3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/2- Orca V3/Orca V3.bat
Size

35KB
MD5

2f1c0a6e88c644e1fe7f7208e0029b14
SHA1

fd11c4fcb106f51db0f94091e2f46b1bd142609b
SHA256

f7e541ae25adf370120698c1d55f77d15c42209378b09b996a12e8a6bf90a996
SHA512

236cbb90131e654f33dca660ba7532ac59e22ce58edaeaa15cfc50c66d738e6ac5b847be11986655ef8c168a1c27c5e4dc01972d7d3a990d3650a16ccab5a2d2
SSDEEP

384:U66Vcy9CzCPhjszIuG4cD1hzGbs7dffqLzVHPAFwH2V09PsB7olKElQKac+iD3MF:Z6Vcy9CzCPhaigxWFoKElQKac+iDDTDO

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	reg.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2712	cmd.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2200	sc.exe
1368	sc.exe
692	sc.exe
1352	sc.exe
1940	sc.exe
2332	sc.exe
2560	sc.exe
2444	sc.exe
2960	sc.exe
2888	sc.exe
2392	sc.exe
2672	sc.exe
2052	sc.exe
2864	sc.exe
2296	sc.exe
616	sc.exe
2580	sc.exe
320	sc.exe
1028	sc.exe
1388	sc.exe
2752	sc.exe
2176	sc.exe
2344	sc.exe
540	sc.exe
864	sc.exe
2412	sc.exe
2472	sc.exe
700	sc.exe
2224	sc.exe
2460	sc.exe
1528	sc.exe
2080	sc.exe
2164	sc.exe
2064	sc.exe
636	sc.exe
2076	sc.exe
1780	sc.exe
1528	sc.exe
1520	sc.exe
2720	sc.exe
536	sc.exe
1464	sc.exe
1012	sc.exe
1728	sc.exe
1756	sc.exe
2828	sc.exe
2616	sc.exe
1736	sc.exe
2640	sc.exe
2732	sc.exe
2340	sc.exe
1560	sc.exe
2024	sc.exe
1760	sc.exe
1712	sc.exe
2348	sc.exe
2560	sc.exe
2516	sc.exe
2900	sc.exe
2016	sc.exe
2632	sc.exe
2852	sc.exe
1276	sc.exe
596	sc.exe

