Malware Analysis Report

2024-11-13 18:03

Sample ID 241109-tmzv9awqey
Target Full-Package-OneClick-V6.7.zip
SHA256 3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21
Tags
defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Threat Level: Known bad

The file Full-Package-OneClick-V6.7.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan

UAC bypass

Modifies security service

Disables service(s)

Modifies visibility of file extensions in Explorer

Modifies boot configuration data using bcdedit

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Stops running service(s)

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Legitimate hosting services abused for malware hosting/C2

Power Settings

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Adds Run key to start application

Enumerates connected drives

Indicator Removal: File Deletion

Drops file in System32 directory

Launches sc.exe

Hide Artifacts: Ignore Process Interrupts

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Gathers network information

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

System policy modification

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Suspicious behavior: AddClipboardFormatListener

Kills process with taskkill

Delays execution with timeout.exe

Modifies registry key

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Disables Windows logging functionality

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-09 16:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 16:11

Reported

2024-11-09 16:22

Platform

win11-20241007-en

Max time kernel

633s

Max time network

618s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Full-Package-OneClick-V6.7.zip"

Signatures

Disables service(s)

evasion execution

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\system32\reg.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Windows\system32\reg.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion execution

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TimerResolution = "C:\\Oneclick Tools\\Timer Resolution\\SetTimerResolution.exe --resolution 5070 --no-console" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\8m56aq C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ C:\Windows\system32\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: N/A N/A
File opened (read-only) \??\F: N/A N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Indicator Removal: File Deletion

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\SRU\SRU.chk C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRU.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3a811826-2439-4b4b-8e5b-3758fdc20efe}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3a811826-2439-4b4b-8e5b-3758fdc20efe}\snapshot.etl C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3587106988-279496464-3440778474-1000_UserData.bin C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\SRU\SRUDB.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-3587106988-279496464-3440778474-1000_StartupInfo3.xml C:\Windows\System32\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\CONCRT~2.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_CENT~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\BIB~1.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\UPDATE~1.API C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBEP~1.PMP C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\COLLEC~1.AAP C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1250~1.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_R~1.AAP C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Spelling.api C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TURKISH.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PPKLite.api C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_53EF~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXE8SH~1.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CCME_B~2.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\COOLTY~1.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\INFO~1.PLI C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MULTIM~1.API C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\DISPLA~2.T C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\PLUGIN~1.MAN C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_A468~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~2 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_62AD~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_C9E2~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBEL~1.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1257.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\sqlite.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_31C8~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACROFO~1.API C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeXMP.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1251.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CROATIAN.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\CACHES~1.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\COMMEN~1.AAP C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CORPCH~1.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\SYMBOL~1.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_3369~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\FILLSI~1.AAP C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\LOGTRA~1.EXE C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Onix32.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adelrcp.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXSLE.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\DigSig.api C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENT~3.194 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icudt40.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\DISPLA~1.EN_ C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TESSEL~1.X3D C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\00006109E70000000100000000F01FEC\16.0.12527\CONCRT~1.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~4 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_9587~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_B2C0~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBEH~1.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Annots.api C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\TRACKE~1.AAP C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\_d.x3d C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\a3dutils.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ADOBEC~1.EXE C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CENTEURO.TXT C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\DISPLA~2.EN_ C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\dummy.dic C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icucnv40.dll C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_D2B9~1 C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ACE~1.DLL C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\EPDF_F~1.AAP C:\Windows\System32\cmd.exe N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A N/A N/A

Disables Windows logging functionality

Gathers network information

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A N/A N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002" C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "56" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "58" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\Use FormSuggest = "no" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "12401" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2} C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 0c0001008421de39020000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "0" C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "56" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "12366" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000fdad8608b018db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "38" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f706806ee260aa0d7449371beb064c986830000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "858" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\Total = "23" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoftwindows.client.cbs C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "12399" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "858" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\ShowSearchHistory\ = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoftwindows.client.cbs\ = "23" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Oneclick Tools\NSudo\NSudoLG.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\system32\Taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 1160 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE
PID 2292 wrote to memory of 1160 N/A C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\NOTEPAD.EXE
PID 1652 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe
PID 1652 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\fltMC.exe
PID 1652 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1652 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1652 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1652 wrote to memory of 1648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1652 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 4756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1652 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1652 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1652 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1652 wrote to memory of 988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 988 wrote to memory of 420 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 988 wrote to memory of 420 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3624 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\fltMC.exe
PID 3624 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\fltMC.exe
PID 3624 wrote to memory of 3284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3624 wrote to memory of 3284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3624 wrote to memory of 4976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 4976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 2420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 4004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3624 wrote to memory of 4004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3624 wrote to memory of 1128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 1128 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 2536 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\find.exe
PID 3624 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 3624 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\curl.exe
PID 3624 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3624 wrote to memory of 2672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3624 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tar.exe
PID 3624 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tar.exe
PID 3624 wrote to memory of 3400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 3400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3624 wrote to memory of 796 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3624 wrote to memory of 568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 3208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 3208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 2464 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 2464 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 3992 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 3992 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3624 wrote to memory of 3908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3624 wrote to memory of 1420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 1420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 1176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 1176 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3624 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3624 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe
PID 3624 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\timeout.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" C:\Oneclick Tools\OOShutup10\OOSU10.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Full-Package-OneClick-V6.7.zip"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4F86FEB7\0- Read Me Important.txt

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat" "

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\sc.exe

sc query "WinDefend"

C:\Windows\system32\find.exe

find "STATE"

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc qc "TrustedInstaller"

C:\Windows\system32\find.exe

find "START_TYPE"

C:\Windows\system32\find.exe

find "DISABLED"

C:\Windows\system32\sc.exe

sc config TrustedInstaller start=auto

C:\Windows\system32\net.exe

net start TrustedInstaller

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 start TrustedInstaller

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.469_none_04a25ac34c904574\TiWorker.exe -Embedding

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat"

C:\Windows\system32\fltMC.exe

fltmc

C:\Windows\system32\sc.exe

sc query "WinDefend"

C:\Windows\system32\find.exe

find "STATE"

C:\Windows\system32\find.exe

find "RUNNING"

C:\Windows\system32\sc.exe

sc qc "TrustedInstaller"

C:\Windows\system32\find.exe

find "START_TYPE"

C:\Windows\system32\find.exe

find "DISABLED"

C:\Windows\system32\curl.exe

curl -s -L "https://github.com/QuakedK/Downloads/raw/main/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\tar.exe

tar -xf "C:\\Oneclick Tools.zip" --strip-components=1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Invalid choice, Please choose Y or N.' -ForegroundColor White -BackgroundColor Red"

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f

C:\Windows\system32\powercfg.exe

powercfg.exe /hibernate off

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config HomeGroupListener start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupProvider start=demand

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config AJRouter start=disabled

C:\Windows\system32\sc.exe

sc config ALG start=demand

C:\Windows\system32\sc.exe

sc config AppIDSvc start=demand

C:\Windows\system32\sc.exe

sc config AppMgmt start=demand

C:\Windows\system32\sc.exe

sc config AppReadiness start=demand

C:\Windows\system32\sc.exe

sc config AppVClient start=disabled

C:\Windows\system32\sc.exe

sc config AppXSvc start=demand

C:\Windows\system32\sc.exe

sc config Appinfo start=demand

C:\Windows\system32\sc.exe

sc config AssignedAccessManagerSvc start=disabled

C:\Windows\system32\sc.exe

sc config AudioEndpointBuilder start=auto

C:\Windows\system32\sc.exe

sc config AudioSrv start=auto

C:\Windows\system32\sc.exe

sc config Audiosrv start=auto

C:\Windows\system32\sc.exe

sc config AxInstSV start=demand

C:\Windows\system32\sc.exe

sc config BDESVC start=demand

C:\Windows\system32\sc.exe

sc config BFE start=auto

C:\Windows\system32\sc.exe

sc config BITS start=delayed-auto

C:\Windows\system32\sc.exe

sc config BTAGService start=demand

C:\Windows\system32\sc.exe

sc config BcastDVRUserService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config BluetoothUserService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config BrokerInfrastructure start=auto

C:\Windows\system32\sc.exe

sc config Browser start=demand

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start=auto

C:\Windows\system32\sc.exe

sc config BthHFSrv start=auto

C:\Windows\system32\sc.exe

sc config CDPSvc start=demand

C:\Windows\system32\sc.exe

sc config CDPUserSvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config COMSysApp start=demand

C:\Windows\system32\sc.exe

sc config CaptureService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CertPropSvc start=demand

C:\Windows\system32\sc.exe

sc config ClipSVC start=demand

C:\Windows\system32\sc.exe

sc config ConsentUxUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CoreMessagingRegistrar start=auto

C:\Windows\system32\sc.exe

sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config CryptSvc start=auto

C:\Windows\system32\sc.exe

sc config CscService start=demand

C:\Windows\system32\sc.exe

sc config DPS start=auto

C:\Windows\system32\sc.exe

sc config DcomLaunch start=auto

C:\Windows\system32\sc.exe

sc config DcpSvc start=demand

C:\Windows\system32\sc.exe

sc config DevQueryBroker start=demand

C:\Windows\system32\sc.exe

sc config DeviceAssociationBrokerSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config DeviceAssociationService start=demand

C:\Windows\system32\sc.exe

sc config DeviceInstall start=demand

C:\Windows\system32\sc.exe

sc config DevicePickerUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config Dhcp start=auto

