67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c

Analysis

max time kernel
375s
max time network
372s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
27/03/2025, 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Oneclick-V7.0.bat
Size

201KB
MD5

c8e2a0c12285b709fc839a4c7cbd6e1a
SHA1

cae0726adbd932745e4e4db37c82c5839f632efa
SHA256

67b5e27f2726692662d746c555d403d35293c6bf6eb0f5d8beaba417872a5d9c
SHA512

a99ca57c12ab00bd160747812ef71518cff0db5b8962b6b21694f0e9d7682830642290c8cbef7a83368ea7b302730e3d0930761edae15fca51247ee8f14bdc18
SSDEEP

1536:8PSPKdigMQgPTjIV4QJ8STaggyjH/nvfHH4pXfCWOBEzCLiD15ToSmcj/DB:MfjvvfeTTmcTDB

Score

10^/10

defense_evasion discovery evasion execution exploit persistence privilege_escalation ransomware trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3316	bcdedit.exe
4540	Process not Found
5360	Process not Found
1168	Process not Found

Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe
4816	powershell.exe
4820	Process not Found
1704	Process not Found
2404	powershell.exe
2628	powershell.exe
4484	Process not Found
2864	Process not Found
760	Process not Found
2360	Process not Found
4052	Process not Found
4444	Process not Found
3804	powershell.exe
1616	powershell.exe
832	powershell.exe
2012	Process not Found
5040	Process not Found
4600	Process not Found
5464	Process not Found
5792	Process not Found
5136	Process not Found
4296	Process not Found
6084	Process not Found
3972	Process not Found
1404	Process not Found
5692	Process not Found
3704	Process not Found
5328	Process not Found
4220	Process not Found
3512	Process not Found
3344	Process not Found
1244	powershell.exe
5096	Process not Found
4968	Process not Found
1588	Process not Found
4824	Process not Found
3764	powershell.exe
2600	Process not Found
5832	Process not Found
4436	Process not Found
5680	Process not Found
3108	powershell.exe
4148	powershell.exe
5852	Process not Found
5964	Process not Found
716	Process not Found
380	powershell.exe
2292	Process not Found
3716	Process not Found
5396	Process not Found
3776	Process not Found
4776	Process not Found
4052	powershell.exe
6104	Process not Found
4964	Process not Found
4636	Process not Found
2140	Process not Found
4592	Process not Found
2908	Process not Found
5860	Process not Found
3692	Process not Found
5688	Process not Found
1344	powershell.exe
452	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions\IoPriority = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlc.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions\CpuPriorityClass = "4"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininit.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIADAP.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions\PagePriority = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions\IoPriority = "3"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sihost.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sihost.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fontdrvhost.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fontdrvhost.exe	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fontdrvhost.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sihost.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartMenu.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe\PerfOptions	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIADAP.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlc.exe\PerfOptions	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\PerfOptions\CpuPriorityClass = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions	reg.exe

Possible privilege escalation attempt 11 IoCs

exploit

pid	Process
5512	takeown.exe
3876	icacls.exe
3180	takeown.exe
4708	icacls.exe
2656	icacls.exe
4744	takeown.exe
3148	icacls.exe
3168	takeown.exe
2752	icacls.exe
3668	takeown.exe
4400	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\Geo\Nation	cmd.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
1100	OOSU10.exe
64	NSudoLG.exe
60	NSudoLG.exe
1228	NSudoLG.exe

Modifies file permissions 1 TTPs 11 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3168	takeown.exe
2752	icacls.exe
3180	takeown.exe
3668	takeown.exe
2656	icacls.exe
4400	icacls.exe
5512	takeown.exe
3148	icacls.exe
4708	icacls.exe
4744	takeown.exe
3876	icacls.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\E:	explorer.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
38	raw.githubusercontent.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1892	Process not Found
4484	Process not Found
5376	powercfg.exe
4488	Process not Found
3992	Process not Found
6004	Process not Found
4668	Process not Found
1168	Process not Found
2096	Process not Found
2268	Process not Found

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
1336	powershell.exe
5868	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2104	sc.exe
1932	sc.exe
5384	sc.exe
6132	sc.exe
2456	sc.exe
5368	sc.exe
4516	sc.exe
6012	sc.exe
5960	sc.exe
4812	sc.exe
3828	sc.exe
1176	sc.exe
1680	sc.exe
4468	sc.exe
5764	sc.exe
3488	sc.exe
5396	sc.exe
4076	sc.exe
5352	sc.exe
2460	sc.exe
1392	sc.exe
4380	sc.exe
1644	sc.exe
5284	sc.exe
3516	sc.exe
1244	sc.exe
3700	sc.exe
3328	sc.exe
3084	sc.exe
5928	sc.exe
5384	sc.exe
2240	sc.exe
3396	sc.exe
5832	sc.exe
5188	sc.exe
4400	sc.exe
4640	sc.exe
3068	sc.exe
3684	sc.exe
5224	sc.exe
4200	sc.exe
2272	sc.exe
4364	sc.exe
3876	sc.exe
1872	sc.exe
3884	sc.exe
832	sc.exe
4556	sc.exe
3720	sc.exe
5040	sc.exe
2272	sc.exe
5696	sc.exe
1348	sc.exe
3356	sc.exe
4296	sc.exe
1808	sc.exe
628	sc.exe
2636	sc.exe
4140	sc.exe
4400	sc.exe
3340	sc.exe
5396	sc.exe
4776	sc.exe
384	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Delays execution with timeout.exe 64 IoCs

defense_evasion

pid	Process
6084	Process not Found
2636	timeout.exe
1172	timeout.exe
3300	Process not Found
4464	Process not Found
4516	timeout.exe
60	timeout.exe
4712	timeout.exe
648	timeout.exe
2052	timeout.exe
5292	timeout.exe
1432	Process not Found
4908	Process not Found
4312	timeout.exe
4544	timeout.exe
6080	timeout.exe
1352	timeout.exe
5308	timeout.exe
1144	Process not Found
2696	Process not Found
3316	timeout.exe
2104	timeout.exe
1432	timeout.exe
5488	timeout.exe
5816	timeout.exe
4984	timeout.exe
5396	timeout.exe
1768	timeout.exe
4372	timeout.exe
3632	Process not Found
5716	timeout.exe
2412	timeout.exe
4972	timeout.exe
1476	timeout.exe
3788	timeout.exe
2736	timeout.exe
4808	timeout.exe
5688	timeout.exe
4636	timeout.exe
2952	timeout.exe
3148	Process not Found
4748	Process not Found
2660	timeout.exe
3768	timeout.exe
3252	timeout.exe
888	timeout.exe
3860	timeout.exe
4644	timeout.exe
2552	timeout.exe
2248	timeout.exe
4232	timeout.exe
6060	timeout.exe
4488	timeout.exe
2460	timeout.exe
3772	timeout.exe
5832	timeout.exe
5096	timeout.exe
664	timeout.exe
2696	Process not Found
4076	timeout.exe
5868	timeout.exe
2148	timeout.exe
3980	Process not Found
3388	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 19 IoCs

defense_evasion

pid	Process
5408	taskkill.exe
4964	taskkill.exe
564	taskkill.exe
5904	taskkill.exe
3164	taskkill.exe
2008	taskkill.exe
5664	taskkill.exe
5784	taskkill.exe
4604	taskkill.exe
3880	Process not Found
2868	taskkill.exe
5488	taskkill.exe
1212	taskkill.exe
5752	Process not Found
3760	Process not Found
5180	taskkill.exe
4900	taskkill.exe
4400	Process not Found
3932	Process not Found

Modifies Control Panel 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1"	OOSU10.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\Toolbar	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\Software\Microsoft\Internet Explorer\GPU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	Process not Found

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "80000002"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Cosimo"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Discrete;Continuous"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Hedda - German (Germany)"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "1"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Speech HW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = 49553b76dbc112bcd96e2ce32f82aa3750d88abb05779f5fac65e84c5363077e	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "11.0.2013.1022"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "40C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "40A;C0A"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Adult"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_HW_it-IT.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	OOSU10.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "MS-3082-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "56"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "HKEY_LOCAL_MACHINE/SOFTWARE\\Microsoft\\Speech_OneCore\\AudioOutput\\TokenEnums\\MMAudioOut\\"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\CLSID	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "MS-1040-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "Microsoft Haruka"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "2"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\sidubm.table"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\TTS\\en-US\\MSTTSLocenUS.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_HW_en-US.dat"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{06405088-BC01-4E08-B392-5303E75090C8}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "{0CFAE939-931E-4305-8D05-8C76C254EB34}"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-809364120-1453366396-340093129-1000\{F38492F4-A979-469F-8F6B-F16E1809D5E8}	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-809364120-1453366396-340093129-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eikK = "0"	SearchApp.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5356	reg.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6056	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	powershell.exe
2540	powershell.exe
640	powershell.exe
640	powershell.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
408	powershell.exe
408	powershell.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3164	powershell.exe
3628	taskmgr.exe
3164	powershell.exe
3628	taskmgr.exe
3832	powershell.exe
3832	powershell.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
1336	powershell.exe
1336	powershell.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
5264	powershell.exe
5264	powershell.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
2520	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3516	Process not Found
5556	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	3628	taskmgr.exe
Token: SeSystemProfilePrivilege	3628	taskmgr.exe
Token: SeCreateGlobalPrivilege	3628	taskmgr.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeBackupPrivilege	2692	vssvc.exe
Token: SeRestorePrivilege	2692	vssvc.exe
Token: SeAuditPrivilege	2692	vssvc.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	5264	powershell.exe
Token: SeBackupPrivilege	1712	srtasks.exe
Token: SeRestorePrivilege	1712	srtasks.exe
Token: SeSecurityPrivilege	1712	srtasks.exe
Token: SeTakeOwnershipPrivilege	1712	srtasks.exe
Token: SeBackupPrivilege	1712	srtasks.exe
Token: SeRestorePrivilege	1712	srtasks.exe
Token: SeSecurityPrivilege	1712	srtasks.exe
Token: SeTakeOwnershipPrivilege	1712	srtasks.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeShutdownPrivilege	5376	powercfg.exe
Token: SeCreatePagefilePrivilege	5376	powercfg.exe
Token: SeShutdownPrivilege	5376	powercfg.exe
Token: SeCreatePagefilePrivilege	5376	powercfg.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeIncreaseQuotaPrivilege	3484	powershell.exe
Token: SeSecurityPrivilege	3484	powershell.exe
Token: SeTakeOwnershipPrivilege	3484	powershell.exe
Token: SeLoadDriverPrivilege	3484	powershell.exe
Token: SeSystemProfilePrivilege	3484	powershell.exe
Token: SeSystemtimePrivilege	3484	powershell.exe
Token: SeProfSingleProcessPrivilege	3484	powershell.exe
Token: SeIncBasePriorityPrivilege	3484	powershell.exe
Token: SeCreatePagefilePrivilege	3484	powershell.exe
Token: SeBackupPrivilege	3484	powershell.exe
Token: SeRestorePrivilege	3484	powershell.exe
Token: SeShutdownPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeSystemEnvironmentPrivilege	3484	powershell.exe
Token: SeRemoteShutdownPrivilege	3484	powershell.exe
Token: SeUndockPrivilege	3484	powershell.exe
Token: SeManageVolumePrivilege	3484	powershell.exe
Token: 33	3484	powershell.exe
Token: 34	3484	powershell.exe
Token: 35	3484	powershell.exe
Token: 36	3484	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	5408	taskkill.exe
Token: SeDebugPrivilege	5868	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeIncreaseQuotaPrivilege	3992	powershell.exe
Token: SeSecurityPrivilege	3992	powershell.exe
Token: SeTakeOwnershipPrivilege	3992	powershell.exe
Token: SeLoadDriverPrivilege	3992	powershell.exe
Token: SeSystemProfilePrivilege	3992	powershell.exe
Token: SeSystemtimePrivilege	3992	powershell.exe
Token: SeProfSingleProcessPrivilege	3992	powershell.exe
Token: SeIncBasePriorityPrivilege	3992	powershell.exe
Token: SeCreatePagefilePrivilege	3992	powershell.exe
Token: SeBackupPrivilege	3992	powershell.exe
Token: SeRestorePrivilege	3992	powershell.exe
Token: SeShutdownPrivilege	3992	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe
3628	taskmgr.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
232	StartMenuExperienceHost.exe
756	TextInputHost.exe
756	TextInputHost.exe
2604	SearchApp.exe
3344	TextInputHost.exe
3712	StartMenuExperienceHost.exe
3344	TextInputHost.exe
2480	SearchApp.exe
6088	StartMenuExperienceHost.exe
5800	TextInputHost.exe
5800	TextInputHost.exe
2360	SearchApp.exe
6104	explorer.exe
4896	Process not Found
5320	Process not Found
5320	Process not Found
3748	Process not Found
3544	Process not Found
4168	Process not Found
400	Process not Found
4168	Process not Found
4928	Process not Found
4852	Process not Found
3532	Process not Found
3532	Process not Found
664	Process not Found
5056	Process not Found
2404	Process not Found
4216	Process not Found
2404	Process not Found
2036	Process not Found
3516	Process not Found
3216	Process not Found
5116	Process not Found
3216	Process not Found
3592	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 600	4764	cmd.exe	83
PID 4764 wrote to memory of 600	4764	cmd.exe	83
PID 4764 wrote to memory of 2500	4764	cmd.exe	84
PID 4764 wrote to memory of 2500	4764	cmd.exe	84
PID 2500 wrote to memory of 2820	2500	cmd.exe	85
PID 2500 wrote to memory of 2820	2500	cmd.exe	85
PID 2500 wrote to memory of 4744	2500	cmd.exe	86
PID 2500 wrote to memory of 4744	2500	cmd.exe	86
PID 4764 wrote to memory of 2540	4764	cmd.exe	87
PID 4764 wrote to memory of 2540	4764	cmd.exe	87
PID 4764 wrote to memory of 640	4764	cmd.exe	88
PID 4764 wrote to memory of 640	4764	cmd.exe	88
PID 4764 wrote to memory of 1312	4764	cmd.exe	98
PID 4764 wrote to memory of 1312	4764	cmd.exe	98
PID 4764 wrote to memory of 1856	4764	cmd.exe	99
PID 4764 wrote to memory of 1856	4764	cmd.exe	99
PID 4764 wrote to memory of 2304	4764	cmd.exe	100
PID 4764 wrote to memory of 2304	4764	cmd.exe	100
PID 4764 wrote to memory of 5664	4764	cmd.exe	101
PID 4764 wrote to memory of 5664	4764	cmd.exe	101
PID 4764 wrote to memory of 5876	4764	cmd.exe	102
PID 4764 wrote to memory of 5876	4764	cmd.exe	102
PID 4764 wrote to memory of 3760	4764	cmd.exe	103
PID 4764 wrote to memory of 3760	4764	cmd.exe	103
PID 4764 wrote to memory of 5168	4764	cmd.exe	104
PID 4764 wrote to memory of 5168	4764	cmd.exe	104
PID 4764 wrote to memory of 4640	4764	cmd.exe	105
PID 4764 wrote to memory of 4640	4764	cmd.exe	105
PID 4764 wrote to memory of 5300	4764	cmd.exe	106
PID 4764 wrote to memory of 5300	4764	cmd.exe	106
PID 4764 wrote to memory of 2472	4764	cmd.exe	107
PID 4764 wrote to memory of 2472	4764	cmd.exe	107
PID 4764 wrote to memory of 3316	4764	cmd.exe	108
PID 4764 wrote to memory of 3316	4764	cmd.exe	108
PID 4764 wrote to memory of 444	4764	cmd.exe	109
PID 4764 wrote to memory of 444	4764	cmd.exe	109
PID 4764 wrote to memory of 1068	4764	cmd.exe	110
PID 4764 wrote to memory of 1068	4764	cmd.exe	110
PID 4764 wrote to memory of 408	4764	cmd.exe	111
PID 4764 wrote to memory of 408	4764	cmd.exe	111
PID 4764 wrote to memory of 3164	4764	cmd.exe	112
PID 4764 wrote to memory of 3164	4764	cmd.exe	112
PID 4764 wrote to memory of 1720	4764	cmd.exe	114
PID 4764 wrote to memory of 1720	4764	cmd.exe	114
PID 4764 wrote to memory of 2976	4764	cmd.exe	115
PID 4764 wrote to memory of 2976	4764	cmd.exe	115
PID 4764 wrote to memory of 3196	4764	cmd.exe	116
PID 4764 wrote to memory of 3196	4764	cmd.exe	116
PID 4764 wrote to memory of 2552	4764	cmd.exe	117
PID 4764 wrote to memory of 2552	4764	cmd.exe	117
PID 4764 wrote to memory of 3832	4764	cmd.exe	118
PID 4764 wrote to memory of 3832	4764	cmd.exe	118
PID 4764 wrote to memory of 4488	4764	cmd.exe	125
PID 4764 wrote to memory of 4488	4764	cmd.exe	125
PID 4764 wrote to memory of 2880	4764	cmd.exe	126
PID 4764 wrote to memory of 2880	4764	cmd.exe	126
PID 4764 wrote to memory of 4516	4764	cmd.exe	127
PID 4764 wrote to memory of 4516	4764	cmd.exe	127
PID 4764 wrote to memory of 1892	4764	cmd.exe	128
PID 4764 wrote to memory of 1892	4764	cmd.exe	128
PID 4764 wrote to memory of 5892	4764	cmd.exe	129
PID 4764 wrote to memory of 5892	4764	cmd.exe	129
PID 4764 wrote to memory of 1808	4764	cmd.exe	130
PID 4764 wrote to memory of 1808	4764	cmd.exe	130

