3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
96s
max time network
139s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 06:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/2- Orca V3/Orca V3.bat
Size

35KB
MD5

2f1c0a6e88c644e1fe7f7208e0029b14
SHA1

fd11c4fcb106f51db0f94091e2f46b1bd142609b
SHA256

f7e541ae25adf370120698c1d55f77d15c42209378b09b996a12e8a6bf90a996
SHA512

236cbb90131e654f33dca660ba7532ac59e22ce58edaeaa15cfc50c66d738e6ac5b847be11986655ef8c168a1c27c5e4dc01972d7d3a990d3650a16ccab5a2d2
SSDEEP

384:U66Vcy9CzCPhjszIuG4cD1hzGbs7dffqLzVHPAFwH2V09PsB7olKElQKac+iD3MF:Z6Vcy9CzCPhaigxWFoKElQKac+iDDTDO

Score

10^/10

defense_evasion discovery evasion execution exploit

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2784	icacls.exe
2808	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2808	takeown.exe
2784	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2024	sc.exe
1576	sc.exe
1652	sc.exe
1808	sc.exe
4788	sc.exe
2100	sc.exe
4556	sc.exe
3032	sc.exe
4880	sc.exe
2080	sc.exe
4232	sc.exe
4504	sc.exe
528	sc.exe
940	sc.exe
384	sc.exe
648	sc.exe
4528	sc.exe
556	sc.exe
2728	sc.exe
1308	sc.exe
1780	sc.exe
2620	sc.exe
2168	sc.exe
1748	sc.exe
1308	sc.exe
3764	sc.exe
4880	sc.exe
668	sc.exe
4032	sc.exe
1724	sc.exe
4444	sc.exe
3972	sc.exe
2004	sc.exe
1720	sc.exe
4768	sc.exe
4216	sc.exe
3600	sc.exe
2820	sc.exe
4792	sc.exe
5012	sc.exe
4228	sc.exe
3084	sc.exe
3924	sc.exe
3516	sc.exe
1480	sc.exe
3148	sc.exe
3128	sc.exe
932	sc.exe
2080	sc.exe
1872	sc.exe
1744	sc.exe
4204	sc.exe
2264	sc.exe
2168	sc.exe
800	sc.exe
2168	sc.exe
4432	sc.exe
3064	sc.exe
3488	sc.exe
2896	sc.exe
1236	sc.exe
4828	sc.exe
2284	sc.exe
4380	sc.exe