C:\Windows\system32\sc.exe

sc config DiagTrack start=disabled

C:\Windows\system32\sc.exe

sc config DialogBlockingService start=disabled

C:\Windows\system32\sc.exe

sc config DispBrokerDesktopSvc start=auto

C:\Windows\system32\sc.exe

sc config DisplayEnhancementService start=demand

C:\Windows\system32\sc.exe

sc config DmEnrollmentSvc start=demand

C:\Windows\system32\sc.exe

sc config Dnscache start=auto

C:\Windows\system32\sc.exe

sc config DoSvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config DsSvc start=demand

C:\Windows\system32\sc.exe

sc config DsmSvc start=demand

C:\Windows\system32\sc.exe

sc config DusmSvc start=auto

C:\Windows\system32\sc.exe

sc config EFS start=demand

C:\Windows\system32\sc.exe

sc config EapHost start=demand

C:\Windows\system32\sc.exe

sc config EntAppSvc start=demand

C:\Windows\system32\sc.exe

sc config EventLog start=auto

C:\Windows\system32\sc.exe

sc config EventSystem start=auto

C:\Windows\system32\sc.exe

sc config FDResPub start=demand

C:\Windows\system32\sc.exe

sc config Fax start=demand

C:\Windows\system32\sc.exe

sc config FontCache start=auto

C:\Windows\system32\sc.exe

sc config FrameServer start=demand

C:\Windows\system32\sc.exe

sc config FrameServerMonitor start=demand

C:\Windows\system32\sc.exe

sc config GraphicsPerfSvc start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupListener start=demand

C:\Windows\system32\sc.exe

sc config HomeGroupProvider start=demand

C:\Windows\system32\sc.exe

sc config HvHost start=demand

C:\Windows\system32\sc.exe

sc config IEEtwCollectorService start=demand

C:\Windows\system32\sc.exe

sc config IKEEXT start=demand

C:\Windows\system32\sc.exe

sc config InstallService start=demand

C:\Windows\system32\sc.exe

sc config InventorySvc start=demand

C:\Windows\system32\sc.exe

sc config IpxlatCfgSvc start=demand

C:\Windows\system32\sc.exe

sc config KeyIso start=auto

C:\Windows\system32\sc.exe

sc config KtmRm start=demand

C:\Windows\system32\sc.exe

sc config LSM start=auto

C:\Windows\system32\sc.exe

sc config LanmanServer start=auto

C:\Windows\system32\sc.exe

sc config LanmanWorkstation start=auto

C:\Windows\system32\sc.exe

sc config LicenseManager start=demand

C:\Windows\system32\sc.exe

sc config LxpSvc start=demand

C:\Windows\system32\sc.exe

sc config MSDTC start=demand

C:\Windows\system32\sc.exe

sc config MSiSCSI start=demand

C:\Windows\system32\sc.exe

sc config MapsBroker start=delayed-auto

C:\Windows\system32\sc.exe

sc config McpManagementService start=demand

C:\Windows\system32\sc.exe

sc config MessagingService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config MicrosoftEdgeElevationService start=demand

C:\Windows\system32\sc.exe

sc config MixedRealityOpenXRSvc start=demand

C:\Windows\system32\sc.exe

sc config MpsSvc start=auto

C:\Windows\system32\sc.exe

sc config MsKeyboardFilter start=demand

C:\Windows\system32\sc.exe

sc config NPSMSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config NaturalAuthentication start=demand

C:\Windows\system32\sc.exe

sc config NcaSvc start=demand

C:\Windows\system32\sc.exe

sc config NcbService start=demand

C:\Windows\system32\sc.exe

sc config NcdAutoSetup start=demand

C:\Windows\system32\sc.exe

sc config NetSetupSvc start=demand

C:\Windows\system32\sc.exe

sc config NetTcpPortSharing start=disabled

C:\Windows\system32\sc.exe

sc config Netlogon start=demand

C:\Windows\system32\sc.exe

sc config Netman start=demand

C:\Windows\system32\sc.exe

sc config NgcCtnrSvc start=demand

C:\Windows\system32\sc.exe

sc config NgcSvc start=demand

C:\Windows\system32\sc.exe

sc config NlaSvc start=demand

C:\Windows\system32\sc.exe

sc config OneSyncSvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config P9RdrService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PNRPAutoReg start=demand

C:\Windows\system32\sc.exe

sc config PNRPsvc start=demand

C:\Windows\system32\sc.exe

sc config PcaSvc start=demand

C:\Windows\system32\sc.exe

sc config PeerDistSvc start=demand

C:\Windows\system32\sc.exe

sc config PenService_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PerfHost start=demand

C:\Windows\system32\sc.exe

sc config PhoneSvc start=demand

C:\Windows\system32\sc.exe

sc config PimIndexMaintenanceSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config PlugPlay start=demand

C:\Windows\system32\sc.exe

sc config PolicyAgent start=demand

C:\Windows\system32\sc.exe

sc config Power start=auto

C:\Windows\system32\sc.exe

sc config PrintNotify start=demand

C:\Windows\system32\sc.exe

sc config PrintWorkflowUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config ProfSvc start=auto

C:\Windows\system32\sc.exe

sc config PushToInstall start=demand

C:\Windows\system32\sc.exe

sc config QWAVE start=demand

C:\Windows\system32\sc.exe

sc config RasAuto start=demand

C:\Windows\system32\sc.exe

sc config RasMan start=demand

C:\Windows\system32\sc.exe

sc config RemoteAccess start=disabled

C:\Windows\system32\sc.exe

sc config RemoteRegistry start=disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=demand

C:\Windows\system32\sc.exe

sc config RmSvc start=demand

C:\Windows\system32\sc.exe

sc config RpcEptMapper start=auto

C:\Windows\system32\sc.exe

sc config RpcLocator start=demand

C:\Windows\system32\sc.exe

sc config RpcSs start=auto

C:\Windows\system32\sc.exe

sc config SCPolicySvc start=demand

C:\Windows\system32\sc.exe

sc config SCardSvr start=demand

C:\Windows\system32\sc.exe

sc config SDRSVC start=demand

C:\Windows\system32\sc.exe

sc config SEMgrSvc start=demand

C:\Windows\system32\sc.exe

sc config SENS start=auto

C:\Windows\system32\sc.exe

sc config SNMPTRAP start=demand

C:\Windows\system32\sc.exe

sc config SNMPTrap start=demand

C:\Windows\system32\sc.exe

sc config SSDPSRV start=demand

C:\Windows\system32\sc.exe

sc config SamSs start=auto

C:\Windows\system32\sc.exe

sc config ScDeviceEnum start=demand

C:\Windows\system32\sc.exe

sc config Schedule start=auto

C:\Windows\system32\sc.exe

sc config SecurityHealthService start=demand

C:\Windows\system32\sc.exe

sc config Sense start=demand

C:\Windows\system32\sc.exe

sc config SensorDataService start=demand

C:\Windows\system32\sc.exe

sc config SensorService start=demand

C:\Windows\system32\sc.exe

sc config SensrSvc start=demand

C:\Windows\system32\sc.exe

sc config SessionEnv start=demand

C:\Windows\system32\sc.exe

sc config SgrmBroker start=auto

C:\Windows\system32\sc.exe

sc config SharedAccess start=demand

C:\Windows\system32\sc.exe

sc config SharedRealitySvc start=demand

C:\Windows\system32\sc.exe

sc config ShellHWDetection start=auto

C:\Windows\system32\sc.exe

sc config SmsRouter start=demand

C:\Windows\system32\sc.exe

sc config Spooler start=auto

C:\Windows\system32\sc.exe

sc config SstpSvc start=demand

C:\Windows\system32\sc.exe

sc config StateRepository start=demand

C:\Windows\system32\sc.exe

sc config StiSvc start=demand

C:\Windows\system32\sc.exe

sc config StorSvc start=demand

C:\Windows\system32\sc.exe

sc config SysMain start=auto

C:\Windows\system32\sc.exe

sc config SystemEventsBroker start=auto

C:\Windows\system32\sc.exe

sc config TabletInputService start=demand

C:\Windows\system32\sc.exe

sc config TapiSrv start=demand

C:\Windows\system32\sc.exe

sc config TermService start=auto

C:\Windows\system32\sc.exe

sc config TextInputManagementService start=demand

C:\Windows\system32\sc.exe

sc config Themes start=auto

C:\Windows\system32\sc.exe

sc config TieringEngineService start=demand

C:\Windows\system32\sc.exe

sc config TimeBroker start=demand

C:\Windows\system32\sc.exe

sc config TimeBrokerSvc start=demand

C:\Windows\system32\sc.exe

sc config TokenBroker start=demand

C:\Windows\system32\sc.exe

sc config TrkWks start=auto

C:\Windows\system32\sc.exe

sc config TroubleshootingSvc start=demand

C:\Windows\system32\sc.exe

sc config TrustedInstaller start=demand

C:\Windows\system32\sc.exe

sc config UI0Detect start=demand

C:\Windows\system32\sc.exe

sc config UdkUserSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UevAgentService start=disabled

C:\Windows\system32\sc.exe

sc config UmRdpService start=demand

C:\Windows\system32\sc.exe

sc config UnistoreSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UserDataSvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config UserManager start=auto

