3b1189ee57ef95b9164a3908f33115d58e34edf0fc856ae256f7ec1910d86f21

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(Full Package) One Click OPT Ver - 6.7/1- One Click OPT/2- Orca V3/Orca V3.bat
Size

35KB
MD5

2f1c0a6e88c644e1fe7f7208e0029b14
SHA1

fd11c4fcb106f51db0f94091e2f46b1bd142609b
SHA256

f7e541ae25adf370120698c1d55f77d15c42209378b09b996a12e8a6bf90a996
SHA512

236cbb90131e654f33dca660ba7532ac59e22ce58edaeaa15cfc50c66d738e6ac5b847be11986655ef8c168a1c27c5e4dc01972d7d3a990d3650a16ccab5a2d2
SSDEEP

384:U66Vcy9CzCPhjszIuG4cD1hzGbs7dffqLzVHPAFwH2V09PsB7olKElQKac+iD3MF:Z6Vcy9CzCPhaigxWFoKElQKac+iDDTDO

Score

10^/10

defense_evasion discovery evasion execution exploit

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3564	icacls.exe
1472	takeown.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1472	takeown.exe
3564	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
436	sc.exe
4440	sc.exe
3292	sc.exe
2168	sc.exe
5000	sc.exe
4292	sc.exe
2552	sc.exe
1564	sc.exe
836	sc.exe
3056	sc.exe
4332	sc.exe
2628	sc.exe
852	sc.exe
1336	sc.exe
3116	sc.exe
2552	sc.exe
3940	sc.exe
4676	sc.exe
4984	sc.exe
836	sc.exe
1244	sc.exe
2252	sc.exe
2552	sc.exe
5040	sc.exe
1428	sc.exe
4016	sc.exe
2428	sc.exe
3972	sc.exe
1248	sc.exe
1440	sc.exe
2060	sc.exe
4548	sc.exe
3520	sc.exe
1960	sc.exe
4912	sc.exe
3152	sc.exe
2908	sc.exe
1136	sc.exe
4016	sc.exe
4864	sc.exe
3956	sc.exe
3292	sc.exe
2412	sc.exe
2372	sc.exe
4292	sc.exe
216	sc.exe
2828	sc.exe
2288	sc.exe
1568	sc.exe
3460	sc.exe
4912	sc.exe
1712	sc.exe
760	sc.exe
4268	sc.exe
428	sc.exe
2320	sc.exe
1248	sc.exe
3316	sc.exe
4284	sc.exe
3444	sc.exe
3940	sc.exe
2012	sc.exe
208	sc.exe
3940	sc.exe

