Техническая информация
Вредоносные функции
Для затруднения выявления своего присутствия в системе
блокирует отображение:
- расширений файлов
блокирует запуск следующих системных утилит:
- Обновления системы (Windows Update)
Запускает на исполнение
- '<SYSTEM32>\taskkill.exe' /f /im OneDrive.exe
- '<SYSTEM32>\net.exe' stop wuauserv
- '<SYSTEM32>\net.exe' stop UsoSvc
- '<SYSTEM32>\net.exe' stop BITS
- '<SYSTEM32>\taskkill.exe' /IM Windows10UpgraderApp.exe /F
Изменения в файловой системе
Создает следующие файлы
- %TEMP%\ixp000.tmp\preparetmw10.bat
- nul
Удаляет следующие файлы
- <SYSTEM32>\tasks\microsoft\windows\application experience\programdataupdater
- <SYSTEM32>\tasks\microsoft\windows\registry\regidlebackup
- <SYSTEM32>\tasks\microsoft\windows\power efficiency diagnostics\analyzesystem
- <SYSTEM32>\tasks\microsoft\windows\offline files\logon synchronization
- <SYSTEM32>\tasks\microsoft\windows\offline files\background synchronization
- <SYSTEM32>\tasks\microsoft\windows\maintenance\winsat
- <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticresolver
- <SYSTEM32>\tasks\microsoft\windows\defrag\scheduleddefrag
- <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (manual)
- <SYSTEM32>\tasks\microsoft\windows\active directory rights management services client\ad rms rights policy template management (automated)
- <SYSTEM32>\tasks\microsoft\windows\windows error reporting\queuereporting
- <SYSTEM32>\tasks\microsoft\windows\mui\lpremove
- <SYSTEM32>\tasks\microsoft\windows\diskdiagnostic\microsoft-windows-diskdiagnosticdatacollector
- <SYSTEM32>\tasks\microsoft\windows\diagnosis\scheduled
- <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\usbceip
- <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\kernelceiptask
- <SYSTEM32>\tasks\microsoft\windows\customer experience improvement program\consolidator
- <SYSTEM32>\tasks\microsoft\windows\autochk\proxy
- <SYSTEM32>\tasks\microsoft\windows\windowsbackup\confignotification
- <SYSTEM32>\tasks\microsoft\windows\remoteassistance\remoteassistancetask
Изменяет файл HOSTS.
Другое
Ищет следующие окна
- ClassName: '' WindowName: ''
Запускает на исполнение
- '<SYSTEM32>\cmd.exe' /c "PrepareTMW10.bat"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Workplace Join\Automatic-Device-Join"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\WS\WSTask"
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\Defrag\ScheduledDefrag" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\WindowsBackup\ConfigNotification" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\OneDrive Standalone Update Task" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\WindowsUpdate\sih" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\Maintenance\WinSAT" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\RemoteAssistance\RemoteAssistanceTask" /F
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\GoogleUpdateTaskMachineCore"
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\WindowsUpdate\sihboot" /F
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\GoogleUpdateTaskMachineUA"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\OneDrive Standalone Update Task-S-1-5-21-322340779-1187256292-1816597496-1001"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Retry Scan"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display"
- '<SYSTEM32>\net1.exe' stop wuauserv
- '<SYSTEM32>\net1.exe' stop UsoSvc
- '<SYSTEM32>\net1.exe' stop BITS
- '<SYSTEM32>\sc.exe' config "BITS" start= disabled
- '<SYSTEM32>\sc.exe' config "wuauserv" start= disabled
- '<SYSTEM32>\sc.exe' config "UsoSvc" start=disabled
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\WindowsUpdate\sih" /F
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification"
- '<SYSTEM32>\schtasks.exe' /Delete /TN "\Microsoft\Windows\Plug and Play\Device Install Reboot Required" /F
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Manual)"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\ApplicationData\CleanupTemporaryState"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\ApplicationData\DsSvcCleanup"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Chkdsk\ProactiveScan"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Data Integrity Scan\Data Integrity Scan for Crash Recovery"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Data Integrity Scan\Data Integrity Scan"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\LanguageComponentsInstaller\Installation"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Maintenance\WinSAT"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\MemoryDiagnostic\ProcessMemoryDiagnosticEvents"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\MemoryDiagnostic\RunFullMemoryDiagnostic"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Offline Files\Background Synchronization"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Offline Files\Logon Synchronization"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Registry\RegIdleBackup"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Setup\SetupCleanupTask"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Shell\IndexerAutomaticMaintenance"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup"
- '<SYSTEM32>\sc.exe' config TrkWks start=disabled
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\Schedule Scan" /F
- '<SYSTEM32>\find.exe' /C /I "v4.windowsupdate.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "www.v4.######supdate.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "windowsupdate.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "www.wi####supdate.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "download.windowsupdate.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "v4.windowsupdate.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "www.v4.####owsupdate.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "windowsupdate.microsoft.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "v4windowsupdate.microsoft.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "wustat.windows.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "wns.windows.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /F
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler\Maintenance" /v "WakeUp" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowTaskViewButton" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "HideRecentlyAddedApps" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
- '<SYSTEM32>\find.exe' /C /I "www.wi#######date.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Active Directory Rights Management Services Client\AD RMS Rights Policy Template Management (Automated)"
- '<SYSTEM32>\find.exe' /C /I "windowsupdate.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\sc.exe' config SysMain start=disabled
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\USO_Broker_Display" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\Maintenance Install" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\Policy Install" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /F
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\UpdateOrchestrator\Resume On Boot" /F
- '<SYSTEM32>\sc.exe' config CoreMessagingRegistrar start=disabled
- '<SYSTEM32>\sc.exe' config DoSvc start=disabled
- '<SYSTEM32>\sc.exe' config DPS start=disabled
- '<SYSTEM32>\schtasks.exe' /Delete /TN "Microsoft\Windows\WindowsUpdate\Scheduled Start" /F