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0"	OOSU10.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1"	OOSU10.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

cURL User-Agent 2 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	27	curl/8.7.1
HTTP User-Agent header	38	curl/8.7.1

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Oneclick-V7.0.bat"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild" 2>nul | findstr "REG_SZ"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"
    3⤵
    PID:2820
- - C:\Windows\system32\findstr.exe
    findstr "REG_SZ"
    3⤵
    PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Windows 11 not detected, we recommend running *Win 11 22H2 or 23H2* for the best results' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Although this doesn''t mean you have to use Win 11.' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\system32\sc.exe
  sc qc "TrustedInstaller"
  2⤵
  PID:1312
- C:\Windows\system32\find.exe
  find "START_TYPE"
  2⤵
  PID:1856
- C:\Windows\system32\find.exe
  find "DISABLED"
  2⤵
  PID:2304
- C:\Windows\system32\curl.exe
  curl -s -L "https://github.com/QuakedK/Oneclick/raw/refs/heads/main/Downloads/OneclickTools.zip" -o "C:\\Oneclick Tools.zip"
  2⤵
  PID:5664
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5876
- C:\Windows\system32\tar.exe
  tar -xf "C:\\Oneclick Tools.zip" --strip-components=1
  2⤵
  PID:3760
- C:\Windows\system32\sc.exe
  sc query "WinDefend"
  2⤵
  PID:5168
- C:\Windows\system32\find.exe
  find "STATE"
  2⤵
  PID:4640
- C:\Windows\system32\find.exe
  find "RUNNING"
  2⤵
  PID:5300
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2472
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3316
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:444
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Recommended!' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:1720
- C:\Windows\system32\reg.exe
  reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:2976
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:3196
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Checkpoint-Computer -Description 'OneClick V7.0 Restore Point'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:4488
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2880
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4516
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1892
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /t REG_DWORD /d 0 /f
  2⤵
  PID:5892
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "PublishUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:1808
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "UploadUserActivities" /t REG_DWORD /d 0 /f
  2⤵
  PID:236
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\location" /v "Value" /t REG_SZ /d "Deny" /f
  2⤵
  PID:3708
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Sensor\Overrides\{BFA794E4-F964-4FDB-90F6-51056BFE4B44}" /v "SensorPermissionState" /t REG_DWORD /d 0 /f
  2⤵
  PID:2648
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\lfsvc\Service\Configuration" /v "Status" /t REG_DWORD /d 0 /f
  2⤵
  PID:628
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\Maps" /v "AutoUpdateEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:4876
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3252
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:4392
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2952
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Remove-Item -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\StorageSense\Parameters\StoragePolicy' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2736
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v Flags /t REG_SZ /d 506 /f
  2⤵
  PID:1788
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2104
- C:\Windows\system32\reg.exe
  reg.exe add "HKU\.DEFAULT\Control Panel\Keyboard" /v InitialKeyboardIndicators /t REG_DWORD /d 80000002 /f
  2⤵
  - Modifies data under HKEY_USERS
  PID:3700
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "New-Item -Path 'HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}' -Name 'InprocServer32' -Force -Value ''"
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5264
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4312
- C:\Windows\system32\reg.exe
  reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d 0 /f
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:1644
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:1860
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f
  2⤵
  PID:784
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3388
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v TaskbarDa /t REG_DWORD /d 0 /f
  2⤵
  PID:5380
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4076
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "DragFullWindows" /t REG_SZ /d "0" /f
  2⤵
  PID:1308
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "200" /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop\WindowMetrics" /v "MinAnimate" /t REG_SZ /d "0" /f
  2⤵
  PID:4984
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Keyboard" /v "KeyboardDelay" /t REG_DWORD /d 0 /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d 0 /f
  2⤵
  PID:5008
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d 0 /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d 0 /f
  2⤵
  PID:4360
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d 3 /f
  2⤵
  PID:1992
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d 0 /f
  2⤵
  PID:2200
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d 0 /f
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarDa" /t REG_DWORD /d 0 /f
  2⤵
  PID:4084
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d 0 /f
  2⤵
  PID:4032
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name 'UserPreferencesMask' -Type Binary -Value ([byte[]](144,18,3,128,16,0,0,0))"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_FSEBehavior /t REG_DWORD /d 2 /f
  2⤵
  PID:1224
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4296
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_DXGIHonorFSEWindowsCompatible /t REG_DWORD /d 1 /f
  2⤵
  PID:5708
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_HonorUserFSEBehaviorMode /t REG_DWORD /d 1 /f
  2⤵
  PID:4656
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v GameDVR_EFSEFeatureFlags /t REG_DWORD /d 0 /f
  2⤵
  PID:4380
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
  2⤵
  PID:5216
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v BingSearchEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4636
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2412
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d 0 /f
  2⤵
  PID:6100
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:3524
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3772
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers" /v "HwSchMode" /t REG_DWORD /d 2 /f
  2⤵
  PID:2240
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:60
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize /v EnableTransparency /t REG_DWORD /d 0 /f
  2⤵
  - Modifies registry key
  PID:5356
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4712
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseSpeed /t REG_SZ /d 0 /f
  2⤵
  PID:1320
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold1 /t REG_SZ /d 0 /f
  2⤵
  PID:5132
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseThreshold2 /t REG_SZ /d 0 /f
  2⤵
  PID:1752
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5688
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Power" /v HibernateEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5592
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FlyoutMenuSettings" /v ShowHibernateOption /t REG_DWORD /d 0 /f
  2⤵
  PID:4028
- C:\Windows\system32\powercfg.exe
  powercfg.exe /hibernate off
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5376
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5832
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  - Launches sc.exe
  PID:1680
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  - Launches sc.exe
  PID:4468
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5868
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:1008
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "Value" /t REG_DWORD /d 0 /f
  2⤵
  PID:3176
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5488
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 1 /f
  2⤵
  PID:1112
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2636
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d 255 /f
  2⤵
  PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /f /v EnableLUA /t REG_DWORD /d 0
  2⤵
  - UAC bypass
  PID:2712
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2660
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4348
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4544
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:4444
- C:\Windows\system32\sc.exe
  sc config ALG start=demand
  2⤵
  PID:3884
- C:\Windows\system32\sc.exe
  sc config AppIDSvc start=demand
  2⤵
  PID:6004
- C:\Windows\system32\sc.exe
  sc config AppMgmt start=demand
  2⤵
  PID:2744
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=demand
  2⤵
  PID:1932
- C:\Windows\system32\sc.exe
  sc config AppVClient start=disabled
  2⤵
  PID:5912
- C:\Windows\system32\sc.exe
  sc config AppXSvc start=demand
  2⤵
  PID:2500
- C:\Windows\system32\sc.exe
  sc config Appinfo start=demand
  2⤵
  - Launches sc.exe
  PID:4400
- C:\Windows\system32\sc.exe
  sc config AssignedAccessManagerSvc start=disabled
  2⤵
  PID:1172
- C:\Windows\system32\sc.exe
  sc config AudioEndpointBuilder start=auto
  2⤵
  PID:1988
- C:\Windows\system32\sc.exe
  sc config AudioSrv start=auto
  2⤵
  PID:3740
- C:\Windows\system32\sc.exe
  sc config Audiosrv start=auto
  2⤵
  PID:4436
- C:\Windows\system32\sc.exe
  sc config AxInstSV start=demand
  2⤵
  PID:5512
- C:\Windows\system32\sc.exe
  sc config BDESVC start=demand
  2⤵
  PID:5348
- C:\Windows\system32\sc.exe
  sc config BFE start=auto
  2⤵
  PID:5188
- C:\Windows\system32\sc.exe
  sc config BITS start=delayed-auto
  2⤵
  PID:1192
- C:\Windows\system32\sc.exe
  sc config BTAGService start=demand
  2⤵
  PID:5344
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:384
- C:\Windows\system32\sc.exe
  sc config BluetoothUserService_dc2a4 start=demand
  2⤵
  PID:3640
- C:\Windows\system32\sc.exe
  sc config BrokerInfrastructure start=auto
  2⤵
  PID:3684
- C:\Windows\system32\sc.exe
  sc config Browser start=demand
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=auto
  2⤵
  PID:692
- C:\Windows\system32\sc.exe
  sc config BthHFSrv start=auto
  2⤵
  PID:5316
- C:\Windows\system32\sc.exe
  sc config CDPSvc start=demand
  2⤵
  PID:1800
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc_dc2a4 start=auto
  2⤵
  PID:5860
- C:\Windows\system32\sc.exe
  sc config COMSysApp start=demand
  2⤵
  PID:4472
- C:\Windows\system32\sc.exe
  sc config CaptureService_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:3396
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=demand
  2⤵
  PID:2904
- C:\Windows\system32\sc.exe
  sc config ClipSVC start=demand
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config ConsentUxUserSvc_dc2a4 start=demand
  2⤵
  PID:648
- C:\Windows\system32\sc.exe
  sc config CoreMessagingRegistrar start=auto
  2⤵
  - Launches sc.exe
  PID:1244
- C:\Windows\system32\sc.exe
  sc config CredentialEnrollmentManagerUserSvc_dc2a4 start=demand
  2⤵
  PID:5768
- C:\Windows\system32\sc.exe
  sc config CryptSvc start=auto
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config CscService start=demand
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config DPS start=auto
  2⤵
  - Launches sc.exe
  PID:2104
- C:\Windows\system32\sc.exe
  sc config DcomLaunch start=auto
  2⤵
  - Launches sc.exe
  PID:3700
- C:\Windows\system32\sc.exe
  sc config DcpSvc start=demand
  2⤵
  PID:5956
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start=demand
  2⤵
  PID:1212
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationBrokerSvc_dc2a4 start=demand
  2⤵
  PID:4900
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=demand
  2⤵
  PID:3304
- C:\Windows\system32\sc.exe
  sc config DeviceInstall start=demand
  2⤵
  PID:3752
- C:\Windows\system32\sc.exe
  sc config DevicePickerUserSvc_dc2a4 start=demand
  2⤵
  PID:3292
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_dc2a4 start=demand
  2⤵
  PID:1504
- C:\Windows\system32\sc.exe
  sc config Dhcp start=auto
  2⤵
  PID:112
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:5264
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start=disabled
  2⤵
  PID:4312
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start=auto
  2⤵
  - Launches sc.exe
  PID:1644
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start=demand
  2⤵
  PID:1860
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=demand
  2⤵
  PID:784
- C:\Windows\system32\sc.exe
  sc config Dnscache start=auto
  2⤵
  PID:5960
- C:\Windows\system32\sc.exe
  sc config DoSvc start=delayed-auto
  2⤵
  PID:2664
- C:\Windows\system32\sc.exe
  sc config DsSvc start=demand
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config DsmSvc start=demand
  2⤵
  PID:2748
- C:\Windows\system32\sc.exe
  sc config DusmSvc start=auto
  2⤵
  PID:640
- C:\Windows\system32\sc.exe
  sc config EFS start=demand
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc config EapHost start=demand
  2⤵
  - Launches sc.exe
  PID:4076
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=demand
  2⤵
  PID:4644
- C:\Windows\system32\sc.exe
  sc config EventLog start=auto
  2⤵
  PID:3068
- C:\Windows\system32\sc.exe
  sc config EventSystem start=auto
  2⤵
  PID:5804
- C:\Windows\system32\sc.exe
  sc config FDResPub start=demand
  2⤵
  PID:4200
- C:\Windows\system32\sc.exe
  sc config Fax start=demand
  2⤵
  - Launches sc.exe
  PID:2272
- C:\Windows\system32\sc.exe
  sc config FontCache start=auto
  2⤵
  PID:5088
- C:\Windows\system32\sc.exe
  sc config FrameServer start=demand
  2⤵
  PID:3140
- C:\Windows\system32\sc.exe
  sc config FrameServerMonitor start=demand
  2⤵
  PID:5816
- C:\Windows\system32\sc.exe
  sc config GraphicsPerfSvc start=demand
  2⤵
  PID:952
- C:\Windows\system32\sc.exe
  sc config HomeGroupListener start=demand
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config HomeGroupProvider start=demand
  2⤵
  - Launches sc.exe
  PID:3356
- C:\Windows\system32\sc.exe
  sc config HvHost start=demand
  2⤵
  PID:5724
- C:\Windows\system32\sc.exe
  sc config IEEtwCollectorService start=demand
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc config IKEEXT start=demand
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc config InstallService start=demand
  2⤵
  PID:5808
- C:\Windows\system32\sc.exe
  sc config InventorySvc start=demand
  2⤵
  PID:1912
- C:\Windows\system32\sc.exe
  sc config IpxlatCfgSvc start=demand
  2⤵
  PID:5240
- C:\Windows\system32\sc.exe
  sc config KeyIso start=auto
  2⤵
  - Launches sc.exe
  PID:5224
- C:\Windows\system32\sc.exe
  sc config KtmRm start=demand
  2⤵
  PID:232
- C:\Windows\system32\sc.exe
  sc config LSM start=auto
  2⤵
  PID:2520
- C:\Windows\system32\sc.exe
  sc config LanmanServer start=auto
  2⤵
  PID:2588
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start=auto
  2⤵
  PID:1224
- C:\Windows\system32\sc.exe
  sc config LicenseManager start=demand
  2⤵
  - Launches sc.exe
  PID:4296
- C:\Windows\system32\sc.exe
  sc config LxpSvc start=demand
  2⤵
  PID:5708
- C:\Windows\system32\sc.exe
  sc config MSDTC start=disabled
  2⤵
  PID:4656
- C:\Windows\system32\sc.exe
  sc config MSiSCSI start=demand
  2⤵
  PID:4380
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=delayed-auto
  2⤵
  PID:5216
- C:\Windows\system32\sc.exe
  sc config McpManagementService start=demand
  2⤵
  PID:4636
- C:\Windows\system32\sc.exe
  sc config MessagingService_dc2a4 start=demand
  2⤵
  - Launches sc.exe
  PID:5284
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start=demand
  2⤵
  PID:5992
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start=demand
  2⤵
  PID:396
- C:\Windows\system32\sc.exe
  sc config MpsSvc start=auto
  2⤵
  PID:1760
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start=demand
  2⤵
  PID:3652
- C:\Windows\system32\sc.exe
  sc config NPSMSvc_dc2a4 start=demand
  2⤵
  PID:688
- C:\Windows\system32\sc.exe
  sc config NaturalAuthentication start=demand
  2⤵
  PID:2044
- C:\Windows\system32\sc.exe
  sc config NcaSvc start=demand
  2⤵
  PID:5720
- C:\Windows\system32\sc.exe
  sc config NcbService start=demand
  2⤵
  PID:5276
- C:\Windows\system32\sc.exe
  sc config NcdAutoSetup start=demand
  2⤵
  PID:408
- C:\Windows\system32\sc.exe
  sc config NetSetupSvc start=demand
  2⤵
  PID:5364
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start=disabled
  2⤵
  PID:2716
- C:\Windows\system32\sc.exe
  sc config Netlogon start=demand
  2⤵
  PID:5688
- C:\Windows\system32\sc.exe
  sc config Netman start=demand
  2⤵
  PID:5592
- C:\Windows\system32\sc.exe
  sc config NgcCtnrSvc start=demand
  2⤵
  PID:5568
- C:\Windows\system32\sc.exe
  sc config NgcSvc start=demand
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config NlaSvc start=demand
  2⤵
  PID:2396
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_dc2a4 start=auto
  2⤵
  PID:2140