C:\Windows\system32\sc.exe

sc config UsoSvc start=demand

C:\Windows\system32\sc.exe

sc config VGAuthService start=auto

C:\Windows\system32\sc.exe

sc config VMTools start=auto

C:\Windows\system32\sc.exe

sc config VSS start=demand

C:\Windows\system32\sc.exe

sc config VacSvc start=demand

C:\Windows\system32\sc.exe

sc config VaultSvc start=auto

C:\Windows\system32\sc.exe

sc config W32Time start=demand

C:\Windows\system32\sc.exe

sc config WEPHOSTSVC start=demand

C:\Windows\system32\sc.exe

sc config WFDSConMgrSvc start=demand

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start=demand

C:\Windows\system32\sc.exe

sc config WManSvc start=demand

C:\Windows\system32\sc.exe

sc config WPDBusEnum start=demand

C:\Windows\system32\sc.exe

sc config WSService start=demand

C:\Windows\system32\sc.exe

sc config WSearch start=delayed-auto

C:\Windows\system32\sc.exe

sc config WaaSMedicSvc start=demand

C:\Windows\system32\sc.exe

sc config WalletService start=demand

C:\Windows\system32\sc.exe

sc config WarpJITSvc start=demand

C:\Windows\system32\sc.exe

sc config WbioSrvc start=demand

C:\Windows\system32\sc.exe

sc config Wcmsvc start=auto

C:\Windows\system32\sc.exe

sc config WcsPlugInService start=demand

C:\Windows\system32\sc.exe

sc config WdNisSvc start=demand

C:\Windows\system32\sc.exe

sc config WdiServiceHost start=demand

C:\Windows\system32\sc.exe

sc config WdiSystemHost start=demand

C:\Windows\system32\sc.exe

sc config WebClient start=demand

C:\Windows\system32\sc.exe

sc config Wecsvc start=demand

C:\Windows\system32\sc.exe

sc config WerSvc start=demand

C:\Windows\system32\sc.exe

sc config WiaRpc start=demand

C:\Windows\system32\sc.exe

sc config WinDefend start=auto

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start=demand

C:\Windows\system32\sc.exe

sc config WinRM start=demand

C:\Windows\system32\sc.exe

sc config Winmgmt start=auto

C:\Windows\system32\sc.exe

sc config WlanSvc start=auto

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=demand

C:\Windows\system32\sc.exe

sc config WpnService start=demand

C:\Windows\system32\sc.exe

sc config WpnUserService_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config WwanSvc start=demand

C:\Windows\system32\sc.exe

sc config XblAuthManager start=demand

C:\Windows\system32\sc.exe

sc config XblGameSave start=demand

C:\Windows\system32\sc.exe

sc config XboxGipSvc start=demand

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start=demand

C:\Windows\system32\sc.exe

sc config autotimesvc start=demand

C:\Windows\system32\sc.exe

sc config bthserv start=demand

C:\Windows\system32\sc.exe

sc config camsvc start=demand

C:\Windows\system32\sc.exe

sc config cbdhsvc_dc2a4 start=demand

C:\Windows\system32\sc.exe

sc config cloudidsvc start=demand

C:\Windows\system32\sc.exe

sc config dcsvc start=demand

C:\Windows\system32\sc.exe

sc config defragsvc start=demand

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start=demand

C:\Windows\system32\sc.exe

sc config diagsvc start=demand

C:\Windows\system32\sc.exe

sc config dmwappushservice start=demand

C:\Windows\system32\sc.exe

sc config dot3svc start=demand

C:\Windows\system32\sc.exe

sc config edgeupdate start=demand

C:\Windows\system32\sc.exe

sc config edgeupdatem start=demand

C:\Windows\system32\sc.exe

sc config embeddedmode start=demand

C:\Windows\system32\sc.exe

sc config fdPHost start=demand

C:\Windows\system32\sc.exe

sc config fhsvc start=demand

C:\Windows\system32\sc.exe

sc config gpsvc start=auto

C:\Windows\system32\sc.exe

sc config hidserv start=demand

C:\Windows\system32\sc.exe

sc config icssvc start=demand

C:\Windows\system32\sc.exe

sc config iphlpsvc start=auto

C:\Windows\system32\sc.exe

sc config lfsvc start=demand

C:\Windows\system32\sc.exe

sc config lltdsvc start=demand

C:\Windows\system32\sc.exe

sc config lmhosts start=demand

C:\Windows\system32\sc.exe

sc config mpssvc start=auto

C:\Windows\system32\sc.exe

sc config msiserver start=demand

C:\Windows\system32\sc.exe

sc config netprofm start=demand

C:\Windows\system32\sc.exe

sc config nsi start=auto

C:\Windows\system32\sc.exe

sc config p2pimsvc start=demand

C:\Windows\system32\sc.exe

sc config p2psvc start=demand

C:\Windows\system32\sc.exe

sc config perceptionsimulation start=demand

C:\Windows\system32\sc.exe

sc config pla start=demand

C:\Windows\system32\sc.exe

sc config seclogon start=demand

C:\Windows\system32\sc.exe

sc config shpamsvc start=disabled

C:\Windows\system32\sc.exe

sc config smphost start=demand

C:\Windows\system32\sc.exe

sc config spectrum start=demand

C:\Windows\system32\sc.exe

sc config sppsvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config ssh-agent start=disabled

C:\Windows\system32\sc.exe

sc config svsvc start=demand

C:\Windows\system32\sc.exe

sc config swprv start=demand

C:\Windows\system32\sc.exe

sc config tiledatamodelsvc start=auto

C:\Windows\system32\sc.exe

sc config tzautoupdate start=disabled

C:\Windows\system32\sc.exe

sc config uhssvc start=disabled

C:\Windows\system32\sc.exe

sc config upnphost start=demand

C:\Windows\system32\sc.exe

sc config vds start=demand

C:\Windows\system32\sc.exe

sc config vm3dservice start=demand

C:\Windows\system32\sc.exe

sc config vmicguestinterface start=demand

C:\Windows\system32\sc.exe

sc config vmicheartbeat start=demand

C:\Windows\system32\sc.exe

sc config vmickvpexchange start=demand

C:\Windows\system32\sc.exe

sc config vmicrdv start=demand

C:\Windows\system32\sc.exe

sc config vmicshutdown start=demand

C:\Windows\system32\sc.exe

sc config vmictimesync start=demand

C:\Windows\system32\sc.exe

sc config vmicvmsession start=demand

C:\Windows\system32\sc.exe

sc config vmicvss start=demand

C:\Windows\system32\sc.exe

sc config vmvss start=demand

C:\Windows\system32\sc.exe

sc config wbengine start=demand

C:\Windows\system32\sc.exe

sc config wcncsvc start=demand

C:\Windows\system32\sc.exe

sc config webthreatdefsvc start=demand

C:\Windows\system32\sc.exe

sc config webthreatdefusersvc_dc2a4 start=auto

C:\Windows\system32\sc.exe

sc config wercplsupport start=demand

C:\Windows\system32\sc.exe

sc config wisvc start=demand

C:\Windows\system32\sc.exe

sc config wlidsvc start=demand

C:\Windows\system32\sc.exe

sc config wlpasvc start=demand

C:\Windows\system32\sc.exe

sc config wmiApSrv start=demand

C:\Windows\system32\sc.exe

sc config workfolderssvc start=demand

C:\Windows\system32\sc.exe

sc config wscsvc start=delayed-auto

C:\Windows\system32\sc.exe

sc config wuauserv start=demand

C:\Windows\system32\sc.exe

sc config wudfsvc start=demand

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\bcdedit.exe

bcdedit /set {current} bootmenupolicy Legacy

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"

C:\Windows\system32\reg.exe

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild

C:\Windows\system32\findstr.exe

findstr /r /c:"CurrentBuild"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"

C:\Windows\system32\Taskmgr.exe

"C:\Windows\system32\Taskmgr.exe"

C:\Windows\system32\timeout.exe

timeout /t 2

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences

C:\Windows\system32\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"

C:\Windows\system32\icacls.exe

icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction SilentlyContinue"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\curl.exe

curl -s -g -k -L -# -o "C:\Oneclick Tools\OOShutup10\OOSU10.exe" "https://dl5.oo-software.com/files/ooshutup10/OOSU10.exe"

C:\Windows\system32\curl.exe

curl -s -L -o "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" "https://drive.google.com/uc?export=download&id=1v7N241A58mn__45YSQCsn2lelrz7yR6_"

C:\Oneclick Tools\OOShutup10\OOSU10.exe

"C:\Oneclick Tools\OOShutup10\OOSU10.exe" "C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg" /quiet

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f

C:\Windows\system32\reg.exe

reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\sc.exe

sc config wlidsvc start= disabled

C:\Windows\system32\sc.exe

sc config DisplayEnhancementService start= disabled

C:\Windows\system32\sc.exe

sc config DiagTrack start= disabled

C:\Windows\system32\sc.exe

sc config DusmSvc start= disabled

C:\Windows\system32\sc.exe

sc config TabletInputService start= disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start= disabled

C:\Windows\system32\sc.exe

sc config Fax start= disabled

C:\Windows\system32\sc.exe

sc config SharedAccess start= disabled

C:\Windows\system32\sc.exe

sc config lfsvc start= disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start= disabled

C:\Windows\system32\sc.exe

sc config SessionEnv start= disabled

C:\Windows\system32\sc.exe

sc config MicrosoftEdgeElevationService start= disabled

C:\Windows\system32\sc.exe

sc config edgeupdate start= disabled

C:\Windows\system32\sc.exe

sc config edgeupdatem start= disabled

C:\Windows\system32\sc.exe

sc config autotimesvc start= disabled

C:\Windows\system32\sc.exe

sc config CscService start= disabled

C:\Windows\system32\sc.exe

sc config TermService start= disabled

C:\Windows\system32\sc.exe

sc config SensorDataService start= disabled

C:\Windows\system32\sc.exe

sc config SensorService start= disabled

C:\Windows\system32\sc.exe

sc config SensrSvc start= disabled

C:\Windows\system32\sc.exe

sc config shpamsvc start= disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start= disabled