Delays execution with timeout.exe 16 IoCs

evasion

pid	Process
1072	timeout.exe
2800	timeout.exe
1836	timeout.exe
2500	timeout.exe
2844	timeout.exe
3032	timeout.exe
3068	timeout.exe
2324	timeout.exe
1604	timeout.exe
3004	timeout.exe
2876	timeout.exe
1560	timeout.exe
1108	timeout.exe
2232	timeout.exe
884	timeout.exe
1636	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2932	taskkill.exe
3068	taskkill.exe
2948	taskkill.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2824	2712	cmd.exe	31
PID 2712 wrote to memory of 2824	2712	cmd.exe	31
PID 2712 wrote to memory of 2824	2712	cmd.exe	31
PID 2712 wrote to memory of 3004	2712	cmd.exe	32
PID 2712 wrote to memory of 3004	2712	cmd.exe	32
PID 2712 wrote to memory of 3004	2712	cmd.exe	32
PID 2712 wrote to memory of 2744	2712	cmd.exe	33
PID 2712 wrote to memory of 2744	2712	cmd.exe	33
PID 2712 wrote to memory of 2744	2712	cmd.exe	33
PID 2712 wrote to memory of 2808	2712	cmd.exe	34
PID 2712 wrote to memory of 2808	2712	cmd.exe	34
PID 2712 wrote to memory of 2808	2712	cmd.exe	34
PID 2712 wrote to memory of 2996	2712	cmd.exe	35
PID 2712 wrote to memory of 2996	2712	cmd.exe	35
PID 2712 wrote to memory of 2996	2712	cmd.exe	35
PID 2712 wrote to memory of 2716	2712	cmd.exe	36
PID 2712 wrote to memory of 2716	2712	cmd.exe	36
PID 2712 wrote to memory of 2716	2712	cmd.exe	36
PID 2712 wrote to memory of 2652	2712	cmd.exe	37
PID 2712 wrote to memory of 2652	2712	cmd.exe	37
PID 2712 wrote to memory of 2652	2712	cmd.exe	37
PID 2712 wrote to memory of 2856	2712	cmd.exe	38
PID 2712 wrote to memory of 2856	2712	cmd.exe	38
PID 2712 wrote to memory of 2856	2712	cmd.exe	38
PID 2712 wrote to memory of 2576	2712	cmd.exe	39
PID 2712 wrote to memory of 2576	2712	cmd.exe	39
PID 2712 wrote to memory of 2576	2712	cmd.exe	39
PID 2712 wrote to memory of 2692	2712	cmd.exe	40
PID 2712 wrote to memory of 2692	2712	cmd.exe	40
PID 2712 wrote to memory of 2692	2712	cmd.exe	40
PID 2712 wrote to memory of 1236	2712	cmd.exe	41
PID 2712 wrote to memory of 1236	2712	cmd.exe	41
PID 2712 wrote to memory of 1236	2712	cmd.exe	41
PID 2712 wrote to memory of 2804	2712	cmd.exe	42
PID 2712 wrote to memory of 2804	2712	cmd.exe	42
PID 2712 wrote to memory of 2804	2712	cmd.exe	42
PID 2712 wrote to memory of 2020	2712	cmd.exe	43
PID 2712 wrote to memory of 2020	2712	cmd.exe	43
PID 2712 wrote to memory of 2020	2712	cmd.exe	43
PID 2712 wrote to memory of 2544	2712	cmd.exe	44
PID 2712 wrote to memory of 2544	2712	cmd.exe	44
PID 2712 wrote to memory of 2544	2712	cmd.exe	44
PID 2712 wrote to memory of 2568	2712	cmd.exe	45
PID 2712 wrote to memory of 2568	2712	cmd.exe	45
PID 2712 wrote to memory of 2568	2712	cmd.exe	45
PID 2712 wrote to memory of 2600	2712	cmd.exe	46
PID 2712 wrote to memory of 2600	2712	cmd.exe	46
PID 2712 wrote to memory of 2600	2712	cmd.exe	46
PID 2712 wrote to memory of 2628	2712	cmd.exe	47
PID 2712 wrote to memory of 2628	2712	cmd.exe	47
PID 2712 wrote to memory of 2628	2712	cmd.exe	47
PID 2712 wrote to memory of 2056	2712	cmd.exe	48
PID 2712 wrote to memory of 2056	2712	cmd.exe	48
PID 2712 wrote to memory of 2056	2712	cmd.exe	48
PID 2712 wrote to memory of 2612	2712	cmd.exe	49
PID 2712 wrote to memory of 2612	2712	cmd.exe	49
PID 2712 wrote to memory of 2612	2712	cmd.exe	49
PID 2712 wrote to memory of 2052	2712	cmd.exe	50
PID 2712 wrote to memory of 2052	2712	cmd.exe	50
PID 2712 wrote to memory of 2052	2712	cmd.exe	50
PID 2712 wrote to memory of 2232	2712	cmd.exe	51
PID 2712 wrote to memory of 2232	2712	cmd.exe	51
PID 2712 wrote to memory of 2232	2712	cmd.exe	51
PID 2712 wrote to memory of 448	2712	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\2- Orca V3\Orca V3.bat"
1⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2824
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable
  2⤵
  PID:2744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable
  2⤵
  PID:2808
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:2996
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:2716
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:2652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-sys" /Disable
  2⤵
  PID:2856
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /Disable
  2⤵
  PID:2576
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /Disable
  2⤵
  PID:2692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:1236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:2804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /Disable
  2⤵
  PID:2020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /Disable
  2⤵
  PID:2544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /Disable
  2⤵
  PID:2568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:2600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /Disable
  2⤵
  PID:2628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /Disable
  2⤵
  PID:2056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:2612
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /Disable
  2⤵
  PID:2052
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2232
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineUA" /F
  2⤵
  PID:448
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore" /F
  2⤵
  PID:2880
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:1304
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:1272
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:2252
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-sys" /F
  2⤵
  PID:2588
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /F
  2⤵
  PID:2408
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /F
  2⤵
  PID:2396
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /F
  2⤵
  PID:1840
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /F
  2⤵
  PID:2084
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /F
  2⤵
  PID:2912
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /F
  2⤵
  PID:2484
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /F
  2⤵
  PID:2852
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /F
  2⤵
  PID:2784
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /F
  2⤵
  PID:2800
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /F
  2⤵
  PID:1036
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /F
  2⤵
  PID:540
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /F
  2⤵
  PID:2860
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2876
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2844
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1072
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:1060
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:476
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:588
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  - Launches sc.exe
  PID:320
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  PID:1408
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:2492
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:2384
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:2352
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:2736
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  PID:2144
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:2120
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:2512
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  - Launches sc.exe
  PID:2224
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2200
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:2100
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  - Launches sc.exe
  PID:2392
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:2404
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:2112
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:444
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:1088
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1756
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:1836
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2340
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:1992
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  - Launches sc.exe
  PID:864
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1028
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:2428
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:964
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  - Launches sc.exe
  PID:2516
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:2504
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  - Launches sc.exe
  PID:1940
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:1000
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  - Launches sc.exe
  PID:636
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1520
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:2344
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:2360
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  - Launches sc.exe
  PID:1368
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1560
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  PID:1584
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  - Launches sc.exe
  PID:2472
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2024
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:1740
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:1324
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2444
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:1744
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:2476
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3032
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1652
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /fd
  2⤵
  PID:2328
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1624
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2240
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:2320
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1512
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:2940