- C:\Windows\system32\sc.exe
  sc config P9RdrService_dc2a4 start=demand
  2⤵
  PID:3532
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=demand
  2⤵
  PID:2976
- C:\Windows\system32\sc.exe
  sc config PNRPsvc start=demand
  2⤵
  PID:3012
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=demand
  2⤵
  PID:5320
- C:\Windows\system32\sc.exe
  sc config PeerDistSvc start=demand
  2⤵
  PID:3480
- C:\Windows\system32\sc.exe
  sc config PenService_dc2a4 start=demand
  2⤵
  PID:1700
- C:\Windows\system32\sc.exe
  sc config PerfHost start=demand
  2⤵
  PID:1552
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=demand
  2⤵
  PID:3244
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_dc2a4 start=demand
  2⤵
  PID:4720
- C:\Windows\system32\sc.exe
  sc config PlugPlay start=demand
  2⤵
  - Launches sc.exe
  PID:5764
- C:\Windows\system32\sc.exe
  sc config PolicyAgent start=demand
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc config Power start=auto
  2⤵
  PID:5468
- C:\Windows\system32\sc.exe
  sc config PrintNotify start=demand
  2⤵
  PID:4768
- C:\Windows\system32\sc.exe
  sc config PrintWorkflowUserSvc_dc2a4 start=demand
  2⤵
  PID:4156
- C:\Windows\system32\sc.exe
  sc config ProfSvc start=auto
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc config PushToInstall start=demand
  2⤵
  PID:1396
- C:\Windows\system32\sc.exe
  sc config QWAVE start=demand
  2⤵
  PID:3880
- C:\Windows\system32\sc.exe
  sc config RasAuto start=demand
  2⤵
  PID:5632
- C:\Windows\system32\sc.exe
  sc config RasMan start=demand
  2⤵
  PID:3484
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start=disabled
  2⤵
  PID:4848
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:2640
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=demand
  2⤵
  PID:2712
- C:\Windows\system32\sc.exe
  sc config RmSvc start=demand
  2⤵
  PID:1304
- C:\Windows\system32\sc.exe
  sc config RpcEptMapper start=auto
  2⤵
  PID:5092
- C:\Windows\system32\sc.exe
  sc config RpcLocator start=demand
  2⤵
  - Launches sc.exe
  PID:4812
- C:\Windows\system32\sc.exe
  sc config RpcSs start=auto
  2⤵
  PID:1516
- C:\Windows\system32\sc.exe
  sc config SCPolicySvc start=demand
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=demand
  2⤵
  PID:4972
- C:\Windows\system32\sc.exe
  sc config SDRSVC start=demand
  2⤵
  - Launches sc.exe
  PID:4516
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=demand
  2⤵
  PID:1892
- C:\Windows\system32\sc.exe
  sc config SENS start=auto
  2⤵
  PID:116
- C:\Windows\system32\sc.exe
  sc config SNMPTRAP start=demand
  2⤵
  - Launches sc.exe
  PID:1808
- C:\Windows\system32\sc.exe
  sc config SNMPTrap start=demand
  2⤵
  PID:5596
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start=demand
  2⤵
  PID:4684
- C:\Windows\system32\sc.exe
  sc config SamSs start=auto
  2⤵
  PID:5936
- C:\Windows\system32\sc.exe
  sc config ScDeviceEnum start=demand
  2⤵
  PID:4432
- C:\Windows\system32\sc.exe
  sc config Schedule start=auto
  2⤵
  PID:3708
- C:\Windows\system32\sc.exe
  sc config SecurityHealthService start=demand
  2⤵
  PID:2648
- C:\Windows\system32\sc.exe
  sc config Sense start=demand
  2⤵
  - Launches sc.exe
  PID:628
- C:\Windows\system32\sc.exe
  sc config SensorDataService start=demand
  2⤵
  PID:4876
- C:\Windows\system32\sc.exe
  sc config SensorService start=demand
  2⤵
  PID:2960
- C:\Windows\system32\sc.exe
  sc config SensrSvc start=demand
  2⤵
  PID:1548
- C:\Windows\system32\sc.exe
  sc config SessionEnv start=demand
  2⤵
  PID:4068
- C:\Windows\system32\sc.exe
  sc config SgrmBroker start=auto
  2⤵
  PID:2456
- C:\Windows\system32\sc.exe
  sc config SharedAccess start=demand
  2⤵
  PID:2968
- C:\Windows\system32\sc.exe
  sc config SharedRealitySvc start=demand
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start=auto
  2⤵
  PID:2360
- C:\Windows\system32\sc.exe
  sc config SmsRouter start=demand
  2⤵
  PID:3312
- C:\Windows\system32\sc.exe
  sc config Spooler start=auto
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=demand
  2⤵
  PID:1168
- C:\Windows\system32\sc.exe
  sc config StateRepository start=demand
  2⤵
  PID:4248
- C:\Windows\system32\sc.exe
  sc config StiSvc start=demand
  2⤵
  PID:3116
- C:\Windows\system32\sc.exe
  sc config StorSvc start=demand
  2⤵
  PID:3168
- C:\Windows\system32\sc.exe
  sc config SysMain start=auto
  2⤵
  PID:2752
- C:\Windows\system32\sc.exe
  sc config SystemEventsBroker start=auto
  2⤵
  PID:3768
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=demand
  2⤵
  PID:2008
- C:\Windows\system32\sc.exe
  sc config TapiSrv start=demand
  2⤵
  PID:2024
- C:\Windows\system32\sc.exe
  sc config TermService start=auto
  2⤵
  PID:948
- C:\Windows\system32\sc.exe
  sc config TextInputManagementService start=demand
  2⤵
  PID:4176
- C:\Windows\system32\sc.exe
  sc config Themes start=auto
  2⤵
  PID:4424
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=demand
  2⤵
  PID:3064
- C:\Windows\system32\sc.exe
  sc config TimeBroker start=demand
  2⤵
  PID:4512
- C:\Windows\system32\sc.exe
  sc config TimeBrokerSvc start=demand
  2⤵
  PID:1124
- C:\Windows\system32\sc.exe
  sc config TokenBroker start=demand
  2⤵
  PID:3848
- C:\Windows\system32\sc.exe
  sc config TrkWks start=auto
  2⤵
  PID:3108
- C:\Windows\system32\sc.exe
  sc config TroubleshootingSvc start=demand
  2⤵
  PID:3964
- C:\Windows\system32\sc.exe
  sc config TrustedInstaller start=demand
  2⤵
  PID:3092
- C:\Windows\system32\sc.exe
  sc config UI0Detect start=demand
  2⤵
  PID:324
- C:\Windows\system32\sc.exe
  sc config UdkUserSvc_dc2a4 start=demand
  2⤵
  PID:3712
- C:\Windows\system32\sc.exe
  sc config UevAgentService start=disabled
  2⤵
  PID:516
- C:\Windows\system32\sc.exe
  sc config UmRdpService start=demand
  2⤵
  PID:4648
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc_dc2a4 start=demand
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc config UserDataSvc_dc2a4 start=demand
  2⤵
  PID:8
- C:\Windows\system32\sc.exe
  sc config UserManager start=auto
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc config UsoSvc start=demand
  2⤵
  PID:5716
- C:\Windows\system32\sc.exe
  sc config VGAuthService start=auto
  2⤵
  - Launches sc.exe
  PID:3488
- C:\Windows\system32\sc.exe
  sc config VMTools start=auto
  2⤵
  PID:968
- C:\Windows\system32\sc.exe
  sc config VSS start=demand
  2⤵
  PID:4196
- C:\Windows\system32\sc.exe
  sc config VacSvc start=demand
  2⤵
  PID:3648
- C:\Windows\system32\sc.exe
  sc config VaultSvc start=auto
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config W32Time start=demand
  2⤵
  PID:3180
- C:\Windows\system32\sc.exe
  sc config WEPHOSTSVC start=demand
  2⤵
  PID:1040
- C:\Windows\system32\sc.exe
  sc config WFDSConMgrSvc start=demand
  2⤵
  - Launches sc.exe
  PID:5696
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=demand
  2⤵
  PID:2332
- C:\Windows\system32\sc.exe
  sc config WManSvc start=demand
  2⤵
  PID:4492
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start=demand
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  sc config WSService start=demand
  2⤵
  PID:536
- C:\Windows\system32\sc.exe
  sc config WSearch start=delayed-auto
  2⤵
  PID:2200
- C:\Windows\system32\sc.exe
  sc config WaaSMedicSvc start=demand
  2⤵
  PID:3824
- C:\Windows\system32\sc.exe
  sc config WalletService start=demand
  2⤵
  PID:4932
- C:\Windows\system32\sc.exe
  sc config WarpJITSvc start=demand
  2⤵
  PID:5244
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=demand
  2⤵
  - Launches sc.exe
  PID:5396
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start=auto
  2⤵
  PID:5248
- C:\Windows\system32\sc.exe
  sc config WcsPlugInService start=demand
  2⤵
  PID:5140
- C:\Windows\system32\sc.exe
  sc config WdNisSvc start=demand
  2⤵
  PID:1312
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=demand
  2⤵
  - Launches sc.exe
  PID:1872
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=demand
  2⤵
  PID:2304
- C:\Windows\system32\sc.exe
  sc config WebClient start=demand
  2⤵
  PID:832
- C:\Windows\system32\sc.exe
  sc config Wecsvc start=demand
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config WerSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3340
- C:\Windows\system32\sc.exe
  sc config WiaRpc start=demand
  2⤵
  PID:5136
- C:\Windows\system32\sc.exe
  sc config WinDefend start=auto
  2⤵
  PID:5148
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start=demand
  2⤵
  - Launches sc.exe
  PID:3328
- C:\Windows\system32\sc.exe
  sc config WinRM start=demand
  2⤵
  PID:4652
- C:\Windows\system32\sc.exe
  sc config Winmgmt start=auto
  2⤵
  PID:756
- C:\Windows\system32\sc.exe
  sc config WlanSvc start=auto
  2⤵
  PID:5836
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=demand
  2⤵
  PID:380
- C:\Windows\system32\sc.exe
  sc config WpnService start=demand
  2⤵
  PID:4640
- C:\Windows\system32\sc.exe
  sc config WpnUserService_dc2a4 start=auto
  2⤵
  PID:404
- C:\Windows\system32\sc.exe
  sc config WwanSvc start=demand
  2⤵
  PID:2524
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=demand
  2⤵
  PID:2120
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=demand
  2⤵
  PID:444
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start=demand
  2⤵
  PID:3772
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=demand
  2⤵
  - Launches sc.exe
  PID:3516
- C:\Windows\system32\sc.exe
  sc config autotimesvc start=demand
  2⤵
  PID:60
- C:\Windows\system32\sc.exe
  sc config bthserv start=demand
  2⤵
  PID:1756
- C:\Windows\system32\sc.exe
  sc config camsvc start=demand
  2⤵
  PID:1864
- C:\Windows\system32\sc.exe
  sc config cbdhsvc_dc2a4 start=demand
  2⤵
  PID:1524
- C:\Windows\system32\sc.exe
  sc config cloudidsvc start=demand
  2⤵
  - Launches sc.exe
  PID:5352
- C:\Windows\system32\sc.exe
  sc config dcsvc start=demand
  2⤵
  PID:4584
- C:\Windows\system32\sc.exe
  sc config defragsvc start=demand
  2⤵
  PID:1740
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=demand
  2⤵
  PID:3052
- C:\Windows\system32\sc.exe
  sc config diagsvc start=demand
  2⤵
  PID:4332
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start=demand
  2⤵
  PID:4028
- C:\Windows\system32\sc.exe
  sc config dot3svc start=demand
  2⤵
  PID:5376
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=demand
  2⤵
  - Launches sc.exe
  PID:5832
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=demand
  2⤵
  PID:1572
- C:\Windows\system32\sc.exe
  sc config embeddedmode start=demand
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc config fdPHost start=demand
  2⤵
  PID:2556
- C:\Windows\system32\sc.exe
  sc config fhsvc start=demand
  2⤵
  PID:3196
- C:\Windows\system32\sc.exe
  sc config gpsvc start=auto
  2⤵
  PID:2552
- C:\Windows\system32\sc.exe
  sc config hidserv start=demand
  2⤵
  PID:2068
- C:\Windows\system32\sc.exe
  sc config icssvc start=demand
  2⤵
  PID:5488
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=auto
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc config lfsvc start=demand
  2⤵
  - Launches sc.exe
  PID:2636
- C:\Windows\system32\sc.exe
  sc config lltdsvc start=demand
  2⤵
  PID:3992
- C:\Windows\system32\sc.exe
  sc config lmhosts start=demand
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config mpssvc start=auto
  2⤵
  PID:5732
- C:\Windows\system32\sc.exe
  sc config msiserver start=demand
  2⤵
  PID:5332
- C:\Windows\system32\sc.exe
  sc config netprofm start=demand
  2⤵
  PID:4536
- C:\Windows\system32\sc.exe
  sc config nsi start=auto
  2⤵
  PID:5648
- C:\Windows\system32\sc.exe
  sc config p2pimsvc start=demand
  2⤵
  PID:2788
- C:\Windows\system32\sc.exe
  sc config p2psvc start=demand
  2⤵
  - Launches sc.exe
  PID:3720
- C:\Windows\system32\sc.exe
  sc config perceptionsimulation start=demand
  2⤵
  - Launches sc.exe
  PID:1348
- C:\Windows\system32\sc.exe
  sc config pla start=demand
  2⤵
  PID:3272
- C:\Windows\system32\sc.exe
  sc config seclogon start=demand
  2⤵
  PID:5000
- C:\Windows\system32\sc.exe
  sc config shpamsvc start=disabled
  2⤵
  PID:3348
- C:\Windows\system32\sc.exe
  sc config smphost start=disabled
  2⤵
  PID:4592
- C:\Windows\system32\sc.exe
  sc config spectrum start=demand
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc config sppsvc start=delayed-auto
  2⤵
  PID:2660
- C:\Windows\system32\sc.exe
  sc config ssh-agent start=disabled
  2⤵
  PID:4348
- C:\Windows\system32\sc.exe
  sc config svsvc start=demand
  2⤵
  PID:4544
- C:\Windows\system32\sc.exe
  sc config swprv start=demand
  2⤵
  PID:4444
- C:\Windows\system32\sc.exe
  sc config tiledatamodelsvc start=auto
  2⤵
  - Launches sc.exe
  PID:3884
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start=disabled
  2⤵
  PID:6004
- C:\Windows\system32\sc.exe
  sc config uhssvc start=disabled
  2⤵
  PID:2744
- C:\Windows\system32\sc.exe
  sc config upnphost start=demand
  2⤵
  - Launches sc.exe
  PID:1932
- C:\Windows\system32\sc.exe
  sc config vds start=demand
  2⤵
  PID:5912
- C:\Windows\system32\sc.exe
  sc config vm3dservice start=demand
  2⤵
  PID:2500
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=demand
  2⤵
  PID:4400
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=demand
  2⤵
  PID:1172
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=demand
  2⤵
  PID:1988
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=demand
  2⤵
  PID:3740
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=demand
  2⤵
  PID:4436
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=demand
  2⤵
  PID:5512
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=demand
  2⤵
  PID:5348
- C:\Windows\system32\sc.exe
  sc config vmicvss start=demand
  2⤵
  - Launches sc.exe
  PID:5188
- C:\Windows\system32\sc.exe
  sc config vmvss start=demand
  2⤵
  PID:1192
- C:\Windows\system32\sc.exe
  sc config wbengine start=demand
  2⤵
  PID:5344
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=demand
  2⤵
  PID:384
- C:\Windows\system32\sc.exe
  sc config webthreatdefsvc start=demand
  2⤵
  PID:3640
- C:\Windows\system32\sc.exe
  sc config webthreatdefusersvc_dc2a4 start=auto
  2⤵
  PID:3684
- C:\Windows\system32\sc.exe
  sc config wercplsupport start=demand
  2⤵
  PID:1628
- C:\Windows\system32\sc.exe
  sc config wisvc start=demand
  2⤵
  PID:692
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=demand
  2⤵
  PID:5316
- C:\Windows\system32\sc.exe
  sc config wlpasvc start=demand
  2⤵
  - Launches sc.exe
  PID:2460
- C:\Windows\system32\sc.exe
  sc config wmiApSrv start=demand
  2⤵
  PID:1168
- C:\Windows\system32\sc.exe
  sc config workfolderssvc start=demand
  2⤵
  PID:4248
- C:\Windows\system32\sc.exe
  sc config wscsvc start=delayed-auto
  2⤵
  PID:3116
- C:\Windows\system32\sc.exe
  sc config wuauserv start=demand
  2⤵
  PID:3168
- C:\Windows\system32\sc.exe
  sc config wudfsvc start=demand
  2⤵
  PID:2752
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:648
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:2736
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:1788
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:1616
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2776
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:4140
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:2268
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:3828
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:3308
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:5784
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /Disable
  2⤵
  PID:6128
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\MareBackup" /Disable
  2⤵
  PID:1648
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:3104
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:1672
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:704
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:452
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
  2⤵
  PID:3384
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v ContentDeliveryAllowed /t REG_DWORD /d 0 /f
  2⤵
  PID:5640
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v OemPreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4580
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:784
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v PreInstalledAppsEverEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5960
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SilentInstalledAppsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2664
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338387Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4728
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338388Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2748
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-338389Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SubscribedContent-353698Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2280
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v SystemPaneSuggestionsEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4708
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableWindowsConsumerFeatures /t REG_DWORD /d 1 /f
  2⤵
  PID:4984
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v NumberOfSIUFInPeriod /t REG_DWORD /d 0 /f
  2⤵
  PID:4856
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v DoNotShowFeedbackNotifications /t REG_DWORD /d 1 /f
  2⤵
  PID:5008
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\CloudContent" /v DisableTailoredExperiencesWithDiagnosticData /t REG_DWORD /d 1 /f