C:\Windows\system32\sc.exe

sc config PhoneSvc start= disabled

C:\Windows\system32\sc.exe

sc config TapiSrv start= disabled

C:\Windows\system32\sc.exe

sc config UevAgentService start= disabled

C:\Windows\system32\sc.exe

sc config WalletService start= disabled

C:\Windows\system32\sc.exe

sc config TokenBroker start= disabled

C:\Windows\system32\sc.exe

sc config WebClient start= disabled

C:\Windows\system32\sc.exe

sc config MixedRealityOpenXRSvc start= disabled

C:\Windows\system32\sc.exe

sc config stisvc start= disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start= disabled

C:\Windows\system32\sc.exe

sc config icssvc start= disabled

C:\Windows\system32\sc.exe

sc config Wecsvc start= disabled

C:\Windows\system32\sc.exe

sc config XboxGipSvc start= disabled

C:\Windows\system32\sc.exe

sc config XblAuthManager start= disabled

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start= disabled

C:\Windows\system32\sc.exe

sc config XblGameSave start= disabled

C:\Windows\system32\sc.exe

sc config SEMgrSvc start= disabled

C:\Windows\system32\sc.exe

sc config iphlpsvc start= disabled

C:\Windows\system32\sc.exe

sc config Backupper Service start= disabled

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start= disabled

C:\Windows\system32\sc.exe

sc config BDESVC start= disabled

C:\Windows\system32\sc.exe

sc config cbdhsvc start= disabled

C:\Windows\system32\sc.exe

sc config CDPSvc start= disabled

C:\Windows\system32\sc.exe

sc config CDPUserSvc start= disabled

C:\Windows\system32\sc.exe

sc config DevQueryBroker start= disabled

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc start= disabled

C:\Windows\system32\sc.exe

sc config dmwappushservice start= disabled

C:\Windows\system32\sc.exe

sc config DispBrokerDesktopSvc start= disabled

C:\Windows\system32\sc.exe

sc config TrkWks start= disabled

C:\Windows\system32\sc.exe

sc config dLauncherLoopback start= disabled

C:\Windows\system32\sc.exe

sc config EFS start= disabled

C:\Windows\system32\sc.exe

sc config fdPHost start= disabled

C:\Windows\system32\sc.exe

sc config FDResPub start= disabled

C:\Windows\system32\sc.exe

sc config IKEEXT start= disabled

C:\Windows\system32\sc.exe

sc config NPSMSvc start= disabled

C:\Windows\system32\sc.exe

sc config WPDBusEnum start= disabled

C:\Windows\system32\sc.exe

sc config PcaSvc start= disabled

C:\Windows\system32\sc.exe

sc config RasMan start= disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start=disabled

C:\Windows\system32\sc.exe

sc config ShellHWDetection start= disabled

C:\Windows\system32\sc.exe

sc config SSDPSRV start= disabled

C:\Windows\system32\sc.exe

sc config SysMain start= disabled

C:\Windows\system32\sc.exe

sc config OneSyncSvc start= disabled

C:\Windows\system32\sc.exe

sc config lmhosts start= disabled

C:\Windows\system32\sc.exe

sc config UserDataSvc start= disabled

C:\Windows\system32\sc.exe

sc config UnistoreSvc start= disabled

C:\Windows\system32\sc.exe

sc config Wcmsvc start= disabled

C:\Windows\system32\sc.exe

sc config FontCache start= disabled

C:\Windows\system32\sc.exe

sc config W32Time start= disabled

C:\Windows\system32\sc.exe

sc config tzautoupdate start= disabled

C:\Windows\system32\sc.exe

sc config DsSvc start= disabled

C:\Windows\system32\sc.exe

sc config DevicesFlowUserSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config diagsvc start= disabled

C:\Windows\system32\sc.exe

sc config DialogBlockingService start= disabled

C:\Windows\system32\sc.exe

sc config PimIndexMaintenanceSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config MessagingService_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config AppVClient start= disabled

C:\Windows\system32\sc.exe

sc config MsKeyboardFilter start= disabled

C:\Windows\system32\sc.exe

sc config NetTcpPortSharing start= disabled

C:\Windows\system32\sc.exe

sc config ssh-agent start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config OneSyncSvc_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config wercplsupport start= disabled

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start= disabled

C:\Windows\system32\sc.exe

sc config WerSvc start= disabled

C:\Windows\system32\sc.exe

sc config WpnUserService_5f1ad start= disabled

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start= disabled

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDInstallLauncher" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDLinkUpdate" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "ModifyLinkUpdate" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "SoftMakerUpdater" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "StartCN" /f

C:\Windows\system32\schtasks.exe

schtasks /DELETE /TN "StartDVR" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc stop uhssvc

C:\Windows\system32\sc.exe

sc stop upfc

C:\Windows\system32\sc.exe

sc stop PushToInstall

C:\Windows\system32\sc.exe

sc stop BITS

C:\Windows\system32\sc.exe

sc stop InstallService

C:\Windows\system32\sc.exe

sc stop uhssvc

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop LanmanServer

C:\Windows\system32\sc.exe

sc config BITS start= disabled

C:\Windows\system32\sc.exe

sc config InstallService start= disabled

C:\Windows\system32\sc.exe

sc config uhssvc start= disabled

C:\Windows\system32\sc.exe

sc config UsoSvc start= disabled

C:\Windows\system32\sc.exe

sc config wuauserv start= disabled

C:\Windows\system32\sc.exe

sc config LanmanServer start= disabled

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config RemoteRegistry start= disabled

C:\Windows\system32\sc.exe

sc config RemoteAccess start= disabled

C:\Windows\system32\sc.exe

sc config WinRM start= disabled

C:\Windows\system32\sc.exe

sc config RmSvc start= disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config PrintNotify start= disabled

C:\Windows\system32\sc.exe

sc config Spooler start= disabled

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config PrintNotify start= disabled

C:\Windows\system32\sc.exe

sc config Spooler start= disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config NlaSvc start= disabled

C:\Windows\system32\sc.exe

sc config LanmanWorkstation start= disabled

C:\Windows\system32\sc.exe

sc config BFE start= demand

C:\Windows\system32\sc.exe

sc config Dnscache start= demand

C:\Windows\system32\sc.exe

sc config WinHttpAutoProxySvc start= demand

C:\Windows\system32\sc.exe

sc config Dhcp start= auto

C:\Windows\system32\sc.exe

sc config DPS start= auto

C:\Windows\system32\sc.exe

sc config lmhosts start= disabled

C:\Windows\system32\sc.exe

sc config nsi start= auto

C:\Windows\system32\sc.exe

sc config Wcmsvc start= disabled

C:\Windows\system32\sc.exe

sc config Winmgmt start= auto

C:\Windows\system32\sc.exe

sc config WlanSvc start= demand

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config ALG start=disabled

C:\Windows\system32\sc.exe

sc config AJRouter start=disabled

C:\Windows\system32\sc.exe

sc config XblAuthManager start=disabled

C:\Windows\system32\sc.exe

sc config XblGameSave start=disabled

C:\Windows\system32\sc.exe

sc config XboxNetApiSvc start=disabled

C:\Windows\system32\sc.exe

sc config WSearch start=disabled

C:\Windows\system32\sc.exe

sc config lfsvc start=disabled

C:\Windows\system32\sc.exe

sc config RemoteRegistry start=disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=disabled

C:\Windows\system32\sc.exe

sc config SEMgrSvc start=disabled

C:\Windows\system32\sc.exe

sc config SCardSvr start=disabled

C:\Windows\system32\sc.exe

sc config Netlogon start=disabled

C:\Windows\system32\sc.exe

sc config CscService start=disabled

C:\Windows\system32\sc.exe

sc config icssvc start=disabled

C:\Windows\system32\sc.exe

sc config wisvc start=disabled

C:\Windows\system32\sc.exe

sc config RetailDemo start=disabled

C:\Windows\system32\sc.exe

sc config WalletService start=disabled

C:\Windows\system32\sc.exe

sc config Fax start=disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start=disabled

C:\Windows\system32\sc.exe

sc config iphlpsvc start=disabled

C:\Windows\system32\sc.exe

sc config wcncsvc start=disabled

C:\Windows\system32\sc.exe

sc config fhsvc start=disabled

C:\Windows\system32\sc.exe

sc config PhoneSvc start=disabled

C:\Windows\system32\sc.exe

sc config seclogon start=disabled

C:\Windows\system32\sc.exe

sc config FrameServer start=disabled

C:\Windows\system32\sc.exe

sc config WbioSrvc start=disabled

C:\Windows\system32\sc.exe

sc config StiSvc start=disabled

C:\Windows\system32\sc.exe

sc config PcaSvc start=disabled

C:\Windows\system32\sc.exe

sc config DPS start=disabled

C:\Windows\system32\sc.exe

sc config MapsBroker start=disabled

C:\Windows\system32\sc.exe

sc config bthserv start=disabled

C:\Windows\system32\sc.exe

sc config BDESVC start=disabled

C:\Windows\system32\sc.exe

sc config BthAvctpSvc start=disabled

C:\Windows\system32\sc.exe

sc config WpcMonSvc start=disabled

C:\Windows\system32\sc.exe

sc config DiagTrack start=disabled

C:\Windows\system32\sc.exe

sc config CertPropSvc start=disabled

C:\Windows\system32\sc.exe

sc config WdiServiceHost start=disabled

C:\Windows\system32\sc.exe

sc config lmhosts start=disabled

C:\Windows\system32\sc.exe

sc config WdiSystemHost start=disabled

C:\Windows\system32\sc.exe

sc config TrkWks start=disabled

C:\Windows\system32\sc.exe

sc config WerSvc start=disabled

C:\Windows\system32\sc.exe

sc config TabletInputService start=disabled

C:\Windows\system32\sc.exe

sc config EntAppSvc start=disabled

C:\Windows\system32\sc.exe

sc config Spooler start=disabled

C:\Windows\system32\sc.exe

sc config BcastDVRUserService start=disabled

C:\Windows\system32\sc.exe

sc config WMPNetworkSvc start=disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start=disabled

