Malware Analysis Report

2025-06-16 00:41

Sample ID 241110-z6jw2awbkc
Target test.bat
SHA256 6a9182c301e4b1ac8de1e5dc35630233e8c406e5184d9f64b8174506d36fab85
Tags
evasion execution
Score
10/10


Analysis Overview

Score
10/10

SHA256

6a9182c301e4b1ac8de1e5dc35630233e8c406e5184d9f64b8174506d36fab85

Threat Level: Known bad

The file test.bat was found to be: Known bad.

Malicious Activity Summary

evasion execution

Disables service(s)

Launches sc.exe

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 21:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 21:19

Reported

2024-11-10 21:22

Platform

win7-20241023-en

Max time kernel

119s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"

Signatures

Disables service(s)

evasion execution

Launches sc.exe

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost | C:\Windows\system32\reg.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2100 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2384 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2152 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2152 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2152 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2160 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2160 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2160 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2096 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2608 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2612 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2620 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2620 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2620 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2616 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2536 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2020 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1152 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1152 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1152 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 1372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2100 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2868 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 3004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 3004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 3004 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2300 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 2100 wrote to memory of 2584 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\test.bat"

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisablediagnosticTracing" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /Disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaCapabilities" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsAssignedAccess" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsWindowsHelloActive" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchSafeSearch" /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\SearchCompanion" /v "DisableContentFileUpdates" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DoNotUseWebResults" /t REG_DWORD /d "1" /f

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Process Termination" /success:disable /failure:enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"RPC Events" /success:disable /failure:enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"IPsec Driver" /success: /failure:enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Security State Change" /success:disable /failure:enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Security System Extension" /success:disable /failure:enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"System Integrity" /success:disable /failure:enable

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\sc.exe

sc config DiagTrack start= Disabled

C:\Windows\system32\sc.exe

sc config dmwappushservice start= Disabled

C:\Windows\system32\sc.exe

sc config DPS start= Disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start= Disabled

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 21:19

Reported

2024-11-10 21:23

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

209s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"

Signatures

Disables service(s)

evasion execution

Launches sc.exe

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |

Modifies data under HKEY_USERS

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\!USER_SID! | C:\Windows\system32\reg.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\auditpol.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1340 wrote to memory of 3820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 1940 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 1940 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4120 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4120 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 4388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 1376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1376 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1248 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1248 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 4956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 4956 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 3544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 3544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 4944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 4944 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1340 wrote to memory of 1132 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 1132 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 2840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3148 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 2292 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 2292 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 5108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 5108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 2340 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 2340 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
| PID 1340 wrote to memory of 3492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe |
PID 1340 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 4440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 1888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 4508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 4180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 4180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1340 wrote to memory of 3604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\test.bat"

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" /v "ShowedToastAtLevel" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_CURRENT_USER\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Diagnostics\Performance" /v "DisablediagnosticTracing" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}" /v "ScenarioExecutionEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /Disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /Disable

C:\Windows\system32\schtasks.exe

schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"

C:\Windows\system32\schtasks.exe

schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "CortanaCapabilities" /t REG_SZ /d "" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsAssignedAccess" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "IsWindowsHelloActive" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchSafeSearch" /t REG_DWORD /d 3 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Microsoft\PolicyManager\default\Experience\AllowCortana" /v "value" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\SearchCompanion" /v "DisableContentFileUpdates" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\Windows Search" /v "DoNotUseWebResults" /t REG_DWORD /d "1" /f

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Process Termination" /success:Disable /failure:Enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"RPC Events" /success:Disable /failure:Enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Filtering Platform Connection" /success:Disable /failure:Enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"DPAPI Activity" /success:Disable /failure:Disable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"IPsec Driver" /success: /failure:Enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Other System Events" /success:Disable /failure:Enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Security State Change" /success:Disable /failure:Enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"Security System Extension" /success:Disable /failure:Enable

C:\Windows\system32\auditpol.exe

Auditpol /set /subcategory:"System Integrity" /success:Disable /failure:Enable

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\AutoLogger-Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DiagLog" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\Diagtrack-Listener" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\WiFiSession" /v "Start" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v "EnableFeeds" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Control Panel\International\User Profile" /v "HttpAcceptLanguageOptOut" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance" /v "MaintenanceDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_NOTIFICATION_SOUND" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings" /v "NOC_GLOBAL_SETTING_ALLOW_CRITICAL_TOASTS_ABOVE_LOCK" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\QuietHours" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.AutoPlay" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.LowDisk" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Print.Notification" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.WiFiNetworkManager" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTAGService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bthserv" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BthAvctpSvc" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BluetoothUserService" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\sc.exe

sc config DiagTrack start= Disabled

C:\Windows\system32\sc.exe

sc config dmwappushservice start= Disabled

C:\Windows\system32\sc.exe

sc config DPS start= Disabled

C:\Windows\system32\sc.exe

sc config diagnosticshub.standardcollector.service start= Disabled

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "CdpSessionUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\CDP" /v "NearShareChannelUserAuthzPolicy" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Accessibility" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\AppSync" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\BrowserSettings" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\DesktopTheme" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\PackageState" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Personalization" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\StartLayout" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Windows" /v "Enabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "OemPreInstalledAppsEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "ContentDeliveryAllowed" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContentEnabled" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "PreInstalledAppsEverEnabled" /t REG_DWORD /d "0"

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKU\!USER_SID!\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\bam" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dam" /v "Start" /t REG_DWORD /d "4" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A