  2⤵
  PID:2312
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo" /v DisabledByGroupPolicy /t REG_DWORD /d 1 /f
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f
  2⤵
  PID:6064
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config" /v DODownloadMode /t REG_DWORD /d 1 /f
  2⤵
  PID:4120
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
  2⤵
  PID:1300
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\OperationStatusManager" /v EnthusiastMode /t REG_DWORD /d 1 /f
  2⤵
  PID:4264
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowTaskViewButton /t REG_DWORD /d 0 /f
  2⤵
  PID:2928
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\People" /v PeopleBand /t REG_DWORD /d 0 /f
  2⤵
  PID:4760
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v LaunchTo /t REG_DWORD /d 1 /f
  2⤵
  PID:4780
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
  2⤵
  PID:5004
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v SearchOrderConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:5368
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v SystemResponsiveness /t REG_DWORD /d 0 /f
  2⤵
  PID:1340
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v NetworkThrottlingIndex /t REG_DWORD /d 4294967295 /f
  2⤵
  PID:5724
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v MenuShowDelay /t REG_DWORD /d 1 /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Desktop" /v AutoEndTasks /t REG_DWORD /d 1 /f
  2⤵
  PID:5240
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v ClearPageFileAtShutdown /t REG_DWORD /d 0 /f
  2⤵
  PID:5224
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v Start /t REG_DWORD /d 2 /f
  2⤵
  PID:232
- C:\Windows\system32\reg.exe
  reg add "HKCU\Control Panel\Mouse" /v MouseHoverTime /t REG_SZ /d 400 /f
  2⤵
  PID:2520
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v IRPStackSize /t REG_DWORD /d 30 /f
  2⤵
  PID:2588
- C:\Windows\system32\reg.exe
  reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds" /v EnableFeeds /t REG_DWORD /d 0 /f
  2⤵
  PID:1224
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Feeds" /v ShellFeedsTaskbarViewMode /t REG_DWORD /d 2 /f
  2⤵
  PID:5160
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAMeetNow /t REG_DWORD /d 1 /f
  2⤵
  PID:4692
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "GPU Priority" /t REG_DWORD /d 8 /f
  2⤵
  PID:5184
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v Priority /t REG_DWORD /d 6 /f
  2⤵
  PID:4372
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile\Tasks\Games" /v "Scheduling Category" /t REG_SZ /d High /f
  2⤵
  PID:4380
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d 0 /f
  2⤵
  PID:5216
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4636
- C:\Windows\system32\bcdedit.exe
  bcdedit /set {current} bootmenupolicy Legacy
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild 2>nul | findstr /r /c:"CurrentBuild"
  2⤵
  PID:3524
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuild
    3⤵
    PID:1068
- - C:\Windows\system32\findstr.exe
    findstr /r /c:"CurrentBuild"
    3⤵
    PID:64
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -Command "Start-Process taskmgr.exe -WindowStyle Hidden"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- - C:\Windows\system32\Taskmgr.exe
    "C:\Windows\system32\Taskmgr.exe"
    3⤵
    PID:5688
- C:\Windows\system32\timeout.exe
  timeout /t 2
  2⤵
  - Delays execution with timeout.exe
  PID:888
- C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences
  2⤵
  PID:2300
- C:\Windows\system32\taskkill.exe
  taskkill /f /im taskmgr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5408
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\TaskManager" /v Preferences /t REG_BINARY /d 0000000000000000000000000000000000000000000000000000000000000000 /f
  2⤵
  PID:1392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-Item -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MyComputer\\NameSpace\\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}' -Recurse -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious use of AdjustPrivilegeToken
  PID:5868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
  2⤵
  PID:2636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(Get-CimInstance -ClassName Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum / 1kb"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name 'SvcHostSplitThresholdInKB' -Type DWord -Value 0 -Force"
  2⤵
  PID:4844
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger" /deny SYSTEM:(OI)(CI)F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3148
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3564
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4972
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4744
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4440
- C:\Oneclick Tools\OOshutup10\OOSU10.exe
  "C:\Oneclick Tools\OOshutup10\OOSU10.exe" "C:\Oneclick Tools\OOshutup10\QuakedOOshutup10.cfg" /quiet
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Modifies Control Panel
  - Modifies registry class
  - System policy modification
  PID:1100
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:6080
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4228
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:3252
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4392
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2952
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5612
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4000
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\WinHttpAutoProxySvc" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2560
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\BcastDVRUserService" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3464
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\xbgm" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:3216
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5236
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5860
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4472
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "MicrophoneCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1800
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
  2⤵
  PID:4248
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "2" /f
  2⤵
  PID:3116
- C:\Windows\system32\reg.exe
  reg add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3168
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:2752
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3768
- C:\Windows\system32\sc.exe
  sc config wlidsvc start= disabled
  2⤵
  PID:2008
- C:\Windows\system32\sc.exe
  sc config DisplayEnhancementService start= disabled
  2⤵
  PID:2024
- C:\Windows\system32\sc.exe
  sc config DiagTrack start= disabled
  2⤵
  PID:1616
- C:\Windows\system32\sc.exe
  sc config DusmSvc start= disabled
  2⤵
  PID:2776
- C:\Windows\system32\sc.exe
  sc config TabletInputService start= disabled
  2⤵
  - Launches sc.exe
  PID:4140
- C:\Windows\system32\sc.exe
  sc config RetailDemo start= disabled
  2⤵
  PID:2268
- C:\Windows\system32\sc.exe
  sc config Fax start= disabled
  2⤵
  - Launches sc.exe
  PID:3828
- C:\Windows\system32\sc.exe
  sc config SharedAccess start= disabled
  2⤵
  PID:3308
- C:\Windows\system32\sc.exe
  sc config lfsvc start= disabled
  2⤵
  PID:5784
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start= disabled
  2⤵
  PID:6128
- C:\Windows\system32\sc.exe
  sc config SessionEnv start= disabled
  2⤵
  PID:1648
- C:\Windows\system32\sc.exe
  sc config MicrosoftEdgeElevationService start= disabled
  2⤵
  PID:3104
- C:\Windows\system32\sc.exe
  sc config edgeupdate start= disabled
  2⤵
  PID:1672
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start= disabled
  2⤵
  PID:704
- C:\Windows\system32\sc.exe
  sc config autotimesvc start= disabled
  2⤵
  PID:452
- C:\Windows\system32\sc.exe
  sc config CscService start= disabled
  2⤵
  PID:3384
- C:\Windows\system32\sc.exe
  sc config TermService start= disabled
  2⤵
  PID:5640
- C:\Windows\system32\sc.exe
  sc config SensorDataService start= disabled
  2⤵
  PID:8
- C:\Windows\system32\sc.exe
  sc config SensorService start= disabled
  2⤵
  PID:1692
- C:\Windows\system32\sc.exe
  sc config SensrSvc start= disabled
  2⤵
  PID:5716
- C:\Windows\system32\sc.exe
  sc config shpamsvc start= disabled
  2⤵
  PID:1712
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start= disabled
  2⤵
  PID:968
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start= disabled
  2⤵
  PID:4196
- C:\Windows\system32\sc.exe
  sc config TapiSrv start= disabled
  2⤵
  PID:3648
- C:\Windows\system32\sc.exe
  sc config UevAgentService start= disabled
  2⤵
  PID:900
- C:\Windows\system32\sc.exe
  sc config WalletService start= disabled
  2⤵
  PID:4076
- C:\Windows\system32\sc.exe
  sc config TokenBroker start= disabled
  2⤵
  PID:4644
- C:\Windows\system32\sc.exe
  sc config WebClient start= disabled
  2⤵
  - Launches sc.exe
  PID:3068
- C:\Windows\system32\sc.exe
  sc config MixedRealityOpenXRSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4364
- C:\Windows\system32\sc.exe
  sc config stisvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4200
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start= disabled
  2⤵
  PID:5088
- C:\Windows\system32\sc.exe
  sc config icssvc start= disabled
  2⤵
  PID:1316
- C:\Windows\system32\sc.exe
  sc config Wecsvc start= disabled
  2⤵
  PID:536
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  PID:2200
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  PID:3356
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  PID:5244
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start= disabled
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5040
- C:\Windows\system32\sc.exe
  sc config Backupper Service start= disabled
  2⤵
  PID:4664
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start= disabled
  2⤵
  PID:1312
- C:\Windows\system32\sc.exe
  sc config BDESVC start= disabled
  2⤵
  PID:5928
- C:\Windows\system32\sc.exe
  sc config cbdhsvc start= disabled
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc config CDPSvc start= disabled
  2⤵
  PID:5384
- C:\Windows\system32\sc.exe
  sc config CDPUserSvc start= disabled
  2⤵
  PID:832
- C:\Windows\system32\sc.exe
  sc config DevQueryBroker start= disabled
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc start= disabled
  2⤵
  PID:3340
- C:\Windows\system32\sc.exe
  sc config dmwappushservice start= disabled
  2⤵
  PID:5136
- C:\Windows\system32\sc.exe
  sc config DispBrokerDesktopSvc start= disabled
  2⤵
  PID:5148
- C:\Windows\system32\sc.exe
  sc config TrkWks start= disabled
  2⤵
  PID:3328
- C:\Windows\system32\sc.exe
  sc config dLauncherLoopback start= disabled
  2⤵
  PID:4736
- C:\Windows\system32\sc.exe
  sc config EFS start= disabled
  2⤵
  PID:2652
- C:\Windows\system32\sc.exe
  sc config fdPHost start= disabled
  2⤵
  PID:1232
- C:\Windows\system32\sc.exe
  sc config FDResPub start= disabled
  2⤵
  - Launches sc.exe
  PID:6012
- C:\Windows\system32\sc.exe
  sc config IKEEXT start= disabled
  2⤵
  PID:5168
- C:\Windows\system32\sc.exe
  sc config NPSMSvc start= disabled
  2⤵
  PID:4896
- C:\Windows\system32\sc.exe
  sc config WPDBusEnum start= disabled
  2⤵
  PID:4188
- C:\Windows\system32\sc.exe
  sc config PcaSvc start= disabled
  2⤵
  PID:2616
- C:\Windows\system32\sc.exe
  sc config RasMan start= disabled
  2⤵
  PID:404
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:5992
- C:\Windows\system32\sc.exe
  sc config SstpSvc start=disabled
  2⤵
  PID:2832
- C:\Windows\system32\sc.exe
  sc config ShellHWDetection start= disabled
  2⤵
  PID:3652
- C:\Windows\system32\sc.exe
  sc config SSDPSRV start= disabled
  2⤵
  PID:64
- C:\Windows\system32\sc.exe
  sc config SysMain start= disabled
  2⤵
  PID:792
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc start= disabled
  2⤵
  PID:4716
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:5352
- C:\Windows\system32\sc.exe
  sc config UserDataSvc start= disabled
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc config UnistoreSvc start= disabled
  2⤵
  PID:4112
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:3516
- C:\Windows\system32\sc.exe
  sc config FontCache start= disabled
  2⤵
  PID:1864
- C:\Windows\system32\sc.exe
  sc config W32Time start= disabled
  2⤵
  PID:2716
- C:\Windows\system32\sc.exe
  sc config tzautoupdate start= disabled
  2⤵
  PID:2116
- C:\Windows\system32\sc.exe
  sc config DsSvc start= disabled
  2⤵
  PID:5688
- C:\Windows\system32\sc.exe
  sc config DevicesFlowUserSvc_5f1ad start= disabled
  2⤵
  PID:4332
- C:\Windows\system32\sc.exe
  sc config diagsvc start= disabled
  2⤵
  PID:4028
- C:\Windows\system32\sc.exe
  sc config DialogBlockingService start= disabled
  2⤵
  PID:5156
- C:\Windows\system32\sc.exe
  sc config PimIndexMaintenanceSvc_5f1ad start= disabled
  2⤵
  PID:5192
- C:\Windows\system32\sc.exe
  sc config MessagingService_5f1ad start= disabled
  2⤵
  PID:3536
- C:\Windows\system32\sc.exe
  sc config AppVClient start= disabled
  2⤵
  PID:6044
- C:\Windows\system32\sc.exe
  sc config MsKeyboardFilter start= disabled
  2⤵
  PID:4292
- C:\Windows\system32\sc.exe
  sc config NetTcpPortSharing start= disabled
  2⤵
  PID:5832
- C:\Windows\system32\sc.exe
  sc config ssh-agent start= disabled
  2⤵
  PID:3164
- C:\Windows\system32\sc.exe
  sc config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1392
- C:\Windows\system32\sc.exe
  sc config OneSyncSvc_5f1ad start= disabled
  2⤵
  PID:1700
- C:\Windows\system32\sc.exe
  sc config wercplsupport start= disabled
  2⤵
  PID:5488
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start= disabled
  2⤵
  PID:400
- C:\Windows\system32\sc.exe
  sc config WerSvc start= disabled
  2⤵
  PID:2556
- C:\Windows\system32\sc.exe
  sc config WpnUserService_5f1ad start= disabled
  2⤵
  PID:4696
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= disabled
  2⤵
  PID:2220
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDInstallLauncher" /f
  2⤵
  PID:3244
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDLinkUpdate" /f
  2⤵
  PID:4536
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "AMDRyzenMasterSDKTask" /f
  2⤵
  PID:5648
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "Driver Easy Scheduled Scan" /f
  2⤵
  PID:5868
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "ModifyLinkUpdate" /f
  2⤵
  PID:5252
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "SoftMakerUpdater" /f
  2⤵
  PID:1776
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartCN" /f
  2⤵
  PID:4572
- C:\Windows\system32\schtasks.exe
  schtasks /DELETE /TN "StartDVR" /f
  2⤵
  PID:2248
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
  2⤵
  PID:1396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\PcaPatchDbTask" /Disable
  2⤵
  PID:3512
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /Disable
  2⤵
  PID:4552
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /Disable
  2⤵
  PID:4592
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /Disable
  2⤵
  PID:2660
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /Disable
  2⤵
  PID:5792
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /Disable
  2⤵
  PID:3348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /Disable
  2⤵
  PID:4804
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device" /Disable
  2⤵
  PID:4608
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Device Information\Device User" /Disable
  2⤵
  PID:2936
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /Disable
  2⤵
  PID:1404
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Diagnosis\Scheduled" /Disable
  2⤵
  PID:600
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskCleanup\SilentCleanup" /Disable
  2⤵
  PID:5800
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /Disable
  2⤵
  PID:1980
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /Disable
  2⤵
  PID:3884
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DiskFootprint\StorageSense" /Disable
  2⤵
  PID:5844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:6004
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\EnterpriseMgmt\MDMMaintenenceTask" /Disable
  2⤵
  PID:5892
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClient" /Disable
  2⤵
  PID:6088
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /Disable
  2⤵
  PID:236
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /Disable
  2⤵
  PID:4684
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures" /Disable
  2⤵
  PID:4436
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataFlushing" /Disable
  2⤵
  PID:5596
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting" /Disable
  2⤵
  PID:764
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Flighting\OneSettings\RefreshCache" /Disable
  2⤵
  PID:5912
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\LocalUserSyncDataAvailable" /Disable
  2⤵
  PID:5636
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\MouseSyncDataAvailable" /Disable
  2⤵
  PID:6068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\PenSyncDataAvailable" /Disable
  2⤵
  PID:4668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Input\TouchpadSyncDataAvailable" /Disable
  2⤵
  PID:2844
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\International\Synchronize Language Settings" /Disable
  2⤵
  PID:5348
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