C:\Windows\system32\sc.exe

sc config DmEnrollmentSvc start=disabled

C:\Windows\system32\sc.exe

sc config PNRPAutoReg start=disabled

C:\Windows\system32\sc.exe

sc config wlidsvc start=disabled

C:\Windows\system32\sc.exe

sc config AXInstSV start=disabled

C:\Windows\system32\sc.exe

sc config lfsvc start=disabled

C:\Windows\system32\sc.exe

sc config NcbService start=disabled

C:\Windows\system32\sc.exe

sc config DeviceAssociationService start=disabled

C:\Windows\system32\sc.exe

sc config StorSvc start=disabled

C:\Windows\system32\sc.exe

sc config TieringEngineService start=disabled

C:\Windows\system32\sc.exe

sc config DPS start=disabled

C:\Windows\system32\sc.exe

sc config Themes start=disabled

C:\Windows\system32\sc.exe

sc config AppReadiness start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config HvHost start=disabled

C:\Windows\system32\sc.exe

sc config vmickvpexchange start=disabled

C:\Windows\system32\sc.exe

sc config vmicguestinterface start=disabled

C:\Windows\system32\sc.exe

sc config vmicshutdown start=disabled

C:\Windows\system32\sc.exe

sc config vmicheartbeat start=disabled

C:\Windows\system32\sc.exe

sc config vmicvmsession start=disabled

C:\Windows\system32\sc.exe

sc config vmicrdv start=disabled

C:\Windows\system32\sc.exe

sc config vmictimesync start=disabled

C:\Windows\system32\sc.exe

sc config vmicvss start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config edgeupdate start=disabled

C:\Windows\system32\sc.exe

sc config edgeupdatem start=disabled

C:\Windows\system32\sc.exe

sc config GoogleChromeElevationService start=disabled

C:\Windows\system32\sc.exe

sc config gupdate start=disabled

C:\Windows\system32\sc.exe

sc config gupdatem start=disabled

C:\Windows\system32\sc.exe

sc config BraveElevationService start=disabled

C:\Windows\system32\sc.exe

sc config brave start=disabled

C:\Windows\system32\sc.exe

sc config bravem start=disabled

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\sc.exe

sc config NcbService start=disabled

C:\Windows\system32\sc.exe

sc config jhi_service start=disabled

C:\Windows\system32\sc.exe

sc config WMIRegistrationService start=disabled

C:\Windows\system32\sc.exe

sc config "Intel(R) TPM Provisioning Service" start=disabled

C:\Windows\system32\sc.exe

sc config ipfsvc start=disabled

C:\Windows\system32\sc.exe

sc config igccservice start=disabled

C:\Windows\system32\sc.exe

sc config cplspcon start=disabled

C:\Windows\system32\sc.exe

sc config esifsvc start=disabled

C:\Windows\system32\sc.exe

sc config LMS start=disabled

C:\Oneclick Tools\NSudo\NSudoLG.exe

"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD Bloat.bat"

C:\Windows\system32\timeout.exe

timeout 1

C:\Oneclick Tools\NSudo\NSudoLG.exe

"C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleaner Update" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerCrashReporting" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleaner Update" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerCrashReporting" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F

C:\Windows\system32\schtasks.exe

schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\taskkill.exe

taskkill.exe /F /IM "OneDrive.exe"

C:\Windows\system32\taskkill.exe

taskkill.exe /F /IM "explorer.exe"

C:\Windows\system32\reg.exe

reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"

C:\Windows\system32\reg.exe

reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f

C:\Windows\system32\reg.exe

reg unload "hku\Default"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "OneDrive*" /f

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\UsoClient.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\UUS\amd64\MoUsoCoreWorker.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\taskkill.exe

taskkill /F /IM WidgetService.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Widgets.exe

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\System32\smartscreen.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\takeown.exe

takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host '(Recommended)' -ForegroundColor White -BackgroundColor Red"

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption /format:list

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup " /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "8m56aq " /t REG_SZ /d "" /f

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunNotification" /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /f

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsMaps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingSports* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingNews* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.BingFinance* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.VP9VideoExtensions* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.OneNote* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Office.Sway* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsStore* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.StorePurchaseApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Xbox.TCUI* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGamingOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxGameOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxIdentityProvider* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.XboxSpeechToTextOverlay* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Phone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.CommsPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Appconnector* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MinecraftUWP* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Wallet* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.ZuneVideo* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsCalculator* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.GroupMe10* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSaga* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *king.com.CandyCrushSodaSaga* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ShazamEntertainmentLtd.Shazam* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Flipboard.Flipboard* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *9E2F88E3.Twitter* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ClearChannelRadioDigital.iHeartRadio* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *D5EA27B7.Duolingo-LearnLanguagesforFree* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *AdobeSystemsIncorporated.AdobePhotoshopExpress* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *PandoraMediaInc.29680B314EFC2* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *46928bounde.EclipseManager* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *ActiproSoftwareLLC.562882FEEB491* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SpotifyAB.SpotifyMusic* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Advertising.Xaml* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.RemoteDesktop* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.NetworkSpeedTest* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Todos* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Windows.Search* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage"

Network

Country Destination Domain Proto
N/A 127.0.0.1:49784 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49791 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
DE 93.90.192.112:443 dl5.oo-software.com tcp
N/A 127.0.0.1:49958 tcp
N/A 127.0.0.1:49962 tcp
GB 142.250.187.206:443 drive.google.com tcp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.195:80 c.pki.goog tcp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
GB 142.250.187.227:80 o.pki.goog tcp
N/A 127.0.0.1:49968 tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:51254 tcp
N/A 127.0.0.1:51257 tcp
GB 142.250.187.206:443 drive.google.com tcp
N/A 127.0.0.1:51515 tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
N/A 127.0.0.1:51518 tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
N/A 127.0.0.1:51577 tcp
N/A 127.0.0.1:51580 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO4F86FEB7\0- Read Me Important.txt

MD5 3b97c92ec207c9c8f69c9d30a9f6931e
SHA1 bb176cce7cdcee7ad5f6eac54f9c63c6dbcad5e8
SHA256 95b0007bbb1b1c7f228716c1dad53d031a596d4376e24d4480e24180b6d70d79
SHA512 88f16a86d25b40149debcaae119be8bb397901ead5981b61a8a454cb29d5292f50d352d3011dc043ddb5b9923a410f5ac9b028f3321d06948b589d6a090c05c0

C:\Users\Admin\Desktop\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\1- Oneclick V6.7 (Ultimate Performance)\Oneclick V6.7.bat

MD5 4acd7d1e7294d4ab4e9db8977d5135e4
SHA1 07c5474fcd09ff5843df3f776d665dcf0eef4284
SHA256 b66cd5d6a39c016d0c39e270bed5cc8dbeb1920b3f827d78bc9d36a4a1e3f84f
SHA512 d45a1a26440116df843fbef3bc86a727267cc687f59f9062ef9a66c08a3581c9903d568303d5700dacaad7f5e398601211841328e1784989822d644a426b2d36

C:\Oneclick Tools.zip

MD5 d2be90c23063c07c5bf6e02c9400ac35
SHA1 c2ca99de035c17ba9b7912c26725efffe290b1db
SHA256 9422365acf6002368d3752faa01d4a428adee1fe902fce397d024dabb4e009b3
SHA512 13935887c0bb2006e65c0fd65cd625ac467d52425cbd084b21ae7246a1b97ed2a92916fa62fabf561e2bf0d610aa3dc4fd7e945d86d37280d8eabf2a0b46909e

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 069c37bf9e39b121efb7a28ece933aee
SHA1 eaef2e55b66e543a14a6780c23bb83fe60f2f04d
SHA256 485db8db6b497d31d428aceea416da20d88f7bde88dbfd6d59e3e7eee0a75ae8
SHA512 f4562071143c2ebc259a20cbb45b133c863f127a5750672b7a2af47783c7cdc56dcf1064ae83f54e5fc0bb4e93826bf2ab4ef6e604f955bf594f2cbd641db796

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_despnq1i.sat.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2464-72-0x0000018D74820000-0x0000018D74842000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 04493ed4421328d5e40252891bfe515a
SHA1 ab8a4e3909ff849549ea989049ed30b490f274e7
SHA256 3b14b48326a1201fc8b9667201c15392e52f7f5819c2aadafe19cbb72b08be51
SHA512 c8ca89143763a72f4ce8f10ffa2e161b59d41454bad0f71fcb4c7e9c8861a5d99bdc787907761bfb8439afad1f0557a1338bbb1054f5810de807633f515d5a76

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d06571a616d1849ac0d44af1a97b4b2
SHA1 4df5b8d5cd0f1ebf4182483468286c94a95300e7
SHA256 b5a1a1befdcedf856a21719d1a969c4f6a1d1b96eed413e7a604b1a331766b25
SHA512 28717032d20bb74cbcfdaa560c3bfd896c177cabd3ce5a5feaf7bdb764b34cf6be926e0afc41fbf0ff50f2bbaffd254962c9d228bef2e5e4ab0f942fa4e434b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6bfc02ee40e30ee8b3668a1a8cd74542
SHA1 d05325b60c6e4c1bd331e89319efe02f2271b268
SHA256 3798b25b810408a6e503f3bfc54da533f57bffd83250d3b24b2730e34f66348f
SHA512 6c871a3e8017f37a65b002f88318b787d0d24d1cfb107bc66b22032857a960b6805975436b00bfcdf7874d74c8a774eb1376aaa895e38778af1f12a162cabc0a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35e5f4dac536c65c6061063c0bcc1680
SHA1 33de1ee54ad4af6ef7de46de372878664e40dbae
SHA256 43d8e45c4f9ba7df3e8db0338838023fea62e5d4f0abf87a6fe78c01804893cb
SHA512 ba5cb333699e07024d3193061fe883b4a88351ed9bfb387342ae76811874d8707cde193fd986746ad95b172e0941f56c810121af478b95120806106239408c31

