cdac10a5019b8510f0d24e6094d7ffb1696a54dc42091b5046dc829e1a3ab5f4

Analysis

max time kernel
120s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2024, 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BQC.v1.5.exe
Size

133KB
MD5

6ebe04643dab2c370aeaae66dc8f0bda
SHA1

9d4f1658934510bdc83469fbf16889855864eeef
SHA256

cdac10a5019b8510f0d24e6094d7ffb1696a54dc42091b5046dc829e1a3ab5f4
SHA512

e67ed9c21247fd564bea90e182e14c91adb9d0644528d918376b8a6bfbbde8c05e69cb7f9699e38f9a1166e8cb2172129aa3676e200c4c66a26b6f63ab75e51b
SSDEEP

3072:1MobR7ezAjLOZvmX19n5QrJk2PpjqNCzdA:ieR7eammXGrlr

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	reg.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	reg.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\lnkfile\NeverShowExt	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\NeverShowExt	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	BQC.v1.5.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1504	sc.exe
3888	sc.exe
4760	sc.exe
2876	sc.exe
3344	sc.exe
1596	sc.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b201ae15c8733f580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b201ae150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b201ae15000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db201ae15000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b201ae1500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2896	timeout.exe
3832	timeout.exe
5076	timeout.exe
4820	timeout.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\lnkfile\NeverShowExt	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\NeverShowExt	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.WEBSITE\NeverShowExt	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\NeverShowExt	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\lnkfile	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\IE.AssocFile.URL	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.WEBSITE	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SHCmdFile\NeverShowExt	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\IE.AssocFile.URL\NeverShowExt	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\NeverShowExt	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SHCmdFile	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\NeverShowExt	reg.exe