  2⤵
  PID:5360
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources" /Disable
  2⤵
  PID:3252
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Uninstallation" /Disable
  2⤵
  PID:4392
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:2952
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /Disable
  2⤵
  PID:5612
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Cellular" /Disable
  2⤵
  PID:4000
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Management\Provisioning\Logon" /Disable
  2⤵
  PID:2560
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
  2⤵
  PID:692
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsToastTask" /Disable
  2⤵
  PID:3312
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Maps\MapsUpdateTask" /Disable
  2⤵
  PID:468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser" /Disable
  2⤵
  PID:3852
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\MUI\LPRemove" /Disable
  2⤵
  PID:3396
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NetTrace\GatherNetworkInfo" /Disable
  2⤵
  PID:2904
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /Disable
  2⤵
  PID:3584
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /Disable
  2⤵
  PID:6120
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\PushToInstall\Registration" /Disable
  2⤵
  PID:4916
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Ras\MobilityManager" /Disable
  2⤵
  PID:320
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RecoveryEnvironment\VerifyWinRE" /Disable
  2⤵
  PID:4172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /Disable
  2⤵
  PID:5180
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\RetailDemo\CleanupOfflineContent" /Disable
  2⤵
  PID:4176
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Servicing\StartComponentCleanup" /Disable
  2⤵
  PID:4424
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SettingSync\NetworkStateChangeTask" /Disable
  2⤵
  PID:3064
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:4512
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:1124
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceAgentTask" /Disable
  2⤵
  PID:5924
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\SpacePort\SpaceManagerTask" /Disable
  2⤵
  PID:3108
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Speech\SpeechModelDownloadTask" /Disable
  2⤵
  PID:3292
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Storage Tiers Management\Storage Tiers Management Initialization" /Disable
  2⤵
  PID:3092
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\ResPriStaticDbSync" /Disable
  2⤵
  PID:324
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Sysmain\WsSwapAssessmentTask" /Disable
  2⤵
  PID:3712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Task Manager\Interactive" /Disable
  2⤵
  PID:4312
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
  2⤵
  PID:1080
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
  2⤵
  PID:4420
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Time Zone\SynchronizeTimeZone" /Disable
  2⤵
  PID:992
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-HASCertRetr" /Disable
  2⤵
  PID:5840
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\TPM\Tpm-Maintenance" /Disable
  2⤵
  PID:944
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UPnP\UPnPHostConfig" /Disable
  2⤵
  PID:3488
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\User Profile Service\HiveUploadTask" /Disable
  2⤵
  PID:1452
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WDI\ResolutionHost" /Disable
  2⤵
  PID:5756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange" /Disable
  2⤵
  PID:772
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Management" /Disable
  2⤵
  PID:1984
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WOF\WIM-Hash-Validation" /Disable
  2⤵
  PID:2280
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Logon Synchronization" /Disable
  2⤵
  PID:3028
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Work Folders\Work Folders Maintenance Work" /Disable
  2⤵
  PID:2372
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Workplace Join\Automatic-Device-Join" /Disable
  2⤵
  PID:2332
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\NotificationTask" /Disable
  2⤵
  PID:4748
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WwanSvc\OobeDiscovery" /Disable
  2⤵
  PID:2312
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /Disable
  2⤵
  PID:3140
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5816
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:952
- C:\Windows\system32\sc.exe
  sc stop upfc
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc stop PushToInstall
  2⤵
  PID:4032
- C:\Windows\system32\sc.exe
  sc stop BITS
  2⤵
  PID:2272
- C:\Windows\system32\sc.exe
  sc stop InstallService
  2⤵
  - Launches sc.exe
  PID:5396
- C:\Windows\system32\sc.exe
  sc stop uhssvc
  2⤵
  PID:4680
- C:\Windows\system32\sc.exe
  sc stop UsoSvc
  2⤵
  PID:2392
- C:\Windows\system32\sc.exe
  sc stop wuauserv
  2⤵
  PID:5064
- C:\Windows\system32\sc.exe
  sc stop LanmanServer
  2⤵
  PID:5808
- C:\Windows\system32\sc.exe
  sc config BITS start= disabled
  2⤵
  PID:1856
- C:\Windows\system32\sc.exe
  sc config InstallService start= disabled
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc config uhssvc start= disabled
  2⤵
  - Launches sc.exe
  PID:5384
- C:\Windows\system32\sc.exe
  sc config UsoSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:832
- C:\Windows\system32\sc.exe
  sc config wuauserv start= disabled
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config LanmanServer start= disabled
  2⤵
  PID:3340
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5136
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InstallService" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5148
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:3328
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t reg_dword /d 4 /f
  2⤵
  - Modifies security service
  PID:4736
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:2652
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:1232
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upfc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:6012
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uhssvc" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ossrs" /v Start /t reg_dword /d 4 /f
  2⤵
  PID:4896
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpdatePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:4188
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgrade" /t REG_DWORD /d "1" /f
  2⤵
  PID:2616
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DeferUpgradePeriod" /t REG_DWORD /d "1" /f
  2⤵
  PID:444
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DisableWindowsUpdateAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:1068
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdates" /Disable
  2⤵
  PID:4232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\ScanForUpdatesAsUser" /Disable
  2⤵
  PID:2120
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\SmartRetry" /Disable
  2⤵
  PID:5132
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndContinueUpdates" /Disable
  2⤵
  PID:1524
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\InstallService\WakeUpAndScanForUpdates" /Disable
  2⤵
  PID:1732
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Report policies" /Disable
  2⤵
  PID:4712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /Disable
  2⤵
  PID:688
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task" /Disable
  2⤵
  PID:2044
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\UpdateModelTask" /Disable
  2⤵
  PID:1756
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker" /Disable
  2⤵
  PID:560
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WaaSMedic\PerformRemediation" /Disable
  2⤵
  PID:3052
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /Disable
  2⤵
  PID:1044
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5568
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start= disabled
  2⤵
  PID:2076
- C:\Windows\system32\sc.exe
  sc config RemoteAccess start= disabled
  2⤵
  PID:856
- C:\Windows\system32\sc.exe
  sc config WinRM start= disabled
  2⤵
  PID:5736
- C:\Windows\system32\sc.exe
  sc config RmSvc start= disabled
  2⤵
  PID:5392
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2052
- C:\Windows\system32\sc.exe
  sc config PrintNotify start= disabled
  2⤵
  PID:5704
- C:\Windows\system32\sc.exe
  sc config Spooler start= disabled
  2⤵
  PID:5376
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\EduPrintProv" /Disable
  2⤵
  PID:4468
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrinterCleanupTask" /Disable
  2⤵
  PID:5408
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1352
- C:\Windows\system32\sc.exe
  sc config BTAGService start= disabled
  2⤵
  PID:1720
- C:\Windows\system32\sc.exe
  sc config bthserv start= disabled
  2⤵
  PID:5320
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2148
- C:\Windows\system32\sc.exe
  sc config NlaSvc start= disabled
  2⤵
  PID:4696
- C:\Windows\system32\sc.exe
  sc config LanmanWorkstation start= disabled
  2⤵
  PID:2220
- C:\Windows\system32\sc.exe
  sc config BFE start= demand
  2⤵
  PID:6104
- C:\Windows\system32\sc.exe
  sc config Dnscache start= demand
  2⤵
  PID:2824
- C:\Windows\system32\sc.exe
  sc config WinHttpAutoProxySvc start= demand
  2⤵
  PID:1348
- C:\Windows\system32\sc.exe
  sc config Dhcp start= auto
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc config DPS start= auto
  2⤵
  PID:4528
- C:\Windows\system32\sc.exe
  sc config lmhosts start= disabled
  2⤵
  PID:5332
- C:\Windows\system32\sc.exe
  sc config nsi start= auto
  2⤵
  PID:5200
- C:\Windows\system32\sc.exe
  sc config Wcmsvc start= disabled
  2⤵
  PID:2420
- C:\Windows\system32\sc.exe
  sc config Winmgmt start= auto
  2⤵
  - Launches sc.exe
  PID:6132
- C:\Windows\system32\sc.exe
  sc config WlanSvc start= demand
  2⤵
  PID:2640
- C:\Windows\system32\reg.exe
  reg add "HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator" /v "NoActiveProbe" /t REG_DWORD /d "1" /f
  2⤵
  PID:2712
- C:\Windows\system32\reg.exe
  reg add "HKLM\System\CurrentControlSet\Services\NlaSvc\Parameters\Internet" /v "EnableActiveProbing" /t REG_DWORD /d "0" /f
  2⤵
  PID:1304
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WlanSvc\CDSSync" /Disable
  2⤵
  PID:3992
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\WCM\WiFiTask" /Disable
  2⤵
  PID:3484
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\NlaSvc\WiFiTask" /Disable
  2⤵
  PID:2012
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\DUSM\dusmtask" /Disable
  2⤵
  PID:4480
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1476
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4348
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5096
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1516
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5292
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4280
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc config ALG start=disabled
  2⤵
  PID:3668
- C:\Windows\system32\sc.exe
  sc config AJRouter start=disabled
  2⤵
  PID:2656
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start=disabled
  2⤵
  PID:4744
- C:\Windows\system32\sc.exe
  sc config XblGameSave start=disabled
  2⤵
  PID:1932
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:4400
- C:\Windows\system32\sc.exe
  sc config WSearch start=disabled
  2⤵
  PID:1172
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:372
- C:\Windows\system32\sc.exe
  sc config RemoteRegistry start=disabled
  2⤵
  PID:1104
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:4432
- C:\Windows\system32\sc.exe
  sc config SEMgrSvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3876
- C:\Windows\system32\sc.exe
  sc config SCardSvr start=disabled
  2⤵
  PID:1432
- C:\Windows\system32\sc.exe
  sc config Netlogon start=disabled
  2⤵
  PID:2648
- C:\Windows\system32\sc.exe
  sc config CscService start=disabled
  2⤵
  PID:5280
- C:\Windows\system32\sc.exe
  sc config icssvc start=disabled
  2⤵
  PID:1508
- C:\Windows\system32\sc.exe
  sc config wisvc start=disabled
  2⤵
  PID:1716
- C:\Windows\system32\sc.exe
  sc config RetailDemo start=disabled
  2⤵
  PID:5188
- C:\Windows\system32\sc.exe
  sc config WalletService start=disabled
  2⤵
  PID:1192
- C:\Windows\system32\sc.exe
  sc config Fax start=disabled
  2⤵
  PID:3788
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:1344
- C:\Windows\system32\sc.exe
  sc config iphlpsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:2456
- C:\Windows\system32\sc.exe
  sc config wcncsvc start=disabled
  2⤵
  - Launches sc.exe
  PID:3684
- C:\Windows\system32\sc.exe
  sc config fhsvc start=disabled
  2⤵
  PID:3704
- C:\Windows\system32\sc.exe
  sc config PhoneSvc start=disabled
  2⤵
  PID:4152
- C:\Windows\system32\sc.exe
  sc config seclogon start=disabled
  2⤵
  PID:2360
- C:\Windows\system32\sc.exe
  sc config FrameServer start=disabled
  2⤵
  PID:5316
- C:\Windows\system32\sc.exe
  sc config WbioSrvc start=disabled
  2⤵
  PID:2460
- C:\Windows\system32\sc.exe
  sc config StiSvc start=disabled
  2⤵
  PID:1168
- C:\Windows\system32\sc.exe
  sc config PcaSvc start=disabled
  2⤵
  PID:5144
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:2720
- C:\Windows\system32\sc.exe
  sc config MapsBroker start=disabled
  2⤵
  PID:3636
- C:\Windows\system32\sc.exe
  sc config bthserv start=disabled
  2⤵
  PID:3428
- C:\Windows\system32\sc.exe
  sc config BDESVC start=disabled
  2⤵
  PID:4396
- C:\Windows\system32\sc.exe
  sc config BthAvctpSvc start=disabled
  2⤵
  PID:648
- C:\Windows\system32\sc.exe
  sc config WpcMonSvc start=disabled
  2⤵
  PID:1580
- C:\Windows\system32\sc.exe
  sc config DiagTrack start=disabled
  2⤵
  PID:1336
- C:\Windows\system32\sc.exe
  sc config CertPropSvc start=disabled
  2⤵
  PID:5624
- C:\Windows\system32\sc.exe
  sc config WdiServiceHost start=disabled
  2⤵
  PID:5956
- C:\Windows\system32\sc.exe
  sc config lmhosts start=disabled
  2⤵
  PID:6060
- C:\Windows\system32\sc.exe
  sc config WdiSystemHost start=disabled
  2⤵
  PID:4900
- C:\Windows\system32\sc.exe
  sc config TrkWks start=disabled
  2⤵
  PID:3304
- C:\Windows\system32\sc.exe
  sc config WerSvc start=disabled
  2⤵
  PID:3848
- C:\Windows\system32\sc.exe
  sc config TabletInputService start=disabled
  2⤵
  PID:3752
- C:\Windows\system32\sc.exe
  sc config EntAppSvc start=disabled
  2⤵
  PID:3964
- C:\Windows\system32\sc.exe
  sc config Spooler start=disabled
  2⤵
  PID:3288
- C:\Windows\system32\sc.exe
  sc config BcastDVRUserService start=disabled
  2⤵
  PID:5788
- C:\Windows\system32\sc.exe
  sc config WMPNetworkSvc start=disabled
  2⤵
  PID:5264
- C:\Windows\system32\sc.exe
  sc config diagnosticshub.standardcollector.service start=disabled
  2⤵
  PID:516
- C:\Windows\system32\sc.exe
  sc config DmEnrollmentSvc start=disabled
  2⤵
  PID:4648
- C:\Windows\system32\sc.exe
  sc config PNRPAutoReg start=disabled
  2⤵
  - Launches sc.exe
  PID:4556
- C:\Windows\system32\sc.exe
  sc config wlidsvc start=disabled
  2⤵
  PID:1788
- C:\Windows\system32\sc.exe
  sc config AXInstSV start=disabled
  2⤵
  PID:8
- C:\Windows\system32\sc.exe
  sc config lfsvc start=disabled
  2⤵
  PID:784
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  - Launches sc.exe
  PID:5960
- C:\Windows\system32\sc.exe
  sc config DeviceAssociationService start=disabled
  2⤵
  PID:636
- C:\Windows\system32\sc.exe
  sc config StorSvc start=disabled
  2⤵
  PID:4728
- C:\Windows\system32\sc.exe
  sc config TieringEngineService start=disabled
  2⤵
  PID:2748
- C:\Windows\system32\sc.exe
  sc config DPS start=disabled
  2⤵
  PID:556
- C:\Windows\system32\sc.exe
  sc config Themes start=disabled
  2⤵
  PID:3180
- C:\Windows\system32\sc.exe
  sc config AppReadiness start=disabled
  2⤵
  PID:4708
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4984
- C:\Windows\system32\sc.exe
  sc config HvHost start=disabled
  2⤵
  PID:2372
- C:\Windows\system32\sc.exe
  sc config vmickvpexchange start=disabled
  2⤵
  PID:4748
- C:\Windows\system32\sc.exe
  sc config vmicguestinterface start=disabled
  2⤵
  PID:2312
- C:\Windows\system32\sc.exe
  sc config vmicshutdown start=disabled
  2⤵
  PID:3140
- C:\Windows\system32\sc.exe
  sc config vmicheartbeat start=disabled
  2⤵
  PID:5816
- C:\Windows\system32\sc.exe
  sc config vmicvmsession start=disabled
  2⤵
  PID:952
- C:\Windows\system32\sc.exe
  sc config vmicrdv start=disabled
  2⤵
  PID:2196
- C:\Windows\system32\sc.exe
  sc config vmictimesync start=disabled
  2⤵
  PID:4032
- C:\Windows\system32\sc.exe
  sc config vmicvss start=disabled
  2⤵
  - Launches sc.exe
  PID:2272
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5396
- C:\Windows\system32\sc.exe
  sc config edgeupdate start=disabled
  2⤵
  - Launches sc.exe
  PID:1176
- C:\Windows\system32\sc.exe
  sc config edgeupdatem start=disabled
  2⤵
  PID:5004
- C:\Windows\system32\sc.exe
  sc config GoogleChromeElevationService start=disabled
  2⤵
  - Launches sc.exe
  PID:5368
- C:\Windows\system32\sc.exe
  sc config gupdate start=disabled
  2⤵
  - Launches sc.exe
  PID:4776
- C:\Windows\system32\sc.exe
  sc config gupdatem start=disabled
  2⤵
  - Launches sc.exe
  PID:3084
- C:\Windows\system32\sc.exe
  sc config BraveElevationService start=disabled