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:1016
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1564
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:2276
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1996
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:2280
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:1976
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:904
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:2104
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  - Launches sc.exe
  PID:2460
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:2828
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:1612
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  - Launches sc.exe
  PID:2752
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:2684
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:860
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:2832
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  PID:288
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:2064
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  - Launches sc.exe
  PID:1528
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:2604
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:2548
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:2580
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  - Launches sc.exe
  PID:2616
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  - Launches sc.exe
  PID:2672
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  PID:1056
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  PID:2052
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:2872
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:2216
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:1156
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:1160
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:644
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2412
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  - Launches sc.exe
  PID:1276
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:2648
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1736
- C:\Windows\system32\sc.exe
  sc config Backupper Service" start= disabled
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2960
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  PID:2976
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1388
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:584
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2640
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  - Launches sc.exe
  PID:2888
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:536
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  - Launches sc.exe
  PID:692
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:2884
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  - Launches sc.exe
  PID:2900
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:2608
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:3056
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  PID:2964
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:3068
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  - Launches sc.exe
  PID:1352
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:2440
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  - Launches sc.exe
  PID:596
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  - Launches sc.exe
  PID:700
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:1968
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:1980
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  - Launches sc.exe
  PID:2016
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  - Launches sc.exe
  PID:2176
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  - Launches sc.exe
  PID:2080
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:3028
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2076
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:2204
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:2156
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:1808
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  - Launches sc.exe
  PID:2164
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:1876
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:2124
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:3036
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:408
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:2448
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:868
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:2264
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  - Launches sc.exe
  PID:2332
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:2292
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:1444
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:852
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  - Launches sc.exe
  PID:616
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:1412
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:1884
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  - Launches sc.exe
  PID:1464
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:2316
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:2500
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:916
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:928
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:1772
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:2196
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:3016
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:1540
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:1936
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:3052
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:1544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:2688
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:2336
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:340
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:1308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:1872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:2140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:2000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:2324
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:1684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:3020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:2464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:1652
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:816
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:1624
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:2480
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:2320
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:1512
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:1572
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:1564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:2456
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:2280
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:1976
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:2172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:904
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:2104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:2460
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:2012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:2828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:1580
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:2296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:1612
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:2752
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:2684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:860
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:2832
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:288
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:2064
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:2732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:1528
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:2720
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:2724
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:2604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:2548
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:2560
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:2580
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:2616
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:2672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:1056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:2388
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:2052
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:2872
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:2216
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:1156
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:1160
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:644
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:2412
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:1276
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:2648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:1736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:2952
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:2960
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:2976
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:1388
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:584
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:2640
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:2888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:536
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:2884
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:2900