- '<SYSTEM32>\sc.exe' config IpOverUsbSvc start=disabled
- '<SYSTEM32>\sc.exe' config WinDefend start=disabled
- '<SYSTEM32>\sc.exe' config wuauserv start=disabled
- '<SYSTEM32>\sc.exe' config BITS start=disabled
- '<SYSTEM32>\sc.exe' config cisvc start= disabled
- '<SYSTEM32>\sc.exe' config defragsvc start= disabled
- '<SYSTEM32>\sc.exe' config WCNCSVC start=disabled
- '<SYSTEM32>\sc.exe' config PcaSvc start=disabled
- '<SYSTEM32>\sc.exe' config AeLookupSvc start=disabled
- '<SYSTEM32>\sc.exe' config EvtEng start=disabled
- '<SYSTEM32>\sc.exe' config ZeroConfigService start=disabled
- '<SYSTEM32>\sc.exe' config SQLWriter start=disabled
- '<SYSTEM32>\sc.exe' config WinHttpAutoProxySvc start=disabled
- '<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\find.exe' /C /I "feedback.search.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "corpext.msitadfs.glbdns2.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 8
- '<SYSTEM32>\reg.exe' DELETE "HKEY_CLASSES_ROOT\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}" /f
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Office\Office 15 Subscription Heartbeat"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64 Critical"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 64"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\AppxDeploymentClient\Pre-staged app cleanup"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Servicing\StartComponentCleanup"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Autochk\Proxy"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Diagnosis\Scheduled"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\MUI\LPRemove"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Plug and Play\Plug and Play Cleanup"
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 5
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
- '<SYSTEM32>\reg.exe' ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
- '<SYSTEM32>\schtasks.exe' /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /DISABLE
- '<SYSTEM32>\openfiles.exe'
- '<SYSTEM32>\takeown.exe' /F <SYSTEM32>\Tasks\Microsoft\Windows\ /A /R
- '<SYSTEM32>\takeown.exe' /F <SYSTEM32>\usoclient.exe /A /R
- '<SYSTEM32>\icacls.exe' <SYSTEM32>\Tasks\Microsoft\Windows\ /grant Administrators:F /T
- '<SYSTEM32>\sc.exe' config diagtrack start=disabled
- '<SYSTEM32>\sc.exe' config dmwappushservice start=disabled
- '<SYSTEM32>\sc.exe' config RetailDemo start=disabled
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
- '<SYSTEM32>\reg.exe' add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 0 /f
- '<SYSTEM32>\schtasks.exe' /change /TN "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /DISABLE
- '<SYSTEM32>\schtasks.exe' /change /TN "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /DISABLE
- '<SYSTEM32>\schtasks.exe' /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /DISABLE
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{f86fa3ab-70d2-4fc7-9c99-fcbf05467f3a}" /f
- '<SYSTEM32>\schtasks.exe' /change /TN "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /DISABLE
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{088e3905-0323-4b02-9826-5d99428e115f}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{374DE290-123F-4565-9164-39C4925E467B}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{3dfdf296-dbec-4fb4-81d1-6a3438bcf4de}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A0953C92-50DC-43bf-BE83-3742FED03C9C}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}" /f
- '<SYSTEM32>\reg.exe' DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{d3162b92-9365-467a-956b-92703aca08af}" /f
- '<SYSTEM32>\reg.exe' ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "LaunchTo" /t REG_DWORD /d "1" /f
- '<SYSTEM32>\find.exe' /C /I "vortex-win.data.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "feedback.windows.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\Policy Install"
- '<SYSTEM32>\find.exe' /C /I "sqm.df.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "watson.ppe.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "telemetry.appex.bing.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "telemetry.urs.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "telemetry.appex.bing.net:443" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "settings-sandbox.data.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "vortex-sandbox.data.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "watson.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "survey.watson.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "watson.live.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "statsfe2.ws.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "compatexchange.cloudapp.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval"
- '<SYSTEM32>\find.exe' /C /I "cs1.wpc.v0cdn.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "a-0001.a-msedge.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "fe2.update.microsoft.com.akadns.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "statsfe2.update.microsoft.com.akadns.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "sls.update.microsoft.com.akadns.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "diagnostics.support.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "corp.sts.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "statsfe1.ws.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "pre.footprintpredict.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "i1.services.social.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "i1.services.social.microsoft.com.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "services.wes.df.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "feedback.microsoft-hohm.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "reports.wes.df.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "vortex.data.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\Reboot"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\Resume On Boot"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\WindowsUpdate\sih"
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\WindowsUpdate\sihboot"
- '<SYSTEM32>\find.exe' /C /I "telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\schtasks.exe' /delete /f /tn "\Microsoft\Windows\UpdateOrchestrator\Maintenance Install"
- '<SYSTEM32>\find.exe' /C /I "df.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "telecommand.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "telecommand.telemetry.microsoft.com.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "oca.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "oca.telemetry.microsoft.com.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "sqm.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "sqm.telemetry.microsoft.com.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "watson.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "watson.telemetry.microsoft.com.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "redir.metaservices.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "choice.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "choice.microsoft.com.nsatc.net" <DRIVERS>\etc\hosts
- '<SYSTEM32>\find.exe' /C /I "wes.df.telemetry.microsoft.com" <DRIVERS>\etc\hosts
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