  2⤵
  PID:3036
- C:\Windows\system32\sc.exe
  sc config brave start=disabled
  2⤵
  - Launches sc.exe
  PID:5928
- C:\Windows\system32\sc.exe
  sc config bravem start=disabled
  2⤵
  PID:1872
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:664
- C:\Windows\system32\sc.exe
  sc config NcbService start=disabled
  2⤵
  PID:2000
- C:\Windows\system32\sc.exe
  sc config jhi_service start=disabled
  2⤵
  - Launches sc.exe
  PID:5384
- C:\Windows\system32\sc.exe
  sc config WMIRegistrationService start=disabled
  2⤵
  PID:832
- C:\Windows\system32\sc.exe
  sc config "Intel(R) TPM Provisioning Service" start=disabled
  2⤵
  PID:4796
- C:\Windows\system32\sc.exe
  sc config "Intel(R) Platform License Manager Service" start=disabled
  2⤵
  PID:3340
- C:\Windows\system32\sc.exe
  sc config ipfsvc start=disabled
  2⤵
  PID:5136
- C:\Windows\system32\sc.exe
  sc config igccservice start=disabled
  2⤵
  PID:5884
- C:\Windows\system32\sc.exe
  sc config cplspcon start=disabled
  2⤵
  PID:4656
- C:\Windows\system32\sc.exe
  sc config esifsvc start=disabled
  2⤵
  PID:5184
- C:\Windows\system32\sc.exe
  sc config LMS start=disabled
  2⤵
  PID:4372
- C:\Windows\system32\sc.exe
  sc config ibtsiva start=disabled
  2⤵
  - Launches sc.exe
  PID:4380
- C:\Windows\system32\sc.exe
  sc config IntelAudioService start=disabled
  2⤵
  - Launches sc.exe
  PID:4640
- C:\Windows\system32\sc.exe
  sc config "Intel(R) Capability Licensing Service TCP IP Interface" start=disabled
  2⤵
  PID:4604
- C:\Windows\system32\sc.exe
  sc config cphs start=disabled
  2⤵
  PID:5552
- C:\Windows\system32\sc.exe
  sc config DSAService start=disabled
  2⤵
  PID:3624
- C:\Windows\system32\sc.exe
  sc config DSAUpdateService start=disabled
  2⤵
  PID:2472
- C:\Windows\system32\sc.exe
  sc config igfxCUIService2.0.0.0 start=disabled
  2⤵
  PID:460
- C:\Windows\system32\sc.exe
  sc config RstMwService start=disabled
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc config "Intel(R) SUR QC SAM" start=disabled
  2⤵
  PID:3316
- C:\Windows\system32\sc.exe
  sc config SystemUsageReportSvc_QUEENCREEK start=disabled
  2⤵
  PID:3772
- C:\Windows\system32\sc.exe
  sc config iaStorAfsService start=disabled
  2⤵
  - Launches sc.exe
  PID:2240
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Amd\AMD.bat"
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1768
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Sound\Sound.bat"
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\system32\sc.exe
  sc config HPAppHelperCap start=disabled
  2⤵
  PID:3692
- C:\Windows\system32\sc.exe
  sc config HPDiagsCap start=disabled
  2⤵
  PID:5356
- C:\Windows\system32\sc.exe
  sc config HpTouchpointAnalyticsService start=disabled
  2⤵
  PID:2892
- C:\Windows\system32\sc.exe
  sc config HPNetworkCap start=disabled
  2⤵
  PID:4304
- C:\Windows\system32\sc.exe
  sc config HPOmenCap start=disabled
  2⤵
  PID:4732
- C:\Windows\system32\sc.exe
  sc config HPSysInfoCap start=disabled
  2⤵
  PID:1044
- C:\Windows\system32\taskkill.exe
  taskkill /f /im spd.exe
  2⤵
  - Kills process with taskkill
  PID:4964
- C:\Windows\system32\taskkill.exe
  taskkill /f /im EasyTuneEngineService.exe
  2⤵
  - Kills process with taskkill
  PID:564
- C:\Windows\system32\taskkill.exe
  taskkill /f /im GraphicsCardEngine.exe
  2⤵
  - Kills process with taskkill
  PID:5904
- C:\Windows\system32\net.exe
  net stop "cFosSpeedS"
  2⤵
  PID:856
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "cFosSpeedS"
    3⤵
    PID:5736
- C:\Windows\system32\net.exe
  net stop "GigabyteUpdateService"
  2⤵
  PID:5392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "GigabyteUpdateService"
    3⤵
    PID:6044
- C:\Windows\system32\sc.exe
  sc config cFosSpeedS start=disabled
  2⤵
  PID:5880
- C:\Windows\system32\sc.exe
  sc config GigabyteUpdateService start=disabled
  2⤵
  PID:4128
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CCleaner64.exe
  2⤵
  - Kills process with taskkill
  PID:3164
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CCleanerPerformanceOptimizerService.exe
  2⤵
  - Kills process with taskkill
  PID:2868
- C:\Windows\system32\taskkill.exe
  taskkill /f /im CCleanerBrowser.exe
  2⤵
  - Kills process with taskkill
  PID:5488
- C:\Windows\system32\net.exe
  net stop "ccleaner"
  2⤵
  PID:2628
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ccleaner"
    3⤵
    PID:2556
- C:\Windows\system32\net.exe
  net stop "ccleanerm"
  2⤵
  PID:5988
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ccleanerm"
    3⤵
    PID:4768
- C:\Windows\system32\net.exe
  net stop "CCleanerPerformanceOptimizerService"
  2⤵
  PID:5304
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "CCleanerPerformanceOptimizerService"
    3⤵
    PID:5648
- C:\Windows\system32\sc.exe
  sc config ccleaner start=disabled
  2⤵
  PID:4908
- C:\Windows\system32\sc.exe
  sc config ccleanerm start=disabled
  2⤵
  PID:5468
- C:\Windows\system32\sc.exe
  sc config CCleanerPerformanceOptimizerService start=disabled
  2⤵
  PID:4532
- C:\Windows\system32\sc.exe
  sc config logi_lamparray_service start=disabled
  2⤵
  PID:4572
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:2248
- C:\Oneclick Tools\NSudo\NSudoLG.exe
  "C:\Oneclick Tools\NSudo\NSudoLG.exe" -ShowWindowMode:hide -U:T -P:E "C:\Oneclick Tools\Orca\Orca.bat"
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /Disable
  2⤵
  PID:2640
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /Disable
  2⤵
  PID:2712
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Opera GX scheduled Autoupdate 1711926802" /Disable
  2⤵
  PID:1304
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /Disable
  2⤵
  PID:3992
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /Disable
  2⤵
  PID:3484
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleaner Update" /Disable
  2⤵
  PID:4812
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerCrashReporting" /Disable
  2⤵
  PID:2232
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineCore" /Disable
  2⤵
  PID:4444
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "CCleanerUpdateTaskMachineUA" /Disable
  2⤵
  PID:5588
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\capabilityaccessmanager" /Disable
  2⤵
  PID:5096
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SetupCleanupTask" /Disable
  2⤵
  PID:1516
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Setup\SnapshotCleanupTask" /Disable
  2⤵
  PID:5292
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /Disable
  2⤵
  PID:4280
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefreshTask" /Disable
  2⤵
  PID:5060
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\ThemesSyncedImageDownload" /Disable
  2⤵
  PID:3668
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Shell\UpdateUserPictureTask" /Disable
  2⤵
  PID:2656
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319" /Disable
  2⤵
  PID:4744
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64" /Disable
  2⤵
  PID:1932
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical" /Disable
  2⤵
  PID:4400
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical" /Disable
  2⤵
  PID:1172
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Application Experience\SdbinstMergeDbTask" /Disable
  2⤵
  PID:372
- C:\Windows\system32\schtasks.exe
  schtasks /Change /TN "Microsoft\Windows\Printing\PrintJobCleanupTask" /Disable
  2⤵
  PID:1104
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineCore{9C99738B-B026-4A33-A16D-7CCD7650D527}" /F
  2⤵
  PID:4432
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "GoogleUpdateTaskMachineUA{2E0C9FAD-7C87-42A8-8EFF-986A5662B894}" /F
  2⤵
  PID:3876
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "Opera GX scheduled Autoupdate 1711926802" /F
  2⤵
  PID:1432
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineCore{A8A54493-B843-4D11-BA1F-30C26E9F10BE}" /F
  2⤵
  PID:2648
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "BraveSoftwareUpdateTaskMachineUA{FF1E0511-D7AF-4DB6-8A41-DC39EA60EC93}" /F
  2⤵
  PID:5280
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleaner Update" /F
  2⤵
  PID:1508
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerCrashReporting" /F
  2⤵
  PID:1716
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineCore" /F
  2⤵
  PID:5188
- C:\Windows\system32\schtasks.exe
  schtasks /Delete /TN "CCleanerUpdateTaskMachineUA" /F
  2⤵
  PID:1192
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "get-appxpackage Microsoft.GamingServices | remove-AppxPackage -allusers"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1344
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5308
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\GameBarPresenceWriter.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3168
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\GameBarPresenceWriter.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2752
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:3768
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  PID:2008
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:5180
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe /fi "IMAGENAME eq msedge.exe"
  2⤵
  - Kills process with taskkill
  PID:1212
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:6060
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "OneDrive.exe"
  2⤵
  - Kills process with taskkill
  PID:4900
- C:\Windows\system32\taskkill.exe
  taskkill.exe /F /IM "explorer.exe"
  2⤵
  - Kills process with taskkill
  PID:5784
- C:\Windows\system32\reg.exe
  reg add "HKCR\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:1672
- C:\Windows\system32\reg.exe
  reg add "HKCR\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /v "System.IsPinnedToNameSpaceTree" /t REG_DWORD /d 0 /f
  2⤵
  PID:3712
- C:\Windows\system32\reg.exe
  reg load "hku\Default" "C:\Users\Default\NTUSER.DAT"
  2⤵
  PID:452
- C:\Windows\system32\reg.exe
  reg delete "HKEY_USERS\Default\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDriveSetup" /f
  2⤵
  PID:1080
- C:\Windows\system32\reg.exe
  reg unload "hku\Default"
  2⤵
  PID:5640
- C:\Windows\system32\schtasks.exe
  schtasks /delete /tn "OneDrive*" /f
  2⤵
  PID:992
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  PID:5840
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:5716
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\UsoClient.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3180
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\UsoClient.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4708
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4644
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM WidgetService.exe
  2⤵
  - Kills process with taskkill
  PID:5664
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM Widgets.exe
  2⤵
  - Kills process with taskkill
  PID:4604
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:2224
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d 0 /f
  2⤵
  PID:3652
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4232
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\System32\smartscreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3668
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\smartscreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2656
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4744
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:4400
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1172
- C:\Windows\system32\takeown.exe
  takeown /F "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:5512
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe" /grant administrators:F
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:3876
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:1432
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host '(Not recommended) Can only get search back by system restoring.' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2404
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic startup get caption /format:list
  2⤵
  PID:1112
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic startup get caption /format:list
    3⤵
    PID:3908
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B"
  2⤵
  PID:1704
- C:\Windows\system32\reg.exe
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B"
  2⤵
  PID:2652
- C:\Windows\system32\reg.exe
  reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "lco6hk"
  2⤵
  PID:4144
- C:\Windows\system32\reg.exe
  reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "lco6hk"
  2⤵
  PID:4656
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  - Delays execution with timeout.exe
  PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Local\Roblox\Versions\RobloxPlayerBeta.exe" 2>nul
  2⤵
  PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b /s "C:\Users\Admin\AppData\Local\Discord\Discord.exe" 2>nul
  2⤵
  PID:4736
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Program Files\VideoLAN\VLC\vlc.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:3792
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vlc.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4104
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Program Files\Google\Chrome\Application\chrome.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:3988
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1868
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Windows\System32\dwm.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:6028
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2724
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectX\UserGpuPreferences" /v "C:\Windows\explorer.exe" /t REG_SZ /d "GpuPreference=1" /f
  2⤵
  PID:3092
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4060
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:1936
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ApplicationFrameHost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4076
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "4" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1156
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  PID:652
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2000
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwm.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "3" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1120
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fontdrvhost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5020
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5024
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5224
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe\PerfOptions" /v "PagePriority" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3916
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5576
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SearchIndexer.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\services.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5104
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sihost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5216
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2832
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\StartMenu.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4696
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe" /v "MinimumStackCommitInBytes" /t REG_DWORD /d "32768" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1216
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1888
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5132
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2076
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustedInstaller.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  PID:2052
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininit.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:2292
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogon.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:1536
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMIADAP.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:5304
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WmiPrvSE.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:400
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "CpuPriorityClass" /t REG_DWORD /d "1" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:4536
- C:\Windows\system32\reg.exe
  reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\PerfOptions" /v "IoPriority" /t REG_DWORD /d "0" /f
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  PID:3588
- C:\Windows\system32\timeout.exe
  timeout 1
  2⤵
  PID:5276
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Write-Host 'Reminder, will take a while' -ForegroundColor White -BackgroundColor Red"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
  2⤵
  PID:5456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Cortana* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
  2⤵
  PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
  2⤵
  PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *photos* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *SkypeApp* | Remove-AppxPackage"
  2⤵
  PID:5860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
  2⤵
  PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -ExecutionPolicy Unrestricted -Command "Get-AppxPackage *WindowsCalculator* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
PID:4176