Delays execution with timeout.exe 16 IoCs

evasion

pid	Process
3312	timeout.exe
2576	timeout.exe
2900	timeout.exe
2244	timeout.exe
1900	timeout.exe
560	timeout.exe
2652	timeout.exe
800	timeout.exe
4264	timeout.exe
3312	timeout.exe
1408	timeout.exe
480	timeout.exe
5084	timeout.exe
4812	timeout.exe
2432	timeout.exe
2824	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5008	taskkill.exe
4872	taskkill.exe
2992	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2808	takeown.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	2992	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 4768	3728	cmd.exe	81
PID 3728 wrote to memory of 4768	3728	cmd.exe	81
PID 3728 wrote to memory of 480	3728	cmd.exe	82
PID 3728 wrote to memory of 480	3728	cmd.exe	82
PID 3728 wrote to memory of 4444	3728	cmd.exe	83
PID 3728 wrote to memory of 4444	3728	cmd.exe	83
PID 3728 wrote to memory of 3260	3728	cmd.exe	84
PID 3728 wrote to memory of 3260	3728	cmd.exe	84
PID 3728 wrote to memory of 4508	3728	cmd.exe	85
PID 3728 wrote to memory of 4508	3728	cmd.exe	85
PID 3728 wrote to memory of 872	3728	cmd.exe	86
PID 3728 wrote to memory of 872	3728	cmd.exe	86
PID 3728 wrote to memory of 2976	3728	cmd.exe	87
PID 3728 wrote to memory of 2976	3728	cmd.exe	87
PID 3728 wrote to memory of 904	3728	cmd.exe	88
PID 3728 wrote to memory of 904	3728	cmd.exe	88
PID 3728 wrote to memory of 3164	3728	cmd.exe	89
PID 3728 wrote to memory of 3164	3728	cmd.exe	89
PID 3728 wrote to memory of 348	3728	cmd.exe	90
PID 3728 wrote to memory of 348	3728	cmd.exe	90
PID 3728 wrote to memory of 1352	3728	cmd.exe	91
PID 3728 wrote to memory of 1352	3728	cmd.exe	91
PID 3728 wrote to memory of 1792	3728	cmd.exe	92
PID 3728 wrote to memory of 1792	3728	cmd.exe	92
PID 3728 wrote to memory of 3044	3728	cmd.exe	93
PID 3728 wrote to memory of 3044	3728	cmd.exe	93
PID 3728 wrote to memory of 1552	3728	cmd.exe	94
PID 3728 wrote to memory of 1552	3728	cmd.exe	94
PID 3728 wrote to memory of 8	3728	cmd.exe	95
PID 3728 wrote to memory of 8	3728	cmd.exe	95
PID 3728 wrote to memory of 2320	3728	cmd.exe	96
PID 3728 wrote to memory of 2320	3728	cmd.exe	96
PID 3728 wrote to memory of 1208	3728	cmd.exe	97
PID 3728 wrote to memory of 1208	3728	cmd.exe	97
PID 3728 wrote to memory of 4540	3728	cmd.exe	100
PID 3728 wrote to memory of 4540	3728	cmd.exe	100
PID 3728 wrote to memory of 2972	3728	cmd.exe	101
PID 3728 wrote to memory of 2972	3728	cmd.exe	101
PID 3728 wrote to memory of 4760	3728	cmd.exe	102
PID 3728 wrote to memory of 4760	3728	cmd.exe	102
PID 3728 wrote to memory of 5084	3728	cmd.exe	103
PID 3728 wrote to memory of 5084	3728	cmd.exe	103
PID 3728 wrote to memory of 3640	3728	cmd.exe	106
PID 3728 wrote to memory of 3640	3728	cmd.exe	106
PID 3728 wrote to memory of 2504	3728	cmd.exe	107
PID 3728 wrote to memory of 2504	3728	cmd.exe	107
PID 3728 wrote to memory of 3968	3728	cmd.exe	108
PID 3728 wrote to memory of 3968	3728	cmd.exe	108
PID 3728 wrote to memory of 764	3728	cmd.exe	109
PID 3728 wrote to memory of 764	3728	cmd.exe	109
PID 3728 wrote to memory of 224	3728	cmd.exe	110
PID 3728 wrote to memory of 224	3728	cmd.exe	110
PID 3728 wrote to memory of 332	3728	cmd.exe	111
PID 3728 wrote to memory of 332	3728	cmd.exe	111
PID 3728 wrote to memory of 568	3728	cmd.exe	112
PID 3728 wrote to memory of 568	3728	cmd.exe	112
PID 3728 wrote to memory of 560	3728	cmd.exe	113
PID 3728 wrote to memory of 560	3728	cmd.exe	113
PID 3728 wrote to memory of 2408	3728	cmd.exe	114
PID 3728 wrote to memory of 2408	3728	cmd.exe	114
PID 3728 wrote to memory of 1228	3728	cmd.exe	115
PID 3728 wrote to memory of 1228	3728	cmd.exe	115
PID 3728 wrote to memory of 4924	3728	cmd.exe	116
PID 3728 wrote to memory of 4924	3728	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\2- Orca V3\Orca V3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4768
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable
  2⤵
  PID:4444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable
  2⤵
  PID:3260
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:4508
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:2976
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-sys" /Disable
  2⤵
  PID:904
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /Disable
  2⤵
  PID:3164
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /Disable
  2⤵
  PID:348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:1352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:1792
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /Disable
  2⤵
  PID:3044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /Disable
  2⤵
  PID:1552
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /Disable
  2⤵
  PID:8
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:2320
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /Disable
  2⤵
  PID:1208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /Disable
  2⤵
  PID:4540
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:2972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /Disable
  2⤵
  PID:4760
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:5084
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineUA" /F
  2⤵
  PID:3640
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore" /F
  2⤵
  PID:2504
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:3968
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:764
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:224
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-sys" /F
  2⤵
  PID:332
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /F
  2⤵
  PID:568
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /F
  2⤵
  PID:560
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /F
  2⤵
  PID:2408
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /F
  2⤵
  PID:1228
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /F
  2⤵
  PID:4924
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /F
  2⤵
  PID:3540
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /F
  2⤵
  PID:1844
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /F
  2⤵
  PID:4900
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /F
  2⤵
  PID:1932
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /F
  2⤵
  PID:528
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /F
  2⤵
  PID:2096
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /F
  2⤵
  PID:2620
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:800
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2784
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2576
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4264
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:612
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:4372
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:564
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:668
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:3440
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  - Launches sc.exe
  PID:2004
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:4404
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  - Launches sc.exe
  PID:2024
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:1560
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:1136
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  - Launches sc.exe
  PID:4432
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:4752
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:1404
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:3000
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:1600
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  - Launches sc.exe
  PID:648
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:3672
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:3096
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:3464
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  PID:4020
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:4284
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  PID:1236
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:2820
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:3696
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:932
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:2464
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:1876
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  PID:4696
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4032
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:3312
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  - Launches sc.exe
  PID:4204
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:3332
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:3228
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  - Launches sc.exe
  PID:4528
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:436
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:1432
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:3868
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  PID:2904
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:2836
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:3584
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:3896
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:480
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:1500
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:3260
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  - Launches sc.exe
  PID:4788
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1480
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:3592
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:1860
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2432
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4400
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4216
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /fd
  2⤵
  PID:1192
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2120
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:116