Delays execution with timeout.exe 16 IoCs

evasion

pid	Process
3796	timeout.exe
2172	timeout.exe
2600	timeout.exe
4240	timeout.exe
376	timeout.exe
4676	timeout.exe
4980	timeout.exe
4768	timeout.exe
432	timeout.exe
4840	timeout.exe
4632	timeout.exe
2016	timeout.exe
780	timeout.exe
1796	timeout.exe
3732	timeout.exe
3200	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3444	taskkill.exe
2512	taskkill.exe
4092	taskkill.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1472	takeown.exe
Token: SeDebugPrivilege	3444	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 3276	5008	cmd.exe	85
PID 5008 wrote to memory of 3276	5008	cmd.exe	85
PID 5008 wrote to memory of 432	5008	cmd.exe	86
PID 5008 wrote to memory of 432	5008	cmd.exe	86
PID 5008 wrote to memory of 1848	5008	cmd.exe	87
PID 5008 wrote to memory of 1848	5008	cmd.exe	87
PID 5008 wrote to memory of 4740	5008	cmd.exe	88
PID 5008 wrote to memory of 4740	5008	cmd.exe	88
PID 5008 wrote to memory of 2364	5008	cmd.exe	89
PID 5008 wrote to memory of 2364	5008	cmd.exe	89
PID 5008 wrote to memory of 4604	5008	cmd.exe	90
PID 5008 wrote to memory of 4604	5008	cmd.exe	90
PID 5008 wrote to memory of 2824	5008	cmd.exe	91
PID 5008 wrote to memory of 2824	5008	cmd.exe	91
PID 5008 wrote to memory of 4368	5008	cmd.exe	92
PID 5008 wrote to memory of 4368	5008	cmd.exe	92
PID 5008 wrote to memory of 1740	5008	cmd.exe	93
PID 5008 wrote to memory of 1740	5008	cmd.exe	93
PID 5008 wrote to memory of 4436	5008	cmd.exe	94
PID 5008 wrote to memory of 4436	5008	cmd.exe	94
PID 5008 wrote to memory of 3152	5008	cmd.exe	95
PID 5008 wrote to memory of 3152	5008	cmd.exe	95
PID 5008 wrote to memory of 3520	5008	cmd.exe	96
PID 5008 wrote to memory of 3520	5008	cmd.exe	96
PID 5008 wrote to memory of 320	5008	cmd.exe	97
PID 5008 wrote to memory of 320	5008	cmd.exe	97
PID 5008 wrote to memory of 4844	5008	cmd.exe	98
PID 5008 wrote to memory of 4844	5008	cmd.exe	98
PID 5008 wrote to memory of 2876	5008	cmd.exe	99
PID 5008 wrote to memory of 2876	5008	cmd.exe	99
PID 5008 wrote to memory of 3352	5008	cmd.exe	100
PID 5008 wrote to memory of 3352	5008	cmd.exe	100
PID 5008 wrote to memory of 4116	5008	cmd.exe	101
PID 5008 wrote to memory of 4116	5008	cmd.exe	101
PID 5008 wrote to memory of 3404	5008	cmd.exe	102
PID 5008 wrote to memory of 3404	5008	cmd.exe	102
PID 5008 wrote to memory of 2296	5008	cmd.exe	103
PID 5008 wrote to memory of 2296	5008	cmd.exe	103
PID 5008 wrote to memory of 3260	5008	cmd.exe	104
PID 5008 wrote to memory of 3260	5008	cmd.exe	104
PID 5008 wrote to memory of 4840	5008	cmd.exe	105
PID 5008 wrote to memory of 4840	5008	cmd.exe	105
PID 5008 wrote to memory of 2992	5008	cmd.exe	107
PID 5008 wrote to memory of 2992	5008	cmd.exe	107
PID 5008 wrote to memory of 2792	5008	cmd.exe	108
PID 5008 wrote to memory of 2792	5008	cmd.exe	108
PID 5008 wrote to memory of 5104	5008	cmd.exe	109
PID 5008 wrote to memory of 5104	5008	cmd.exe	109
PID 5008 wrote to memory of 4084	5008	cmd.exe	110
PID 5008 wrote to memory of 4084	5008	cmd.exe	110
PID 5008 wrote to memory of 4756	5008	cmd.exe	111
PID 5008 wrote to memory of 4756	5008	cmd.exe	111
PID 5008 wrote to memory of 3544	5008	cmd.exe	112
PID 5008 wrote to memory of 3544	5008	cmd.exe	112
PID 5008 wrote to memory of 3968	5008	cmd.exe	113
PID 5008 wrote to memory of 3968	5008	cmd.exe	113
PID 5008 wrote to memory of 2832	5008	cmd.exe	114
PID 5008 wrote to memory of 2832	5008	cmd.exe	114
PID 5008 wrote to memory of 3024	5008	cmd.exe	115
PID 5008 wrote to memory of 3024	5008	cmd.exe	115
PID 5008 wrote to memory of 2288	5008	cmd.exe	116
PID 5008 wrote to memory of 2288	5008	cmd.exe	116
PID 5008 wrote to memory of 3896	5008	cmd.exe	117
PID 5008 wrote to memory of 3896	5008	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\(Full Package) One Click OPT Ver - 6.7\1- One Click OPT\2- Orca V3\Orca V3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3276
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:432
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineUA" /Disable
  2⤵
  PID:1848
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "MicrosoftEdgeUpdateTaskMachineCore" /Disable
  2⤵
  PID:4740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:2364
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:4604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /Disable
  2⤵
  PID:2824
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "update-sys" /Disable
  2⤵
  PID:4368
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /Disable
  2⤵
  PID:1740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /Disable
  2⤵
  PID:4436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:3152
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:3520
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /Disable
  2⤵
  PID:320
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /Disable
  2⤵
  PID:4844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /Disable
  2⤵
  PID:2876
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:3352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /Disable
  2⤵
  PID:4116
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /Disable
  2⤵
  PID:3404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:2296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /Disable
  2⤵
  PID:3260
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4840
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineUA" /F
  2⤵
  PID:2992
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "MicrosoftEdgeUpdateTaskMachineCore" /F
  2⤵
  PID:2792
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Reporting Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:5104
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "OneDrive Standalone Update Task-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:4084
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-S-1-5-21-2240390734-3588247625-2595490332-1001" /F
  2⤵
  PID:4756
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "update-sys" /F
  2⤵
  PID:3544
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UNP\RunUpdateNotificationMgr" /F
  2⤵
  PID:3968
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work" /F
  2⤵
  PID:2832
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /F
  2⤵
  PID:3024
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /F
  2⤵
  PID:2288
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work" /F
  2⤵
  PID:3896
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Schedule Work" /F
  2⤵
  PID:2096
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Start Oobe Expedite Work" /F
  2⤵
  PID:4172
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\Report policies" /F
  2⤵
  PID:2660
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScan_LicenseAccepted" /F
  2⤵
  PID:4372
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\StartOobeAppsScanAfterUpdate" /F
  2⤵
  PID:312
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /F
  2⤵
  PID:3320
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "\Microsoft\Windows\UpdateOrchestrator\UUS Failover Task" /F
  2⤵
  PID:4504
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2172
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3564
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2600
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3444
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:780
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:3604
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:2492
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:3956
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4016
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:3200
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:1164
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:1340
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:1404
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3940
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:5000
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  - Launches sc.exe
  PID:2428
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:3992
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:4876
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:1384
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:2624
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:1928
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:4768
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  PID:532
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4912
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1244
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:224
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  - Launches sc.exe
  PID:836
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  PID:4348
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:3976
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:4440
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:1276
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:3256
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:3056
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  - Launches sc.exe
  PID:2552
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:3388
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:1712
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:4044
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:2364
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:4604
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  - Launches sc.exe
  PID:1336
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:460
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:2100
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:1848
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  PID:2004
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3316
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:3020
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  - Launches sc.exe
  PID:2168
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:4508
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:4320
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  PID:2876
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:3116
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:2704
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:4528
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4240
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5040