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6104

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6088

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5800

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Oneclick Tools.zip

Filesize
1.7MB

MD5
517b76cba1c1b12ec146a60a2745b28e

SHA1
0a867eac3a9fe1cba33542fd1184fc08ac8ca609

SHA256
c0f0d33d18d79c58d0956a5057ec26407d50bebb8960514ceb88d7fb7fb2502b

SHA512
be3215579c6330225640bbae1fa1569f836ba04aad9f4e85b7449de01b076940a9a45abd14b2783a143b51d393f52784894a7fae4a9d527431f804e15635bcb6

Download Submit
C:\Oneclick Tools\NSudo\NSudoLG.exe

Filesize
174KB

MD5
423129ddb24fb923f35b2dd5787b13dd

SHA1
575e57080f33fa87a8d37953e973d20f5ad80cfd

SHA256
5094ad359d8cf6dc5324598605c35f68519cc5af9c7ed5427e02a6b28121e4c7

SHA512
d3f904c944281e9be9788acea9cd31f563c5a764e927bcda7bae6bedcc6ae550c0809e49fd2cf00d9e143281d08522a4f484acc8d90b37111e2c737e91ae21ce

Download Submit
C:\Oneclick Tools\OOshutup10\OOSU10.exe

Filesize
1.9MB

MD5
4803e06db91fdb8b6d1b65c0010d2f87

SHA1
f6d68a7dcc9c46e663f586341e8ba8d1be6b0f9c

SHA256
beb7becc38ccc7ed37c47fe607b25a966a5f71aabd36ab945c3cba15451dfa7b

SHA512
f34195e4dd2b9a0dc4847e94547b3b4f0ee13009878f0e88954e6a070234b902814a7bdc018782cbaddb52e31e19f30bc2273d1b2ed1071f0695563e070c58c6

Download Submit
C:\Oneclick Tools\OOshutup10\QuakedOOshutup10.cfg

Filesize
2KB

MD5
109f47ced5da3f92362c49069fc4624e

SHA1
79b611073aa0006f1bb4058a6ecb6f3cc97391d6

SHA256
2508b43de805b672ee3ceac260731733bf22648325e10be7ffd47223e429a29b

SHA512
55a11e520f9e9a4d9aa39e87b6a7675bf5e431d986579ce48fd2aaf0c0b9c5b855fda8c8d048b492f96a38f21dd223b05896bfa6537a4716f33f7fdb3af5a774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ed30ca9187bf5593affb3dc9276309a6

SHA1
c63757897a6c43a44102b221fe8dc36355e99359

SHA256
81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

SHA512
1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

Filesize
414KB

MD5
ab79489e9704fc9cc9d8bee4f8e17ec5

SHA1
b2e19a89b43d537bb5b02ee9ca2418f027259c1e

SHA256
4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

SHA512
60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b393e1aae554dd45961c38666996e0dd

SHA1
ecdbf730b4bdbb19b63824f20726ed621c224fb8

SHA256
3bf951123b475242f39407221b43207386af7a5fef5dc70f3eb262ce9ee7cdc4

SHA512
283c040139a98d82dedbbebd5bf9875bcb668c17eaf7b1ebe3c76ca17f3d5b06f7d9820ea17878c96560c305a4c006c076da4b76106aa72120f3d41cafd56380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4215344d7ee23b64d490858bd9bfec0b

SHA1
da01fcfb9a83a2c7e84fea20cc4be70a7ad3dc08

SHA256
52d1cc34f1c4eebe25d8dad44a5d42d4d9d677fe4b00203552e77eb1bbfd7a69

SHA512
b520c90c4709c3dac589f13f25801040458f88c4e96859654052e8e5a723083bfc4b52d297c1a1c42906eb7cf6a46b41b11bc8a6a22939661613275d3a272ee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26555f460505eff10343a8b781830edf

SHA1
a2ff1cb63557e775cf253dd0cc81716c55143f14

SHA256
2e45be2670671338c14bfbdb831b5c84eda9bbea604cd36202afc4f74e12c26a

SHA512
a4b7a2973ca7377f5a62f0d4e527f78316c00890c7f0313f75c273b3d72cdf7c31b7e684bddab4c8abfc45fdddd8197434505d57801b1c5fd8121c00d8cf9ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5f6573f67ff9bdf38068fd63d0b84567

SHA1
45a6a2e8c693b274cebb2128f334c5e704d47913

SHA256
1131ec6d36744f77fac3dbbe000deba9048c71d6c6819c60e21a9845dd99a930

SHA512
66b8039a1a8a930402328fa63b8ef5ca66fbe9e8f3036ae358087e7f46f3ae5cebf289bb429ad9ab8932f8e38c9e6c3c2f2e23542d5a9fc9ec94f56dc879ff6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ee0b8820c7d05b6373323fb9fe86b03

SHA1
903a38b30017911439016430da005d50a0be6f1d

SHA256
6139a2bc3de6b9e99ada678d6b875e63b02aa64b9667d1281a021bdf7d923f25

SHA512
79c94bcad00ccbcf0961a86bff7a06d6bc75fd83f50836747be6ba9ca74efc1290da84d91646dade522755047d3ba7783738fcbc770480310e541989419d0e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6376da913ad5b712c80167b2b8c458f8

SHA1
f50b96c9784e0056895a1e66a41da92717cfd795

SHA256
602cb9a8b7442279e661078928daf9aff30332915af37ae956a79abe88656461

SHA512
720a8580f28d13e68f5441ef21253782a16c5a5c7cd5501c802ec4156561b6c7cb0a02cb683dab5d36c6ca36bee8e34efcf2b649c34a10a02d6085725bf8f689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
806b9471e5389ac2d835856f54aad2cc

SHA1
d5da8befbeb41164f9a96b874232bc03a27b05a7

SHA256
a15f73ea621a40742ac68fe775599252af13edfd6b3bac04b401aca4333c832e

SHA512
e46ad271df5ef4456b949c701f76215337e1db43379acc6e499a032a780ed218fd564444a7eeec1e0b70d9434b1de02e965ac4dcd5f31fdd8ff8672c9a3d680e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff14504757cbde29afd07695ad26106d

SHA1
129c7e3f519d6c42eada4840881aa0f2c59582ea

SHA256
a03cd94f0b8e5f849f6cbeac700697c1a79d4fafc96c74c81cc61cd9eaafd991

SHA512
d5d995f8adefba28ea6b45b6b411081ee77775b96f3d5f85bd7593e23d97399035d460557c205b2c7bdc790a2b53cffabbb445a51a97c5753ae35db15bb12d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24d33cadec56395ac17355a7c620d1b1

SHA1
8ac77c7069d1cf7a6a708b05c6d38e12a3a7728f

SHA256
16cc68e48fb375356e2c2dc47aae97651c1af45743d878beaa1e7bfd6351c479

SHA512
543ebb2bae8ca008f80ef807f97b33bb06f6e09b1d7a60f64957fd0fabe8eb22cf14959e602a25c3ebac538fc6659a1c54439553b09509bfed7dfae3545661fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ebd89bd13a9fb712b979f76d898b8593

SHA1
da925f33cf19e78e42801a1fe0019c11fba38cd6

SHA256
d38758c902aa5751a1fa327f6ebf48c3654e3a4988cf6c2312a88c6576768852

SHA512
1a259314634d9496d2d276f03d6af253cef3e27618f1dc79c2a65061cf0da5bfd3d849173f20c66d648bc34c99d9ecb6e97e9747fb135ebe145959582e6ed8e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2451ac0fad744ee7d3fcb4fce2660fa

SHA1
27b92bf7f94d83f88f8a8a9764bc34bb5e0006d3

SHA256
ff30632cfb38dcc1dcbe78d56d88eae1767b92d765b8d87e912e282e9b80409c

SHA512
1fcef218c41e5475e6e8c74a9f33856d183e5892c20c45133f0e41214df4d5d9f14657e7338e544600f8846b1a15a7e8511157671df083e434a3bbd8ff98ef21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64f2c690d4f1db4da8949302163c36b7

SHA1
dde218386a580cd19de2075ad4a9fd0f8d0eb097

SHA256
c5105b7eeb36ae4b7138a112c5e33cee6ab150a99f8753fcc63d1e727919625a

SHA512
6cdb4c19e6f5a1eefb20a3558d14fc9f9de4f06e062909192548bf0ec2e72a428f6e776e593c85722f0a618a1b1be5465df484017fa757db20789eac1fde490a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
35eb70a060e986c68bb7369a87fc830c

SHA1
760f9e9d808d4789fd3ba322dc82b5feb78edf78

SHA256
58d5b25cb9c4825502729ef45ee88c2423ff22c7443e3ae0d8ad71a60f56d966

SHA512
1ea117d68814a2c2bfc76ad9f6c5b8814b11e6a4cacce657ba2f821cb1295c9b6033fa99eed5c786c34df5bf3f7c8358ce385595683dba2e58c95aa359d6e2a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b7d5ef7edfd9175371e51ac6f9dcb955

SHA1
e9b44184860495453dedbd3ebec1f44f09b932a9

SHA256
2b44bba8102d3d16e2a4af7f052f6f7474d6fe8a38ac996e5865afb902bff64a

SHA512
2e0dc5bc1b1cc8ec171059d569d8e79919b681e9a6edfa9de09d03a9daf8b8f7aada7a2e23d5fae58e14f52c861d244cfd0efb016cada01e99e2937fd8aa233f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ed1587626b8aa67b8e7ca5eab13e83a

SHA1
414eabcdee9ef68b12844eb119000c64598632f9

SHA256
328c033acac8dfcd97028fcc0a35d0fd8cbf5987052db0322443298414aa5f3c

SHA512
913afc61485799d58cc6acfe628863c5601ae647ba94e19dff5b8130c8e416eb941d760169e81407226e3aabf320fbe2a4fced5b92b3be0316246625a7546e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a4b94c7665bb831f6facf5ea2425f855

SHA1
2f94bfcc0868e8e0df37b37733812f4d8cbf0caf

SHA256
1f079ab34a44f73b1ede084ec34fcbf8ea5b7b5558812d0e77e7b9534b53f928

SHA512
39a23870a345d88f2dcb3c50cd571d726a40e3062fbf1affd6d2a5e2edd5a1700b1a036b3aef3184f143d34670d58907e4f92c5a678c91802e1b000266d8801e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52810a935dbb2681803c2f3d921b1c5b

SHA1
96a7bc59f5fc127f5dcab7b2b75d7143be103b15

SHA256
b980f162bfd47f65aa2d9aa4547bb63167d9c607f38c15e934cba7a952d95015

SHA512
3f24a7512eb6674ba04f27cedb49141f63b6c2eb82c4e06d0d86658abb556d02e77e1b4eadc1eb30de642c248359d7656e9275ce48499ca73634497f49183e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6313c9b54959d8bab2dc1e97b7f58d2

SHA1
2896b998c7d036393c36d905206dc84147e9fd78

SHA256
78a5997c5797e6bc9a53cacc899c493aca5b5e13e6ca64e2d0b735729cdf7c83

SHA512
2fca110e700d9e8e3a146cc2c47a13dd50b806496ce9b7d8c97ebdfe1da1d664992f7ba019ae1b75a1bc13f243a18ea6308200e22e611cfad3ef6f13004324c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
265dfaea3cebf134b2080f813c17b2c9

SHA1
7a56042c3a151815bc923dac2146b48e08eb6b45

SHA256
18eef7681b252b93e666e6857af0f2868781127d6fc783806b9ff806e1398cb4

SHA512
d6c91856ae43248e75ddc468d45f0059c0172dfe8dad61a59b96f2a4ec658a3555edb0797dbe9da58408e7b382e0290b9f3ef1b99db0d298a56d02f830534738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e57094ec391ca1cd5706d6631a9fdbdb

SHA1
d3ed78ec0380031184a26860d7a9afbf5b5896bd

SHA256
8d45965daa84d77bae1e833bded8c8717ee19b1950c2d95fe8b3eabbe8b84830

SHA512
8ecd830c99acdb3e42204f80f6564e53c4b62f8439850fdf8f1e54f9b58c0601651f5112349799f56be14b7fe24023511909834aee7511d4e5eb29da248e8cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af2ec86340ebbdfd3d752f67a3158e2a

SHA1
b4cc27f1b9a8a82d099a02cc81811763a1c7467c

SHA256
2c191414408073946ede60a93ec4b24b2c7134c18ff30ef5e6df61119c5d3c6c

SHA512
c9e99af2764e411a1f151ab8abe49762c8a3d3a000c869bd7934b2fe53b23163cb6557b58ac0fbf63e32f64c534d9d6c6a2de5dfa8fb95639607bd4c9bba7a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3fcfeeb2ac097bfab76d2d55ca433d6c

SHA1
fb2ddd3f61f84a6ec170141761459e66db856111

SHA256
d12d2443bfc2f725ea269cbb2c7ef0c7d8c08637314ac3e57cbad58478a37427

SHA512
a6c6cbca1f2c708e9aa6312a36b007b8873669c9c40dd217e295f9cffde3bc89c7553729d3df8496bf7dc52c36912559de7fc1f5a149a2bc213e0db07629047f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54dce1126b9a841046dd35e5aa280db1

SHA1
582de3da4a48e688d4da7d2a03fd95a715a2fe35

SHA256
259bb3209e5259541f2a87db51e1443bc2276090799b2c42bac3c06851730e65

SHA512
231a35eed3331777dafb4cde356d783f70a0af1971ebd12824c5ac9a3bcd585ae4cdce8faea15793ad9855035466b30f45077bf784be550cf6ffc9baeda5e36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9cb67497f34f881edf6f3d9f43778ecc

SHA1
0d823bd690cb87af94521fe8e5060578f5266fad

SHA256
09a3198a068155474600e79c04cde4ff3be5e1ac9a23d7efb2fc3d794154d795

SHA512
be1e256537e279d0eedf0b84b2ed8dc54764c6ce6d0346b3efd5132555d31604f991ffe69a6f6e22cfc9f7b7c036309e5954f2c28f0aadf517b46c716d043b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1131cd513767d0fcb4b35666d8d9ae9

SHA1
c1ba430218d3cd81a5baf043b1caf9ef282e4e0e

SHA256
d830812571bab857bb62d69140f64c14accc0251a1230184fbb455018c0a1ee6

SHA512
29f1b6da3500c991eeff46b827dfc5a7ba85849ef5c0562ebe40f3f99ec6b4e5eb74e12a6b16b883601f7372ca9756923fa0dd3c0362ae3321a7a2d092008484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be0fdf0ab1467648f332520a0109aee8

SHA1
3e787f28b145e32952d516a8071d89733c2aade5

SHA256
bf3ab605df441e4a0dd43b0c16557e66b78aa0bcefd295373064d9cd75a79c55

SHA512
9fcd773dfc9f957422d5b85d2bc70770cc02f132a8cf0c4080bcf5e2954aa6a5998294fc3e3cafab0f4b4878b5833c75918140eda5fcdbf31f20e4aa5d6e2395

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f7c09c72ba5740197b14d6b3e536a5d

SHA1
10e0cb277ab2d946e58fdecc831adb5dcbc144dc

SHA256
ea593d0711e98aade96282090be0c35adf5eb8ce7df3a024437b267754e5cce2

SHA512
1160f3c8aaf774b4902888c30f55079a4aac0b64e59243456ccd53459019bc5047cdac3750bbf90651da42efa4e061e74e8ab6b168f3af9304cd0169905172d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a68b9e4f7df2d35b5c289becf3940c05

SHA1
afbbbb4d641c10664235237ec0a31dbb1d35c31a

SHA256
d6a54a441714f30936f8a07a28aa4d367114f36b81b83de099e2f7b1e2943c71

SHA512
3f91b2653c61dc07a220ae3acd2f96824a637de7edb4076fd25276dbd51aef3ddf1d0632dffd62b956ca7ae14851e4bd2086d45842f25a9e31f6e9b880ec8190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7ee5a0a194a245150ecdfc6b95e8f80c