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4816
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:576
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3984
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:1928
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3112
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:2428
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3676
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:528
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:2096
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:1232
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  - Launches sc.exe
  PID:940
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:3816
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:2040
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:3788
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:1072
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1724
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:2316
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  PID:4672
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:3516
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:3056
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:3996
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:824
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  - Launches sc.exe
  PID:1576
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  - Launches sc.exe
  PID:4880
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3148
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  - Launches sc.exe
  PID:1652
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  - Launches sc.exe
  PID:1808
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  - Launches sc.exe
  PID:2264
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:3364
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  - Launches sc.exe
  PID:3488
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3600
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:1800
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:2336
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:4120
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2896
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:1092
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:4020
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:4284
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:4408
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  sc config Backupper Service" start= disabled
  2⤵
  - Launches sc.exe
  PID:1236
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2820
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  - Launches sc.exe
  PID:1720
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:3696
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:932
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:2712
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:3120
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  - Launches sc.exe
  PID:4792
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:2996
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  - Launches sc.exe
  PID:4228
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:4520
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:4524
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:4460
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  - Launches sc.exe
  PID:3084
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  - Launches sc.exe
  PID:4768
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:2624
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  - Launches sc.exe
  PID:2100
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:3748
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:3772
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:1968
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:3200
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:2072
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:1728
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:2240
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:5028
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:1312
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:5100
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1748
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:4180
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  - Launches sc.exe
  PID:4444
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:3128
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  - Launches sc.exe
  PID:2080
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:392
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  - Launches sc.exe
  PID:4556
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:2504
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  - Launches sc.exe
  PID:1308
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:240
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:2284
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:396
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  - Launches sc.exe
  PID:4232
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  - Launches sc.exe
  PID:556
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:4160
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3764
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:384
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:2244
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4828
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:4380
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:800
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:2808
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:3444
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:3604
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:2576
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:2020
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:5008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:1296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:1984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:4872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:2756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:3924
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:3244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:4996
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:1476
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:3092
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:3440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:2004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:4404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:2024
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:1560
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:1136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:4432
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:4752
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:1404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:3000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:1600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:3672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:3096
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:3972
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:3804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:2652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:2912
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:1656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:4320
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:4592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:3736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:1548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:1364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:4656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:1888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:4780
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:4516
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:4800
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:4268
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:4544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:2804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:2900
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:3136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:1788
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:4956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:4940
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:4812
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:4440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:4784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:1968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:3200
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:2072
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:1728
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:2240
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:5028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:1312
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:5100
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:1748
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:4180
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:4444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:3128
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:2080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:392
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:4556
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:2504
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:1308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:240
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:2284