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 73899b79c7c73a155bd762fff36ac1cb
SHA1 87cd5cfb64ea3e80d268adaf7946dbf20497943c
SHA256 1bc07acc4fcc1f6097520ed8bce5c1e04c0642a0575c3dc3672725bd87234a7b
SHA512 5f8e98dba3f99e70a72fc4a1421fe403155fddae33099d438e072729ab56ba904a8589252fab5ceb55b3f773cf4744760cbed25244bd94defad6226e3a8a9828

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3a924916719c590c164e2306f5b3ad4
SHA1 6b99d5b4cadd988deb3f825c38d3b2ca62beed11
SHA256 a27f9ddc3e18b923f1d3d92f243a12cba4ca3c9e8f8a89af19de0ee4546dc3e1
SHA512 29ae7e3aae34556f47bb349850a2d7c6549c1226ce8c7d93fe13929e2e9efbe49377e44e4157f1b2be4c81e0c39e86b1df8e81f011dee76261ef361545c868be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3c70d512dd3f5823d1843b174b15cd6
SHA1 014accda56aa5efd4cdd3ce3dbe3badf6952d4bf
SHA256 d8037878878bf3a871c26a233ff70f2666309b3622c368b7ab40431b21c2937b
SHA512 d9f555f3550c5ca9fa8357a9281e9d5e05ca668cfac20c851142441de6ceae9ad40172d697627ff25121083d532be84ec32bb98d239d5be284feeb425f74367a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 86b1713eaecef659d820ebc2388ef31c
SHA1 5a2c44be4c8c56f247083963fad0f6c81c8e08e8
SHA256 43a1afa2ea409a5a220b6dbf138a1679b1909e1fa38d9e1355ab884b74337bcf
SHA512 6043e649abe15314e4a6b767decf0caf098299d911a13b3eb45ee0e42def0aac9d36425992bc9fed1bf63a87a162bd7554e882dbfbf6a2855ee26272aae4553f

memory/1984-146-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-148-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-147-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-158-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-157-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-156-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-154-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-155-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-153-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/1984-152-0x000001C7BA510000-0x000001C7BA511000-memory.dmp

memory/4500-163-0x000002054B1C0000-0x000002054B1D0000-memory.dmp

memory/4500-160-0x000002054B190000-0x000002054B1A0000-memory.dmp

memory/4500-167-0x000002054BD80000-0x000002054BD81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7274a07d1b80de6f66290b47588cee3b
SHA1 d926b384806c755fe6b9d03f68852765aabb5703
SHA256 5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8
SHA512 b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/4728-189-0x000001D56A190000-0x000001D56A1B4000-memory.dmp

memory/4728-188-0x000001D56A190000-0x000001D56A1BA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 238f0a5701700be966cc85a76ecbfc19
SHA1 c69446816c9c6c0657e8705ca08459440b6e1d53
SHA256 cc30ae0053060d4c608f9d564635315e1d660d155ba8b6293af36251c968a41b
SHA512 791ac376e0847291081b606efbb1cd0869af56f81f9854cefe237d33f74a41f4ae6519957df82b98f6bbdc78e3f22e3f0350f2b5cd06fbee4e78e7900558edd1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb1d69b71a38dfe81ac0d2020830faf9
SHA1 1f8baf6d137b5138ee40c725f9138e1cdd2a71fd
SHA256 5ca132239020780c2a57681b9b6960880f23c03daa982d03cb3142cb923f5001
SHA512 dba787451922e7bd2d863ba23774d80200acf58243617d0c54e5b3941fa4a47e2c7f8ba43ed91580fdc82884db7bb22bbaec0ee9ca286faab6c1d827b62896fe

C:\Oneclick Tools\OOShutup10\OOSU10.exe

MD5 4803e06db91fdb8b6d1b65c0010d2f87
SHA1 f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c
SHA256 beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b
SHA512 f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

memory/404-216-0x000002B60EE90000-0x000002B60F080000-memory.dmp

memory/404-217-0x000002B610CD0000-0x000002B610CFC000-memory.dmp

memory/404-218-0x000002B6296D0000-0x000002B629776000-memory.dmp

memory/404-219-0x000002B610D00000-0x000002B610D1A000-memory.dmp

memory/404-220-0x000002B629830000-0x000002B6298EA000-memory.dmp

C:\Oneclick Tools\OOShutup10\Quaked OOshutup10.cfg

MD5 109f47ced5da3f92362c49069fc4624e
SHA1 79b611073aa0006f1bb4058a6ecb6f3cc97391d6
SHA256 2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b
SHA512 55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

C:\Oneclick Tools\NSudo\NSudoLG.exe

MD5 423129ddb24fb923f35b2dd5787b13dd
SHA1 575e57080f33fa87a8d37953e973d20f5ad80cfd
SHA256 5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7
SHA512 d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb6bbad04121efc4b28aafcfb2098c9b
SHA1 874882a3749c41301505e95510f761491c465073
SHA256 bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5
SHA512 7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

memory/1948-238-0x000002CB5B930000-0x000002CB5B956000-memory.dmp

memory/1948-237-0x000002CB5B430000-0x000002CB5B43A000-memory.dmp

memory/1948-236-0x000002CB5B410000-0x000002CB5B42C000-memory.dmp

memory/1868-243-0x000001E0C2280000-0x000001E0C2380000-memory.dmp

memory/1868-293-0x000001E8C49E0000-0x000001E8C4A00000-memory.dmp

memory/1868-285-0x000001E8C4F20000-0x000001E8C4F40000-memory.dmp

memory/1868-269-0x000001E8C4820000-0x000001E8C4840000-memory.dmp

memory/1868-257-0x000001E8C4860000-0x000001E8C4880000-memory.dmp

memory/1868-242-0x000001E0C2280000-0x000001E0C2380000-memory.dmp

memory/1868-241-0x000001E0C2280000-0x000001E0C2380000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 70c91e55fe182a7b11ff383b0dbdd172
SHA1 b3e7063b1d6dbcd05bab520d8c54c6ee88be78b6
SHA256 20a2bab78c6744ab81aedd1c713053fe52d50755d347c8a667dc85f93c686a6f
SHA512 0f373234d24bebf1ce1d2b4ed10fb2e341aaaaac9a98000a11b5b8c9a0df969ff9af6059c14e9f41ccb8441dfb6e9933150b82a72e8c24bf2a028bd30d22038e

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133756424482338871.txt

MD5 b221598e5fa5f499996c78cc4e3d974e
SHA1 a94a162f081b6118e5059ac20e6726778e782ebe
SHA256 1f633eaf0f40fc16bfc90a7e686be0c49129cca2580f8a93f4a18912c4722de9
SHA512 4be73764475c805de40e3c5f7a4e12ccc62590c10584eb950d5ce5d8e7fdad6b1740325b5cae77d0d05446e64d05cbc4e259dc7def0c55b45151176c6c7d77da

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HJS5TRU2\microsoftwindows.client[1].xml

MD5 439229379761282d0ad2553fe1b12385
SHA1 5a46f5c717303557006293d9a1739e1f776c6dbb
SHA256 909c20c3b622ea9eed0e65b5b19ff956ff707b1c33a588d1f100ba8874bbf7a5
SHA512 bbe2d1cf0f1d669b944324085938d69c231e2114372f59e45b51cc47813d4575e486b68435780518670c1af306aa41c5554d7e55633514df879972ea44611a98

memory/1868-395-0x000001E8D9B10000-0x000001E8D9B30000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 32811684ac013cef9fb7de56188ec0b9
SHA1 c5cd0d0a5307189d75c987c82d9db6348547fd16
SHA256 0b03ab36327c0a993436487676b10284602e10e9837b21c79c9996780bcbe172
SHA512 472332d44e2e9b6f3024dc9f1ec2649cbb3ac2940bc237bd877756e3f32ed4275626e035c0e0865c2cfbbb226b682a4044a0973dc4f7898f77f6c0df59498d63

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1e061b3383a83e8b835f080b461a37f0
SHA1 cd95057b2b08facdeaea073035ca88d9c5aaf8c0
SHA256 e1c5bc8053f119c13ca427ef0092042bee4244d44ff2f7ee84c49a14e5b861e6
SHA512 722ddd8a2a6d94240359c582b3f4ae8435fe1506ef27ccd725b68ebc9f1d52e1f3b05a7325b5d2e800b8b0f44050cfd3ad5c3b3892f815e3400afea83e6c01b0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4338fc72e39eaddb43a21a62e7764a57
SHA1 d4bdb16dcda6d517f0e7cfd420bc3807c1a802f8
SHA256 03ab0afe61f8f9f40713cc56f3489d7660f90863286033197fbfb7953eab31d5
SHA512 6da5d8a9ee12a91c766d506f791bd857b7e0aeb7bb9833f4732e1b0238793ad0e5e41ef3e48e65fd710ab0977fddeb0bb22ee5a5b80cbea8091223529e75c385

