b87f9c49032e644260b1f06f2fa17ee232b1b7243d8bf1ddaeeefb53fea586d0575066249037cbb7c5ab34fbfeaae2b74d3402c85

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 6bf549e696b85b85d6197697cabaac81
SHA1 fa1467e5c9c36bc13762abe8f705e520b1101961
SHA256 b066a24a1a5f521eba094a6ab552a984bd0dd3ae20e06ef2592914b03702ca7b
SHA512 6686e28835077f8dc1ba5d11d06f307b06d31d5cb5ad93400c999876c5abf4f6d2f978891080951154bf5a45a3af2a4ac046dd986a1dc1b86a60a3972575f4ab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a851b24f09b6d28a4b2b093a47e456f1
SHA1 ece9b80722c71c175484ff976d414ff68531088d
SHA256 54e75da9bc4ed32d97395b0be949f24527cb53b8b6fd0dfd6662309473fe82c3
SHA512 2b202b0c5b6b0c83c29e5e925f7c38fa5f063b43be6a4f82bd46fa7a79a32563f39625caaf9cf704244659d183fc4a51cb8947f1f47247568e86d63edbf304e7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7aaccfa219c3cd21e5cb9b04a56098d9
SHA1 aec4fb7a9b259262a20f641db91f6dcf5b689495
SHA256 1d20b8bd3c23109a1c9f6554f808ff87a57ad05c7e5e4a207f3429ad5c61e320
SHA512 44b39fe2a5f7eab2597d3b2e932cfc772c89e3bba657ee32aafd4b4098154762ccd0cf9b043dcdd5d52e5666be3415cead0ff2c76f09e8ecac03849bd1f4d093

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\397e5d81bdb71a423054f3b5524da80fc3c2e3bb\be040516-2203-4425-a037-0cfa63dc345d\index-dir\the-real-index

MD5 5eacff890e9cdf4c75c9b07b64f0986b
SHA1 675b58f340b69c3ae67a89fe2167b6f7c12d171d
SHA256 7d517bf854cf4db6e0d278ff80aac84f60858824625f8abccdb234037c62414b
SHA512 c8ab093a5b5ac87ffba76bc477220c2083af68eb01933418e8fc05e87b32e3eae2fbe03ce1a6d934181abdb34cc7e45ba1a8f5a8bc20f8855df89e5b243ab91a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\397e5d81bdb71a423054f3b5524da80fc3c2e3bb\be040516-2203-4425-a037-0cfa63dc345d\index-dir\the-real-index~RFe5b921b.TMP

MD5 be882afa46c8f883faed832b1b359378
SHA1 bdeca47fe2caaf9b9ec3b43265aad654ca22285f
SHA256 f7fd152a672bde64737cb76eee3241ba2a1ac1e309e800a14049838f51989259
SHA512 d5280eaae4e6a45c53553f61bc33fb0909e3ad641a8e2cb9af55052de77c5a871c6531c91f9a5c79d845b1967711e469536232044db6522e65a4d93c88adad48

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\397e5d81bdb71a423054f3b5524da80fc3c2e3bb\index.txt

MD5 59cdfaeaa94abad151b2e0114e401e79
SHA1 18cf03d0f3154af11624e9e8337aa1122c842caa
SHA256 621887beed089af98678b09c3f432b10b3faf50c4033ad6183b3359e069d8448
SHA512 891afacdcebc63828b2d0c10e81e757c900dfea734ee74db7d8e2cbc39aada2ef838ba1f438e292a1c8526953b6b6832a93769645620b2fe2761dc70563f8c02

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\397e5d81bdb71a423054f3b5524da80fc3c2e3bb\index.txt~RFe5b924a.TMP

MD5 ee6d5e1247e789a3def15e035653bc10
SHA1 4e5a5996997903c6673d5a897de4eb51e0dce786
SHA256 fb0f0ffd45069fb49b6b27b2d60ae8fd1470b70e94eea8955cce9316d61bd678
SHA512 e43023d3eeb872789deeb7263e1e2884fdb33f4366e8377b7181df3e822904616d1d30afae84f4da892415fbcb65aaff8538ed1bd3f50b43b77dd939d9328c32