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:4816
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:576
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:3984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:1928
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:4676
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:3112
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:2428
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:384
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2244
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:4004
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  - Launches sc.exe
  PID:2728
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:4428
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:4504
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:1780
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:1872
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1744
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:3528
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  - Launches sc.exe
  PID:5012
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  - Launches sc.exe
  PID:3516
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  PID:3056
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  PID:3996
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:824
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1576
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4880
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2172
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:3148
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4468
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1808
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1408
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1716
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:4192
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:3828
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:4764
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:1612
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:2280
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:2092
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:2368
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:3464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:2592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:4284
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:4408
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:2388
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:4700
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:3500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:2512
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2824
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  - Launches sc.exe
  PID:932
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  PID:2712
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:4032
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3312
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:3012
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:4268
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:4544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:2804
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2900
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:2836
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:3584
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:3896
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:1904
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1900
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:3216
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:2164
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:1500
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:5028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:1312
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:5100
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:1748
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:4180
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:4444
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  - Launches sc.exe
  PID:3128
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  - Launches sc.exe
  PID:2080
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:392
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:2504
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1308
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:240
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  - Launches sc.exe
  PID:2284
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:560
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:4816
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:576
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:3984
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  PID:1928
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:4676
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:3112
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  PID:2428
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:384
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  PID:2096
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  - Launches sc.exe
  PID:4380
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:800
- C:\Windows\system32\sc.exe
  sc config logi_lamparray_service start=disabled
  2⤵
  PID:4828
- C:\Windows\system32\sc.exe
  sc config LGHUBUpdaterService start=disabled
  2⤵
  PID:4428
- C:\Windows\system32\sc.exe
  sc config SteelSeriesGGUpdateServiceProxy start=disabled
  2⤵
  - Launches sc.exe
  PID:4504
- C:\Windows\system32\sc.exe
  sc config RzActionSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1780
- C:\Windows\system32\sc.exe
  sc config RazerElevationService start=disabled
  2⤵
  - Launches sc.exe
  PID:1872
- C:\Windows\system32\sc.exe
  sc config RazerGameManagerService start=disabled
  2⤵
  - Launches sc.exe
  PID:3064
- C:\Windows\system32\sc.exe
  sc config RazerGameManagerService3 start=disabled
  2⤵
  PID:1744
- C:\Windows\system32\sc.exe
  sc config RazerSynapseService start=disabled
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  - Launches sc.exe
  PID:3032
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:2988
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:2764
- C:\Windows\system32\sc.exe
  sc config GigabyteUpdateService start=disabled
  2⤵
  PID:4584
- C:\Windows\system32\sc.exe
  sc config CCleanerBrowserElevationService start=disabled
  2⤵
  PID:5012
- C:\Windows\system32\sc.exe
  sc config ccleaner start=disabled
  2⤵
  PID:4264
- C:\Windows\system32\sc.exe
  sc config ccleanerm start=disabled
  2⤵
  PID:2756
- C:\Windows\system32\sc.exe
  sc config CCleanerPerformanceOptimizerService start=disabled
  2⤵
  - Launches sc.exe
  PID:3924
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:824
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:1576
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  - Launches sc.exe
  PID:4880
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:3148
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:1652
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:1808
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1408
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:3488
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:3600
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:1800
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:2780
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  - Launches sc.exe
  PID:4216
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:2896
- C:\Windows\system32\sc.exe
  sc config AMD Crash Defender Service start=disabled
  2⤵
  PID:1092
- C:\Windows\system32\sc.exe
  sc config AMD External Events Utility start=disabled
  2⤵
  - Launches sc.exe
  PID:3972
- C:\Windows\system32\sc.exe
  sc config AUEPLauncher start=disabled
  2⤵
  PID:4412
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:3688
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:1656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:4012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:4592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:3732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:3852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:2832
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:3668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:2720
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:3504
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:3424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:3564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:3904
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:4100
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:3496
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:3612
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:1548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:1364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:2292
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:1888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:4780
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:1812
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3312
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:4244
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:4528
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:4460
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:4228
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:2492
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:3784
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:2844
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:2904
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:4940
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4812