SHA1
92a9a84f79144352e4e4eda3981ce3ba05e6b10d

SHA256
f9a29e7cdf9b62727a17bffb3f0b74e16d245904438cd89884d1949da0ad7776

SHA512
87ff18e63e1438bee8a180009fbb273d7520df49ab7c171b75890ba7ae7167cab163eafb313c046eed2ec99c7b492cb0cfc3c898ee4755ca51b8684daae68971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6bfbb479ac98bb846a78d2e6a363863b

SHA1
0f643c37abb002b925777cd91862ac54bdda7105

SHA256
c61781a558905efd182564c510518fdec307a7e6f800f1b77cbbc1f42dba6cf5

SHA512
99d82fd99ed06cdb74e8f6cc4ac19072b14a52d0ca70418b66a27ba5a16fd56a31aae4969446ac56f166b78712e2e953829448806112cbcedce9263fbd045836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de7372c648ce1f968aedfc7d029d7463

SHA1
ed8e8be83201c6982d8559f24f9ef331e8dda05c

SHA256
7d5fee243647138329ef0a0c484cf7bdc4f50d22078bc79c0c9d9028855a4678

SHA512
3866e4b38981d12def0ace76e1b05dfb828180ec1a93e49c32431fa5940ed6ef2c9f711ad83f254988b73a78bf445a7c8272343c6e65f7a1967c79b9076a2e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
34c2d5a7985b7111b33c354489791420

SHA1
72b1a17123779df6f6cf701ee3497a4a19ad1907

SHA256
64b0a1116dadc93bbb67856465de393adfdf8651b9e5588d8731bba473996177

SHA512
f3754dcc90465bd35ff93b0a26e00899bb10c582f4d3c817f9de540c9ebb1342d4336598affa8c412e4cecd414994fbd659079c8eb4d80d19d039793e948b614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3199796aede20c6dc2599308aa1d87b

SHA1
5c28b9707f0984af51e53c26dd1be82012799fbd

SHA256
40ece7e2dab14c941474b7a343f1cf068ccfab359afceba923cd6261c4e3469d

SHA512
f45560689334e341bdc31505895596691d707387f5814e35667c37aee419cd223c5cf1341f110133bb57bfb5e1e15ac903e0bffa0279ab0095ee6b4f4b8846cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d540a3e817110f4568dbec2419265a2

SHA1
d508d11c46072e34ce6c4310bcf2bfa55b46459f

SHA256
f05e746775a89ee0c0c91eaca3a9c5ada1ce612a7363db91b0e030c8b9dc8ed4

SHA512
52150a3ba2810562cf0baf09868f456f4a9ebea2364af1ff778ee0d0a392cde1df294f5e90a28c67d1a94506d0622c701120fce5d1c9646e64a466acb09eaa29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ca3b5fcad0fc701039f928ab6e02423

SHA1
be6eb769d64b4b361be4a02071fd215cb764f86d

SHA256
727b3b0cd9dc26d25c652d5458f0b1eabbc34499716f8a5586b32580618096ff

SHA512
aacb5dd4e58050f8f8b6ee18984fac2e776e55beb8f97549ae84e98cc45123a1369096eee5a10a666ccd9a89635fe3850854928c13e4fa88449ca873979f33a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e8cbca79376cb4cd574beae8910d1022

SHA1
055a1489944aee83befb6e759d1e0ee91a5a8328

SHA256
c94efa6e725e511fe3be0c7fad11b673bb78c5e25a25e6a77115a2915b39e637

SHA512
f6301dd291514dbf396237d951ce768e94b00c953058d9fcd901d3ec7381db7be98ab2a77826ec229cff14e563daa0529768e1d49228048e7239cf88b8e66d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b7496e4c3877e49f08770d947b08e62

SHA1
1141e013d763705f3dd9a6ad1a4e48a130b4bc0f

SHA256
1658dfccb8cf20e6e4cf10d28cc79ef6d20b954d0aafeaa1dd0d06f2a5e2ef4f

SHA512
bae4a97654de3b537f469969570f41a7f2586cd7a2b360390d03874bb5bf6b32f168d10e7e00479af1213bb1c131bb6b2728334820a114a8eec49d63a60047dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07c1bce2ffeb22aebfefee8b56d1e56c

SHA1
c33717181f9c413c382a4720b406378ad7b925c2

SHA256
9086b525d37aa1047bd7ce9bf2d864cacda967f9fdc4094618727790639875c1

SHA512
bc9f2a737d06429c3771bc51489b00f5b1027f4a2d61eadd999546751c9f4bd40c3354eba95de2c79c91c3f7071daa891a5978d52fa493ed45e5e3267ef7cb0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e5d2032f886417080675d80b62232cd

SHA1
5d05ac5e58314c89edc89fd172b02e03a5145840

SHA256
940e3e8ff1859876915e9d8aa409964b043c13cc1d885e444eef9bda15338237

SHA512
29a526095d674baf7d3da81a60ebc81bcef0b65ee35812ad815ec0752320cb0c2cbdc6d511c8eff08d9465fd6ccd233e2424251a3bafc63879c77803de217b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db5616408f44c9e876be42a0be36897e

SHA1
54e7366cdf6d1c3e50d170c144b97ca9661cab6c

SHA256
78f18d6b128931f3ff6a7385b94e57d72e8c5537b0c83f4bd6ee8ea44177b44d

SHA512
bd0d16c946207b0a2a49fee98a0f28c4565b8fef80aabe976c30918fd3ad39016c70929e25f14f156b72ea57365a30acb927277105f357b098677cc7d91d84fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b6b85138ed1f7688b2c02d36ad0c003

SHA1
4513bee1da0b1613ef5c800fbcff157a8ad90753

SHA256
cd464d32fd1dd30bb0c52b598200e97ae893bbfd5d04951a4fe0540bc6ef6cbe

SHA512
f2501f4d2565e1aa40198950a1f5e4d0ce9c10c9df36b7c2f5c825a84ab3a1551c3351310e4478fd329ebd0c2acfc2ad03871f3393e9a443a20c1ae55b6b022c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b97a7f07ebb9bf40de30eca6998855c0

SHA1
d7544538b9157f0f8e171d1c0e4c09c5578b0594

SHA256
52410f01a35324219078cc326a004f7ca7aee89dbc0e91e841f24cc5aaabe1f0

SHA512
564e299d417918f809544975d2d8c00d6d674f297673c695bf9d7606453cd224643e31e411f9662c47f4274a2ee6b868fd43ceaede2bb7e1eb5aa33bb65e5f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3d993c574ed40fcc8961aa9b489f8ef

SHA1
0638f3002bd5c96dd71dd201ce442970d44a6e4d

SHA256
1b08bb918cb9edc7c027c8dccac83826999fccf3c7217058d0588aacc597bbac

SHA512
ac89fffbf31a2831ab97e49dd6479c17f6382a05737a3a6a22f47ee044cab786c787bcf367a2b1973d56e73ce3b8857fbe82a483823ccbffb40909023cf14a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d32f982c6d03141bda419e658ab1fe3

SHA1
3742cab7fcdcbf177f0fa055e52fccaf970198c0

SHA256
f63e3a84860b6a384608a37148d2bb693247c30c5ef7f5d73ea6234ddad6bc64

SHA512
69d5d9d7db10371e45678933d9a1dcd300ac6ccf9173213d517490f71d48eea059515f3608ca6a04d355af5fc91573e448d3418e848ebc8b300ab78e81cd9938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7eb64c5485544cdda7652b2700a68f4b

SHA1
166f9820d11db6a3bf23a747dd98714af79f558a

SHA256
db0bbffbd22a326edc5d1e40cc924e5e86067f390273e2d91151561237284c9d

SHA512
f7c88e2c6df3aaaa0f77e68c6ff781a43a05aa4de50c1475302fd9b264c343398662996840c1a062812cc3f35a81d7c36f2a2a64859ea1c5dedcc71b1d787c28

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
68042dedb88636cc7cbe0e302d2e703c

SHA1
af42e7261bd93bbf6c18a7b0470957bd7a787fb2

SHA256
7dee7f45b89aad54625716672751c9839c73dd2ee6344bd3ff2050567c508469

SHA512
7cacc44b173c1d1e4d3eb4fddc6ec0f86202bc946f2e72cbc56e68522eb6e19302ad41581bfa79807a7203f19c25f6aca87f376637085a1b67eb09c5f73e4edc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\T68J5XC3\microsoft.windows[1].xml

Filesize
97B

MD5
4de1d8362fe9bbeb267e5b3f08dffdfb

SHA1
11334d3d31a77fa238dfa8bffb5e73ad84ab0d1f

SHA256
6f988fa517fd4a8441b88b9f70e87fd42701b1439e492c4ee495815d03f36120

SHA512
f0299558ddf4dffedb0fc474502877361905cbdaf2f0bbc3992757088cf383881bd82d54947dd829091ff550790e6115bb71b03e1dbd2480ecf87cd0cd7aeddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xviqnd2m.11a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/640-23-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/640-29-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/640-30-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/640-32-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/664-1865-0x00000178C29B0000-0x00000178C29D0000-memory.dmp

Filesize
128KB

Download
memory/664-1863-0x00000178C2990000-0x00000178C29B0000-memory.dmp

Filesize
128KB

Download
memory/664-1833-0x00000170C0D00000-0x00000170C0E00000-memory.dmp

Filesize
1024KB

Download
memory/664-1832-0x00000170C0D00000-0x00000170C0E00000-memory.dmp

Filesize
1024KB

Download
memory/664-1879-0x00000178D66B0000-0x00000178D67B0000-memory.dmp

Filesize
1024KB

Download
memory/664-1864-0x00000178C29D0000-0x00000178C29F0000-memory.dmp

Filesize
128KB

Download
memory/1100-197-0x00000285C5560000-0x00000285C5606000-memory.dmp

Filesize
664KB

Download
memory/1100-196-0x00000285AB3E0000-0x00000285AB40C000-memory.dmp

Filesize
176KB

Download
memory/1100-195-0x00000285AAE70000-0x00000285AB060000-memory.dmp

Filesize
1.9MB

Download
memory/1100-198-0x00000285AB420000-0x00000285AB43A000-memory.dmp

Filesize
104KB

Download
memory/1100-199-0x00000285C66D0000-0x00000285C678A000-memory.dmp

Filesize
744KB

Download
memory/1344-221-0x0000021C7FE50000-0x0000021C7FE76000-memory.dmp

Filesize
152KB

Download
memory/1344-219-0x0000021C7FC70000-0x0000021C7FC86000-memory.dmp

Filesize
88KB

Download
memory/1344-220-0x0000021C7FC50000-0x0000021C7FC5A000-memory.dmp

Filesize
40KB

Download
memory/2036-1952-0x000002AA3E500000-0x000002AA3E600000-memory.dmp

Filesize
1024KB

Download
memory/2036-1965-0x000002AA3FA70000-0x000002AA3FA90000-memory.dmp

Filesize
128KB

Download
memory/2036-1985-0x000002AA3FA90000-0x000002AA3FAB0000-memory.dmp

Filesize
128KB

Download
memory/2036-1984-0x000002AA3FAB0000-0x000002AA3FAD0000-memory.dmp

Filesize
128KB

Download
memory/2036-1999-0x000002AA53000000-0x000002AA53100000-memory.dmp

Filesize
1024KB

Download
memory/2360-487-0x0000025BEEF60000-0x0000025BEEF80000-memory.dmp

Filesize
128KB

Download
memory/2360-453-0x00000253EC500000-0x00000253EC600000-memory.dmp

Filesize
1024KB

Download
memory/2360-501-0x0000025C02340000-0x0000025C02440000-memory.dmp

Filesize
1024KB

Download
memory/2360-486-0x0000025BEEF80000-0x0000025BEEFA0000-memory.dmp

Filesize
128KB

Download
memory/2360-470-0x0000025BEEF40000-0x0000025BEEF60000-memory.dmp

Filesize
128KB

Download
memory/2480-366-0x000002479B9A0000-0x000002479B9C0000-memory.dmp

Filesize
128KB

Download
memory/2480-398-0x00000247AF8B0000-0x00000247AF9B0000-memory.dmp

Filesize
1024KB

Download
memory/2480-384-0x000002479B9C0000-0x000002479B9E0000-memory.dmp

Filesize
128KB

Download
memory/2480-381-0x000002479B9E0000-0x000002479BA00000-memory.dmp

Filesize
128KB

Download
memory/2480-350-0x000002479B000000-0x000002479B100000-memory.dmp

Filesize
1024KB

Download
memory/2540-10-0x00000210B6CE0000-0x00000210B6D02000-memory.dmp

Filesize
136KB

Download
memory/2540-0-0x00007FFE24F53000-0x00007FFE24F55000-memory.dmp

Filesize
8KB

Download
memory/2540-16-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/2540-15-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/2540-12-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/2540-11-0x00007FFE24F50000-0x00007FFE25A12000-memory.dmp

Filesize
10.8MB

Download
memory/2604-272-0x000001975B800000-0x000001975B900000-memory.dmp

Filesize
1024KB

Download
memory/2604-226-0x0000019746E20000-0x0000019746F20000-memory.dmp

Filesize
1024KB

Download
memory/2604-225-0x0000019746E20000-0x0000019746F20000-memory.dmp

Filesize
1024KB

Download
memory/2604-233-0x00000197480F0000-0x0000019748110000-memory.dmp

Filesize
128KB

Download
memory/2604-249-0x0000019748110000-0x0000019748130000-memory.dmp

Filesize
128KB

Download
memory/2604-245-0x00000197487C0000-0x00000197487E0000-memory.dmp

Filesize
128KB

Download
memory/3628-45-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-41-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-39-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-40-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-35-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-34-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-33-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-42-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-44-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3628-43-0x0000022EA9D40000-0x0000022EA9D41000-memory.dmp

Filesize
4KB

Download
memory/3748-940-0x000001BABA340000-0x000001BABA440000-memory.dmp

Filesize
1024KB

Download
memory/3748-1120-0x000001BACDB00000-0x000001BACDC00000-memory.dmp

Filesize
1024KB

Download
memory/3748-987-0x000001BACDE50000-0x000001BACDF50000-memory.dmp

Filesize
1024KB

Download
memory/3748-972-0x000001BABBF20000-0x000001BABBF40000-memory.dmp

Filesize
128KB

Download
memory/3748-973-0x000001BABBC70000-0x000001BABBC90000-memory.dmp

Filesize
128KB

Download
memory/3748-952-0x000001BABBC50000-0x000001BABBC70000-memory.dmp

Filesize
128KB

Download
memory/3748-939-0x000001BABA340000-0x000001BABA440000-memory.dmp

Filesize
1024KB

Download
memory/3776-2096-0x000001CF82DF0000-0x000001CF82DF1000-memory.dmp

Filesize
4KB

Download
memory/3776-2092-0x000001CF82DF0000-0x000001CF82DF1000-memory.dmp

Filesize
4KB

Download
memory/3776-2093-0x000001CF82DF0000-0x000001CF82DF1000-memory.dmp

Filesize
4KB

Download
memory/3776-2094-0x000001CF82DF0000-0x000001CF82DF1000-memory.dmp

Filesize
4KB

Download
memory/3992-178-0x0000028FF00A0000-0x0000028FF00CA000-memory.dmp

Filesize
168KB

Download
memory/3992-179-0x0000028FF00A0000-0x0000028FF00C4000-memory.dmp

Filesize
144KB

Download
memory/4928-1763-0x0000021F86F20000-0x0000021F86F40000-memory.dmp

Filesize
128KB

Download
memory/4928-1730-0x0000021F84820000-0x0000021F84920000-memory.dmp

Filesize
1024KB

Download
memory/4928-1745-0x0000021F86F00000-0x0000021F86F20000-memory.dmp

Filesize
128KB

Download
memory/4928-1777-0x0000021F9A320000-0x0000021F9A420000-memory.dmp

Filesize
1024KB

Download
memory/4928-1762-0x0000021F86F40000-0x0000021F86F60000-memory.dmp

Filesize
128KB

Download