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 b5ad5caaaee00cb8cf445427975ae66c
SHA1 dcde6527290a326e048f9c3a85280d3fa71e1e22
SHA256 b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8
SHA512 92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 d222b77a61527f2c177b0869e7babc24
SHA1 3f23acb984307a4aeba41ebbb70439c97ad1f268
SHA256 80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747
SHA512 d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 b27c7b50b561f180e9521b6f6b150d8f
SHA1 ed7725efc89974275de505be1819b115e73c7625
SHA256 798d1213dc8b9cf36150af90bc3cceab9ee96fdf24f8585ce8385a54e753601c
SHA512 10cc65aa3fc42bad5e06f52ff579e60f420a8b7d90e95f0a818805a993824386102aa80b54395912b7d40ac368b1a2aaec591c04e9e3dcd5a4bad5bac9502613

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2c8bce885285ee6356ad41f40710ed08
SHA1 4360f6110d1f1f0325d324183f590394d7ea4c52
SHA256 8987b1a2b7f0bcc672503e30255087b1e3a2b01034c725f5505e62cf57a4eb25
SHA512 1ad35c3e077fa2175c611577a731160237bc0b47b30667a0f3fcaf7bebebbf558ffc91aa052b61afc7d499f966635ffc3e4a87d9875442ffac4d058d955effbf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 b4315fbe5a70820b9105471073de1f59
SHA1 eeb70bcd35c8afcd08edd433f4daaeb762cf3a71
SHA256 4a1b8980cce3bf81b05af117f877538ed6da580c9d902f95c3b019c5983b42eb
SHA512 8f821f482b04e81e4ff957396870fc981fb5a0a0b030092fa3e23062ad7f32aeae15c96934fe3290e226217a844c52053540afc4ebac134c3634a7ec88370272

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 358df9b7ee9faea6d3ac4a0494e46dd4
SHA1 24dd15d9e86273c7c25638112f9b3fa2036542b8
SHA256 10351fe5d022a825cebdaf5627d42e8444fe1233da9bfc551d12bf3c65c91db2
SHA512 c4849dbbbf1f1cf58e911aee9c02563dd9287905bae2eccb10cb99c1d1c29b393b0a2bafc4c825a38a39b3a31589136c7f9cbe0f2290d256ca09a61a3aedfd3c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 c8ea6b31a97be585929e46bf8931aea9
SHA1 bc9f9969ffa7b0c60c48eb9d61cb73bd7adb369b
SHA256 d0a1a180d9cb1265651466065d9aeaa1f1dbaa3a2842714dc40d9e26c3b101bc
SHA512 802b8a8f2caccef14f552bcf86f753bbf4d9c54f34893b9991bc285e54dd0316d8fc63fec3a19ce75999392f87cca1d92ed1a771325caff951e3cf61cbe721e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e67395032ed163c58f891c42db1a900d
SHA1 d9fda064df525de2bd1503d4941827571c02fa46
SHA256 a96b8139b8abae00b0dd56c40f36b23fedba75df5ce8a43287f6049d3d063378
SHA512 602d0fa0337352ee65bff1696e4b9738b9a1a2bf726ec9f93ae990278554c697f225e3475689f213bbda2cf438885427588510722da8a648b4547fe30ab0892c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1241fb31b2d2171799bac962894b393f
SHA1 7a466c212bbd475657d9b4c321267bb92e076a56
SHA256 4cd8f3fda2bc169aed4660d6fb5119cb5ffad8dd92ac5fae725a5ace41d70d24
SHA512 2352b23362f6e6b9ecb3726a98db6d25b1a5ba5a59329ba22a3f87ed7d85a9a568ab98807b426d6e955082981a08b3385aab8a86e3f00b42106a55c96565cdf6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 84c1854facd781f79c84b63508e2a844
SHA1 5bdb1073e510207a9dcaf768c7ba72aeeeb90f31
SHA256 76111f0a6dcde413e0d5fcb3aa48882d3065a492e545441616b0a923b703b317
SHA512 fca3d324af0722c0aaef37bf13c5990fcd1aaf0b942a78953f594c3cc61b255ad7c6d878eb98375dfe690015d6d17873e236c24d73cc56a61f07138f30c221f9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 0f67248d2d38d83c01deaadaa3c2f637
SHA1 c94dee4eebe089095e877f557f18464f0aadb085
SHA256 7e2ce8bdf5371390dd741376a606f87581c20c7638a82ec0b8a94ce00e531fb4
SHA512 6848a8b73cffe32d9cb2652bed7a4b3033be960f6b972344a3482fc2d269f20619f6d706d4bc9d6c034dfb7f692e7e3c0331a316c3440ad8bfef359b1658f7d7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_open.spotify.com_0.indexeddb.leveldb\MANIFEST-000001

MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824