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4624
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /fd
  2⤵
  PID:960
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:920
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4676
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4032
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4068
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4328
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4468
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:4628
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1476
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:4864
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3712
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:1620
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:4092
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  - Launches sc.exe
  PID:2060
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:1352
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  PID:3216
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:3400
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  - Launches sc.exe
  PID:4548
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:2492
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4284
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2252
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  - Launches sc.exe
  PID:4016
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  PID:1508
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:2772
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  - Launches sc.exe
  PID:1248
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3940
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  - Launches sc.exe
  PID:5000
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:2428
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:4324
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  PID:4800
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:1876
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1428
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:3700
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3972
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  - Launches sc.exe
  PID:428
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:532
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  - Launches sc.exe
  PID:4912
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  - Launches sc.exe
  PID:2828
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  PID:2204
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:4364
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2012
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:1960
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:3756
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:1132
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:2852
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3056
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2552
- C:\Windows\system32\sc.exe
  sc config Backupper Service" start= disabled
  2⤵
  PID:3388
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:1136
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  - Launches sc.exe
  PID:4332
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:4884
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:1172
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:1604
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:460
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:3376
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:3736
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2628
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  - Launches sc.exe
  PID:3152
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  - Launches sc.exe
  PID:3520
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  - Launches sc.exe
  PID:852
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:2732
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  PID:4844
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:4320
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:2876
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  - Launches sc.exe
  PID:3116
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:2704
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  - Launches sc.exe
  PID:2320
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:1632
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2288
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  - Launches sc.exe
  PID:3292
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:3724
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:2296
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:4504
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  - Launches sc.exe
  PID:5040
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:312
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  PID:4920
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:4624
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:4372
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  - Launches sc.exe
  PID:760
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:1472
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  - Launches sc.exe
  PID:4676
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:2408
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:3720
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:3188
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  - Launches sc.exe
  PID:2412
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:2248
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:4460
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:2600
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:508
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  PID:756
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  - Launches sc.exe
  PID:4864
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:1708
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:1036
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:1796
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:2060
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:1352
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:3216
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:3400
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:1692
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:4908
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:2596
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:228
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:1508
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:2772
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:1248
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:3940
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:5000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:3992
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:1384
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:1428
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:4768
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:1772
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:3124
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:1244
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:224
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:2956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:1568
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:2012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:3460
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:3256
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:2068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:388
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:4740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:1136
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:4332
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:4884
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:1172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:1604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:2100
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:4436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:3316
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:3740
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:3088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:1436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:4720
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:748
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:3732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:3404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:864
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:3968
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:2288
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:1908
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:4240
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:4504
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:3016
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:3004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:3012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:4372
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:956
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:3564
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:4676
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:1716
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:4040
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:4328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:3420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:4628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:2616
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:508
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:3464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:4080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:2036
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:4184
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:2060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:1352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:3216
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:2492
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:5092
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:5056