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 690566e4b1d42e237d33e96481f5d28e
SHA1 bb132f17d1bc80d6bacfe2a2bfb00cbeebb13f0e
SHA256 6df89b54a71e11eb08052e21549295e1931e0f25415da3276934867f67df79a8
SHA512 845492723ffe51cea54ea438bede4afe92b0aee1390a8642a8b85cf989fae4fa2e6cc19cf066db531d95cf43da456292d274ac165c4a27ab1e65838c90b311ec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 290a4366e31f5dabb0875818baf3927e
SHA1 3492d28bc3614a72b3e7631e64dbbd7e3b710580
SHA256 08b275dcc671db58a9e38542c5784731c0bd841c13e92bb6135b1ede252616c1
SHA512 5f14c07d6f4b3e84f4b42d409a6388d879d39f8b671673001171ba6bccae5494c66e4f3a5069d7d73b35050ae200a3887331e093173d617bd5ad6c6f32ced3f6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cbb34cda293c9a5b7f0c2f56492293e8
SHA1 736e478f6a77df444944357800a6b79c77aa456f
SHA256 d5cac63fd588fd14c550cc0b4b3466282210394282659bcff48513e953d5aa75
SHA512 a002e7bf881bf72e792ec34119e42c4a793430bfbbaa7dc7f56b56e935f727108b8d2b4877d6d726d89d01ff23ebdef788790b2352159dd7ee22c371acba365b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a236fd7e82e49b9094cf51d36d28fae5
SHA1 b827df1433f5a1920d1b4032284f4b8c5d48b8fa
SHA256 4807190696818d9b0cb5dcec1a6baf1d0c8f9fd22cfbd25afc94aa60397456ca
SHA512 8070c1e2a34a31c8ebfaddab982f3c8e8598d557a3eb695b837f2947dadbf0ecb646c00e543a3181448202269a6cc9b833c4bf75417d5b0232eeff69a177a457

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0399eeb989e6cbd60604167b97c1dcd4
SHA1 225c2d43f7d5d0889d999408fd9ff4a1352cf4a3
SHA256 9ec655af69ecfd9d8aece95399628ec41fdce39faa7e7e7517a2a5db46ad612a
SHA512 f2d3e010c468016e8184eec48aed81f16e7a5c86bc5f1d9b18b69c4264f88a5f31979e475edcb8a6fe681fd59da7c4a0c2e2533800e5f19babd0f800055222f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02db820e8fc517654c1ef3f0c7d6a788
SHA1 50aaa48e9d6be5dfb5c2dce89a8217153a03f4da
SHA256 a12dba169f2897a287c79f1183022f0af95a25b77f1f7ac1a86c354d16bf8e41
SHA512 be28cf77f23d23f58fa14a5888d0239091f1bcb12b025b6fc8ae16f3e7932f672bc45102c04eb72257d265c159d7a41ff0953e92db0dd60b0a6b3186d7215ede

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57645cfeaf683e9c1b6a5476bd6e5964
SHA1 a9201ec8135335b21cc7a5607b952a51ee8c08a6
SHA256 4e1414d1af81a01d28b742ff3f18fd54436163166e007796311cdbeec6df128b
SHA512 08587fde0e37309dd8c0fd6ba1a479628a5d1d4f6974ef93e9b8f8255866e8d0522192a721b61d5f93e1169812c91ac5ddd0761f8725ae9f73a5fae5b955b969

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a0952827d7b05e59bbcba9485a624cbb
SHA1 8479125258bd3f7b7e2dcdca7a14612ca03ab10c
SHA256 819dcccd9dc5848fa19acf6175dcdab9bd2a1ef5edc6753a0dcee6fc13d21240
SHA512 6ebbef69766656343e4df6f45f9dcc9ba370eb2f30a3bc83746f85a0ac9f942e58f80352a2ef4a4122ebf95d8010020cc3d2c6cb817ff000d3d5b8d41ecca789

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f0635599de2c45f13bc9182b2c5bb463
SHA1 74e2714467887e419bdab75d545a64e34590e287
SHA256 694c81bd357960865815fa26e4e9c55c2e37ac727e4fdca4aca416114a2b5a95
SHA512 046671febcac9672f6aff3cc6f15b584fea535c371b882120d0854d20406c6d5669072a823845fca08007f80d5a2d3058eaadd6003199d6b5dd3c351ee9a7d7a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bb2919371112884fa7bcea5db0579382
SHA1 a8e2e8a234af399778f48a1e9f9d5ee261549d25
SHA256 27d3bc72ecfebff704f0334e11e4f795dee138536df55868ca0a6255a31774b9
SHA512 041a1e88c5f2171cc52ec2c16e6290819287b76196b0bb6e8818ed118de2cf5d88d06a9fd65b0b1eff783f66911693cf2520a7072c5627fda0d077b2a4673f64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6986f616ac97fb18cf0b185340d907c5
SHA1 01e20bc1ac230ac833b811164d194dd8a9918860
SHA256 8f0c6d493545b710864ac9fbcf0c10f8f2c68aa05799f6945aae2f4b93dddd7d
SHA512 8dc6d79d64729689a1ea4629a890d6e7b1c9cddeb072079b346a2c4846e92b8703a2b19aaa753cf87d74d0dbd39ebcdee1454bf00a58a2d21f7ede958fbcfc12

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1e2b5fde461eab77db6a1d06356164a2
SHA1 1a69edb86f7c162d800c06fb2541efded2045df4
SHA256 4cec01afe1b359f4ea8a246634c00d138261bad57079f1fd887d09739d115766
SHA512 c3fe6a0acbfbabc8278f0d336b1a3b820ce286177627ad05da358503916c1ae1e0165b74e75a735cbbda4752550369b9767b5382bb4f51f810c6dd584e132fe3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6ca1b0e6fa3e854ebdb8b67e78ee0ab7
SHA1 c6ec0b6d207d1fdbd0f8d954c7184c997546f610
SHA256 4b714becbc8d873ee8cb136d3d892b8b1c2c7f7987ef1e41fef2713e312b250b
SHA512 889fb8f2c206ac55e9d214977f76a1376eb564af3186534e761039e16344d772716965454977960a604f869ad41d39858a6b704484847b998104a35d1d9e6c83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6c704b9773388c99030b20baa1940271
SHA1 d7e1cd97d0f1710841bcb4cae16d0a6368b48d38
SHA256 687fdb25ff381baa9f082d0056c104ae5153d6f7e482b597746e23d692e09cf8
SHA512 c7eeeaaebd440999e0529b847b1a3df7958af805af44f0a68be72eddd0f111b11fb30d5e8f10970ed66f213c03dd16fd44278b775754b192fb591895f3d97203

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9b131b7ea927032776dcc0af2b59519d
SHA1 ace78d56c0efb66f4ab2548642d7644827b5701a
SHA256 019d2cdaa3f17bba88c37b6078293c524414a198d8540b5ea92adc288de9284d
SHA512 4f0c3faf5993e4798f05de9262bc9f954bf022d7aa562bbde1050146e83257ee70eb49f74a032c6ef2d7d7a4f12373116e338bb30a8cf86b2d7f0e082d705897

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 37107ab5a98362176f37cb3205664060
SHA1 dbc8bc9b74f539aa7404ec405c7e2a908c1ac1ec
SHA256 57ae257ebf026535dee1ce3738faa5e01deeb4e35583374d597d44a6f244ea34
SHA512 8a9b8af499a2ad61f40ef53069f4e5ce6a24f9848c89b8215d24a9247fe2bf487bfa1847207624a27d8a3e40da6c9f74bff5e0c7bf8258d706ef4d206fe2aa84

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6de27b8a6f6d1c5724dce86b58fb1d7f
SHA1 f5fcb98a4fe3879f180362f83c1971f55708b56c
SHA256 e9e3f4b6c61fc0931f407ad370bf6a287b93fa50174646b2a2cc84b2ed342819
SHA512 597a04bbbf4639c35a586488ab55d8183a6bd041da8a67a62daf7c3087b098ac90659033ae83d380789d6404a08b2389a9297e523a7f7e9e4602853bd9cb30fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e6761ebd0d08c2817aab0cd8929083f6
SHA1 185c0dc6d2018b91839444926665e5e7834d6ee2
SHA256 c7b4e497632a03e9e91f9e8c1b3e3fadedfc1c86c22d009a7fd073a66f809f4f
SHA512 60470c0e9ffdccd759a858c215bb950bab39aa50f52d62555bb06bf4c165d17ff5d9a2ca0970c9685fb83725379cbbc7bef3cb31ed8bcd57f7dba34fd1e9442e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 88f9ea1d100f5352ec61d1dc90d457e9
SHA1 106a2f1a0efad68d3a6c4224e6e8ea97803444d0
SHA256 b6f2fbe74673599fa5b2b66b726d21acd156b6470de6d2512da49c4dbf7f7a77
SHA512 ee27cf000804e89583b60fc75f36ca06e96269b5ffca55e1843dabc4e30296ac7cdc67d8918873a91ba9af922a2669382626975800d8354f718c3e0d7ebdc333

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 57e9d82eedb4a66e1d1331556a6973f3
SHA1 55e4f7e3c217e71dcb29192307be13fcf9133d9a
SHA256 0ea63d1e12cd5212188085802a450afe91b7f915445dabb77eaf9085de21f5df
SHA512 c8638d71b6f0555ce5ccdef4b252da84af2fd744025c57a687d71cc9c869b86677bcdd8760239b2d5d1edd121739dac2d7682ab372382b0720c30da86ffb997b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4cc815d8de1f03786c53bbc5d8a987d3
SHA1 c3ad86ff978b501e2038b78ab2c7defd1e3b9b0d
SHA256 1065299433ed75de29dadead305eb8e0c677bdb8cb952550ea41c3cb964d2a96
SHA512 47868cc4588fd4f07268114335b34dc94b11b2013bfa0ab1e3e5addff94d92f50d45c7cf4d9efd1a98e301747f109ee369f67e7b9302cfd183660648a5fccd22