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:2532
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:2608
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:3056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:2964
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3068
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  - Launches sc.exe
  PID:1760
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:1352
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:2440
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:596
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:700
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:1008
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1780
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:2736
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:1432
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  PID:2208
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2348
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:2180
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2160
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2124
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:2404
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2112
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:408
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2284
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1148
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:868
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:1756
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:1812
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:2332
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:2340
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:1956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:1256
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:1300
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:2428
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:964
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:1620
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:1044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:2496
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:1940
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:1616
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:1000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:636
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:884
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  - Launches sc.exe
  PID:2344
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  PID:3008
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:1368
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1560
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:1864
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  - Launches sc.exe
  PID:1012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:1820
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:1524
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1636
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:1676
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:1456
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:2140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:2000
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2324
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:3032
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  - Launches sc.exe
  PID:2632
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:2328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:2312
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:2240
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:2320
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:2988
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:1016
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:2424
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:1996
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:1984
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:1960
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:1768
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1728
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:1144
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:2772
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1604
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  - Launches sc.exe
  PID:1712
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:2816
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:2756
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  PID:3004
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:2032
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:2684
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  PID:860
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  PID:2832
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  PID:288
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  - Launches sc.exe
  PID:2064
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:2732
- C:\Windows\system32\sc.exe
  sc config logi_lamparray_service start=disabled
  2⤵
  - Launches sc.exe
  PID:1528
- C:\Windows\system32\sc.exe
  sc config LGHUBUpdaterService start=disabled
  2⤵
  PID:2720
- C:\Windows\system32\sc.exe
  sc config SteelSeriesGGUpdateServiceProxy start=disabled
  2⤵
  PID:2724
- C:\Windows\system32\sc.exe
  sc config RzActionSvc start=disabled
  2⤵
  PID:2604
- C:\Windows\system32\sc.exe
  sc config RazerElevationService start=disabled
  2⤵
  PID:2548
- C:\Windows\system32\sc.exe
  sc config RazerGameManagerService start=disabled
  2⤵
  - Launches sc.exe
  PID:2560
- C:\Windows\system32\sc.exe
  sc config RazerGameManagerService3 start=disabled
  2⤵
  - Launches sc.exe
  PID:2580
- C:\Windows\system32\sc.exe
  sc config RazerSynapseService start=disabled
  2⤵
  PID:2616
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:2672
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:1056
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:2388
- C:\Windows\system32\sc.exe
  sc config GigabyteUpdateService start=disabled
  2⤵
  - Launches sc.exe
  PID:2052
- C:\Windows\system32\sc.exe
  sc config CCleanerBrowserElevationService start=disabled
  2⤵
  PID:2872
- C:\Windows\system32\sc.exe
  sc config ccleaner start=disabled
  2⤵
  PID:2216
- C:\Windows\system32\sc.exe
  sc config ccleanerm start=disabled
  2⤵
  PID:1156
- C:\Windows\system32\sc.exe
  sc config CCleanerPerformanceOptimizerService start=disabled
  2⤵
  PID:1160
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:644
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:2412
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:1276
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:2648
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:1736
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:2952
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:2960
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  - Launches sc.exe
  PID:2852
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:2784
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2800
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  - Launches sc.exe
  PID:2864
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  - Launches sc.exe
  PID:540
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:2868
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:2876
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:2844
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:2932
- C:\Windows\system32\sc.exe
  sc config AMD Crash Defender Service start=disabled
  2⤵
  PID:2972
- C:\Windows\system32\sc.exe
  sc config AMD External Events Utility start=disabled
  2⤵
  PID:2984
- C:\Windows\system32\sc.exe
  sc config AUEPLauncher start=disabled
  2⤵
  PID:112
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1108
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:1760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:1352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:2440
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:596
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:1968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:1980
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:2016
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:2152
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:2136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:2068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:2736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:1432
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:2208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:2348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:2180
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:2200
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:2392
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:2124
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:2244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:408
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:1088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:868
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1836
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:2332
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:1992
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:864
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:852
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:716
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:1412
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:2524
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:1464
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:2504
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2500