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:2800
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:2372
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:1512
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:4888
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:1344
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:3784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:3992
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:1384
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:1428
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:376
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:4300
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:4712
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:4304
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  - Launches sc.exe
  PID:836
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  PID:4348
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1960
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  - Launches sc.exe
  PID:3460
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  - Launches sc.exe
  PID:436
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:3876
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3956
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2552
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:1712
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4640
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4604
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1336
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:2952
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4344
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3736
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4176
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3520
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3304
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:2380
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:372
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:852
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:2732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:4844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:3352
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:3224
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:2008
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:5020
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:2680
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:3492
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:1088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:3040
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:2296
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:1432
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:2464
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4632
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:2172
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  - Launches sc.exe
  PID:208
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:5064
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:2408
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4676
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:3188
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:4468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:4328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:3420
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4980
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  - Launches sc.exe
  PID:3444
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:3712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:3464
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:1620
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1796
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:4184
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:2060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:3604
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:4060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:1692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:4284
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:3200
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:1164
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  - Launches sc.exe
  PID:2372
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:2772
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  - Launches sc.exe
  PID:1248
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  - Launches sc.exe
  PID:3940
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:5000
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:3272
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:2624
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:776
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  PID:1384
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:4776
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4768
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:3124
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:4432
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  - Launches sc.exe
  PID:1568
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:3276
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  - Launches sc.exe
  PID:4440
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  PID:4260
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  PID:2700
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  PID:2328
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  PID:1388
- C:\Windows\system32\sc.exe
  sc config logi_lamparray_service start=disabled
  2⤵
  PID:436
- C:\Windows\system32\sc.exe
  sc config LGHUBUpdaterService start=disabled
  2⤵
  - Launches sc.exe
  PID:216
- C:\Windows\system32\sc.exe
  sc config SteelSeriesGGUpdateServiceProxy start=disabled
  2⤵
  PID:432
- C:\Windows\system32\sc.exe
  sc config RzActionSvc start=disabled
  2⤵
  PID:368
- C:\Windows\system32\sc.exe
  sc config RazerElevationService start=disabled
  2⤵
  - Launches sc.exe
  PID:2908
- C:\Windows\system32\sc.exe
  sc config RazerGameManagerService start=disabled
  2⤵
  PID:4740
- C:\Windows\system32\sc.exe
  sc config RazerGameManagerService3 start=disabled
  2⤵
  - Launches sc.exe
  PID:1136
- C:\Windows\system32\sc.exe
  sc config RazerSynapseService start=disabled
  2⤵
  PID:2824
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:4368
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  PID:1172
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config GigabyteUpdateService start=disabled
  2⤵
  - Launches sc.exe
  PID:4984
- C:\Windows\system32\sc.exe
  sc config CCleanerBrowserElevationService start=disabled
  2⤵
  PID:2100
- C:\Windows\system32\sc.exe
  sc config ccleaner start=disabled
  2⤵
  PID:4436
- C:\Windows\system32\sc.exe
  sc config ccleanerm start=disabled
  2⤵
  - Launches sc.exe
  PID:1440
- C:\Windows\system32\sc.exe
  sc config CCleanerPerformanceOptimizerService start=disabled
  2⤵
  - Launches sc.exe
  PID:4268
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  - Launches sc.exe
  PID:1564
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:3304
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:2380
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:3484
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:3740
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:3088
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:1436
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  PID:4720
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  PID:748
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3732
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:2704
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  PID:864
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  - Launches sc.exe
  PID:3292
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:212
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:1908
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:5040
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:2296
- C:\Windows\system32\sc.exe
  sc config AMD Crash Defender Service start=disabled
  2⤵
  PID:4504
- C:\Windows\system32\sc.exe
  sc config AMD External Events Utility start=disabled
  2⤵
  PID:312
- C:\Windows\system32\sc.exe
  sc config AUEPLauncher start=disabled
  2⤵
  PID:4396
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3796
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:2840
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:908
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:2628
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:1644
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:3448
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:4780
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:3544
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:2096
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:4172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:2796
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:1208
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:4372
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:760
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:4964
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:5028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:4068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:4040
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:4468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:4328
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:3420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:1476
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:5012
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:2016
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:4092
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:2616
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:2036
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:3532
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:2060
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:3604
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:4060
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:1692
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:4284
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3200