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0193d08b80f38c2261328217a97d5c1e
SHA1 b28ba65b981c2ea1f59a57cd408ae3066d11971c
SHA256 3bdaab9f2abbaa26184a084a4d15cbfca295a168803f7913a01a83b51306e49c
SHA512 5f119ec654b90ecb86ae793c7d0569df168890d8485d69c35b8662253d23b796fbecbfe3d0c1db405ca204c25b96380ed79d4797316becdfb457d1cf9e09fe74

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd9a77b53ba9ba68bb8dedcc001c1ddb
SHA1 2502db42ac0bf7f02892265df6fe8ccc83edcd83
SHA256 43ffb8b8e22a6c9f1d1ab7b6b881eda6b27a0113e51d5658debc347735b5f376
SHA512 bba1cf446a472213ff6bd0cd500366163e9e3bff714f8bdc0502ffaaeecf62e36f9935e14d763de136d731effc1ab72e756350ef6762108964a4ed389aac1507

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9df4389e6ecc8e02274bb8fdd5cf5df2
SHA1 30b337d4dbd1228dfe18783337467af398883252
SHA256 51b2b774b06300fb196872e5f7b72ed981197eb64f1ea11bd4eaf3e6d7a3cb78
SHA512 639bb0f91b25d90cf8dacc774914c184e4817e7c1fa01b4ba0a0468122b000abeb6dd19844a7d41d7a7757d6dd2af36af602ac3bc742db11176fe7590b90ac69

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39b74cb4f53320d69e53ec7133fd6079
SHA1 4130a7bee0a62db8d6418ec8f74d70fe8b5ea196
SHA256 9f677578a6cf21d1280c7220d11184a56f6d32e714de9ce91631dc9261527070
SHA512 573d732a49d6c1ef4ede95fdd3ed7631082b8bc085728211574c4a555e465e232029c51fe34af5dac4bec3069057b526554bfd4afbc31e2365e9de9ae55fae2f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1244183154f408d2db7b49129a8e6db6
SHA1 3cfb4ebd836f4636665bf099c8c2e269a2bc80c3
SHA256 921acd90c96c5d11ddffbaced67627a84c9beaaaa1de48bc0ee952b78440aad3
SHA512 669b7555e3313ca704c181acc4f0e55f59970ad9dcc913b051b7ddbf241cf433b57c22c04468001bd07e68fd865cb5b3e12d2f29a9930ff00bf1125fa6a5f37b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 439b4fb358f2572fcf1bcd7f1375fd87
SHA1 19487c5c6774f6d40ad746d0428ca7075bfdd01c
SHA256 5bebe58b7bd91158a79cae6607327a39cd4c54106e69804817ba48072be5e566
SHA512 6bdfbc990014c270b38592a97c0ba635890d988abe7f7c7866322b8dca6db26a2dddf3a3c6426f56b21e0ae0280b2f498722cf4af254760fbe53b96ea1ade8cf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 33772d29bdd550f69ad48411a88fe076
SHA1 b8e3157b8b84b53ef8e15428d7eef1a6f3362f88
SHA256 9189778f37b586262e03b6a111950ccea0665d4dd30ea0578a490a1a2a66d621
SHA512 93f2577e93de7bce645fa9de5f6090b4d7e9f8ea844a4c2230f056be0c463dfdad3a9c3ebed6e38d5f0dea722597ad3a6853096859291cb3df9dbc13eac58de2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b04b0fca96913d10874a5a52390b575b
SHA1 5701469979579da2cb79a5317ef919ea596ef065
SHA256 723e6b5e98d4ec34df030fbf460ffb8b728e6cfd9982867ae6d03700e0dcd8a5
SHA512 c36acae46306813344b0665b76b20553eed19a591ad0a687697fff1890b9f3d50696b4b67065d680ed4a2f5f9620bd7756709edded70e10468c71909a6e273ae

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bc795813febe531502ea380341939cde
SHA1 54da183397b8b5e7783357172c827a9a77f6b826
SHA256 e7d77d3c60dd0f02cc5546cae216f964a277fff0a2f37c572276d1591292b4f9
SHA512 06b1babeaa710abeb41aa342318e23e33c7998c7f6ae5045e1fa5fe9268aa26bb803f03395cb8a7e49016f090b222275c56fd51be2298325dda0b0eea8aa885f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cdb978c64fd6e4817c076e02bec9f321
SHA1 4da9900c0b44853322b36de4907f24f6a33c9780
SHA256 6b1ebc649a3821a9493aaed3c02e66a0e3e0794b5d8838273dbc003fe57ab3e1
SHA512 1365906be4ad53c85556c3ec675ebe7e064ccfb820371282742f8d84bf8d9b63cf641e913629ca46e26ac9aa18d6d9368844099c0d277260b2a24807d35b0cf1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4a5ec0ff4e30cd14428898de3963645d
SHA1 7802024052ae981f9d2f1d6e2beb994ee9e21484
SHA256 2b8a1f40ae9f44a9b455af282c0c46c32fffe010b9c18061a20972ce8f6c2c56
SHA512 2e872d5212c30b55865b6d28d452fa5448aec266a7e93e130209e97482b552c856326adabb12c0f0ab3c1faee7f618c7ad908f650ea82f593e261135862e9b9f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 018e2644e95c0cebe22cf3b01a2f04ef
SHA1 f73e4974451213f79af0349aa82e8ed5bb51e730
SHA256 917000a16bfb81b337ada47ace3fc17d2e3ec65ada9c593ed1416be767a7be9e
SHA512 0f69ca949644f72a722fab3a42f847a7bfa0b8bede95d855258897461b184af5b6cbc6af5dfc27ee1dd3f502c99fdc142519b3416015658792f69715fde5cea1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bf4eec47cc01819a6977cbf0213ed025
SHA1 fd9bdf4a8243060b364c25dfd8bd2ddf56bc3454
SHA256 1c4b08daa3f7249c34eab9a9c9b179a83ed333d3299b3d1fe0b778eebb3035e6
SHA512 4c0a752f586b5680d48980ebb43615b3b5bf52e76924eeeef5dbd19d3c413f0db85bd7b99a99085644964b6e82e860f15c632051aee23db774c128224fded7e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 af39a78ec0d56c9f996af7f58b412a6a
SHA1 8826ee35da28c256885f2a4a766778b0d4ca42bf
SHA256 9ce363ebda0dd2316dce7e9ef5fcc192ee2dd20d7917e20365cb94bdf55c72c5
SHA512 2d8065add3f328d90cd0cd6b32ccad8b63cc618780a92d88ea66e23adf42a9496908af67c73c574c8585f48e94e9a8827b2804b73d4a50263c74a50766c421dd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 198048253ae45611eb45bea91d51dd00
SHA1 d0893584b21fe73de16eb9b6c1c93928cc09123b
SHA256 35c0c0e9e55d950be1e94fa013578dbf5c2e1bbdd6c5c30a68303d1dde86af70
SHA512 9773a0c760476f3a1a8935955fcd260d6e71a83f44b5c85f0208832bc3831db0157194eda29e30d1c606dbbf6994f32bc0fcad344414f85b7e19b958169557e6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb0f7161aab9a59840d429314eacfbfa
SHA1 213886b9f9702603231e2af8cba7b68fbc741bb2
SHA256 625d77502e605e164f4447c3b7b318ce6d6f11a0fddb7d641a53f95d043cdc65
SHA512 d0a49e064832e4a301a519b9c13ceb647e339e134775259b2aaa361794244be9bef32178c6e10cb9333980281aefc7761cecc3508ea55a5568388b8e0aea8630

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a0b13590459c6ffb8c52a0a10ae388db
SHA1 c7fae31628fd7864ae3ac40d5265e40012f3050d
SHA256 96837918d1718fc445e32fe0aec80e0d73d37eccbb3a502d72548cdef9edd314
SHA512 2e13f803faf4848f71fbc6c055954b2371b23a9875c05a4f722b707df9663362052359071bcdb31657988f3bb5f706f2fe10759923661691f3e0f746cfc0de2a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2922d1fe9108c92b4a380aac3cfb264
SHA1 716e847ad1724edb14ded806eecf8101e3b97583
SHA256 b586660ebac6fade8e62cc29f88b7a4b991d98b92bbb4bb27846f73e4e0b3db4
SHA512 31a4f01d15ab5ebf16d4de8c4dd2c53e67810a6411753ae48ed2011ae3e25f8db6e73da4726eae181043c1bf48f5b500c18f83cc91ec102adcb285c6d8a2e815

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 54ea21b23f8e591c905c42525db46a5a
SHA1 a77fb28b1f608fc59ea041d1d2c365ca2e7630bb
SHA256 6d112ef9a96272747210823847d65a4a01210f9e038e060339df5de7b901b565
SHA512 d466ebb859d5eb631f944973c252a95ff08d206e1fc838478b92af2c5f290d9de3cd3a8b2aa9c3ad5d3f7aa165ba0d2ace8c7dcb41d8f342628322f44cce4c67

memory/4340-1373-0x000001F644FD0000-0x000001F644FD1000-memory.dmp

memory/4340-1374-0x000001F644FF0000-0x000001F644FF1000-memory.dmp

memory/4340-1375-0x000001F644FF0000-0x000001F644FF1000-memory.dmp

memory/4340-1376-0x000001F644FF0000-0x000001F644FF1000-memory.dmp

memory/4340-1377-0x000001F644FF0000-0x000001F644FF1000-memory.dmp