Runs regedit.exe 2 IoCs

pid	Process
2512	regedit.exe
3176	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3892	powershell.exe
3892	powershell.exe
1348	powershell.exe
1348	powershell.exe
1348	powershell.exe
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1616	powershell.exe
1616	powershell.exe
2360	reg.exe
2360	reg.exe
3984	powershell.exe
3984	powershell.exe
3392	WerFault.exe
3392	WerFault.exe
4276	Process not Found
4276	Process not Found
4368	schtasks.exe
4368	schtasks.exe
1068	WerFault.exe
1068	WerFault.exe
1904	reg.exe
1904	reg.exe
4332	reg.exe
4332	reg.exe
4056	reg.exe
4056	reg.exe
3572	powershell.exe
3572	powershell.exe
2360	reg.exe
2360	reg.exe
3096	reg.exe
3096	reg.exe
4596	powershell.exe
4596	powershell.exe
1964	Process not Found
1964	Process not Found
4664	powershell.exe
4664	powershell.exe
952	reg.exe
952	reg.exe
2528	reg.exe
2528	reg.exe
4444	explorer.exe
4444	explorer.exe
4468	powershell.exe
4468	powershell.exe
452	powershell.exe
452	powershell.exe
3668	powershell.exe
3668	powershell.exe
4932	powershell.exe
4932	powershell.exe
4868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: 36	2640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: 36	2640	WMIC.exe
Token: SeBackupPrivilege	540	vssvc.exe
Token: SeRestorePrivilege	540	vssvc.exe
Token: SeAuditPrivilege	540	vssvc.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeBackupPrivilege	3288	srtasks.exe
Token: SeRestorePrivilege	3288	srtasks.exe
Token: SeSecurityPrivilege	3288	srtasks.exe
Token: SeTakeOwnershipPrivilege	3288	srtasks.exe
Token: SeBackupPrivilege	3288	srtasks.exe
Token: SeRestorePrivilege	3288	srtasks.exe
Token: SeSecurityPrivilege	3288	srtasks.exe
Token: SeTakeOwnershipPrivilege	3288	srtasks.exe
Token: SeDebugPrivilege	4612	powershell.exe
Token: SeIncreaseQuotaPrivilege	4032	WMIC.exe
Token: SeSecurityPrivilege	4032	WMIC.exe
Token: SeTakeOwnershipPrivilege	4032	WMIC.exe
Token: SeLoadDriverPrivilege	4032	WMIC.exe
Token: SeSystemProfilePrivilege	4032	WMIC.exe
Token: SeSystemtimePrivilege	4032	WMIC.exe
Token: SeProfSingleProcessPrivilege	4032	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 116	2180	BQC.v1.5.exe	85
PID 2180 wrote to memory of 116	2180	BQC.v1.5.exe	85
PID 116 wrote to memory of 2264	116	cmd.exe	87
PID 116 wrote to memory of 2264	116	cmd.exe	87
PID 116 wrote to memory of 5088	116	cmd.exe	88
PID 116 wrote to memory of 5088	116	cmd.exe	88
PID 116 wrote to memory of 4404	116	cmd.exe	89
PID 116 wrote to memory of 4404	116	cmd.exe	89
PID 116 wrote to memory of 1180	116	cmd.exe	94
PID 116 wrote to memory of 1180	116	cmd.exe	94
PID 116 wrote to memory of 2876	116	cmd.exe	95
PID 116 wrote to memory of 2876	116	cmd.exe	95
PID 116 wrote to memory of 1072	116	cmd.exe	100
PID 116 wrote to memory of 1072	116	cmd.exe	100
PID 116 wrote to memory of 2840	116	cmd.exe	101
PID 116 wrote to memory of 2840	116	cmd.exe	101
PID 116 wrote to memory of 4716	116	cmd.exe	102
PID 116 wrote to memory of 4716	116	cmd.exe	102
PID 116 wrote to memory of 3892	116	cmd.exe	103
PID 116 wrote to memory of 3892	116	cmd.exe	103
PID 116 wrote to memory of 2640	116	cmd.exe	106
PID 116 wrote to memory of 2640	116	cmd.exe	106
PID 116 wrote to memory of 1348	116	cmd.exe	112
PID 116 wrote to memory of 1348	116	cmd.exe	112
PID 116 wrote to memory of 1180	116	cmd.exe	114
PID 116 wrote to memory of 1180	116	cmd.exe	114
PID 116 wrote to memory of 376	116	cmd.exe	117
PID 116 wrote to memory of 376	116	cmd.exe	117
PID 116 wrote to memory of 2512	116	cmd.exe	118
PID 116 wrote to memory of 2512	116	cmd.exe	118
PID 116 wrote to memory of 2896	116	cmd.exe	120
PID 116 wrote to memory of 2896	116	cmd.exe	120
PID 116 wrote to memory of 2980	116	cmd.exe	121
PID 116 wrote to memory of 2980	116	cmd.exe	121
PID 116 wrote to memory of 1836	116	cmd.exe	122
PID 116 wrote to memory of 1836	116	cmd.exe	122
PID 116 wrote to memory of 1708	116	cmd.exe	123
PID 116 wrote to memory of 1708	116	cmd.exe	123
PID 116 wrote to memory of 3176	116	cmd.exe	124
PID 116 wrote to memory of 3176	116	cmd.exe	124
PID 116 wrote to memory of 3272	116	cmd.exe	125
PID 116 wrote to memory of 3272	116	cmd.exe	125
PID 116 wrote to memory of 4612	116	cmd.exe	126
PID 116 wrote to memory of 4612	116	cmd.exe	126
PID 116 wrote to memory of 4032	116	cmd.exe	128
PID 116 wrote to memory of 4032	116	cmd.exe	128
PID 116 wrote to memory of 4080	116	cmd.exe	129
PID 116 wrote to memory of 4080	116	cmd.exe	129
PID 116 wrote to memory of 1572	116	cmd.exe	130
PID 116 wrote to memory of 1572	116	cmd.exe	130
PID 116 wrote to memory of 4832	116	cmd.exe	134
PID 116 wrote to memory of 4832	116	cmd.exe	134
PID 116 wrote to memory of 3176	116	cmd.exe	133
PID 116 wrote to memory of 3176	116	cmd.exe	133
PID 116 wrote to memory of 3832	116	cmd.exe	135
PID 116 wrote to memory of 3832	116	cmd.exe	135
PID 116 wrote to memory of 652	116	cmd.exe	136
PID 116 wrote to memory of 652	116	cmd.exe	136
PID 116 wrote to memory of 1440	116	cmd.exe	137
PID 116 wrote to memory of 1440	116	cmd.exe	137
PID 116 wrote to memory of 5076	116	cmd.exe	138
PID 116 wrote to memory of 5076	116	cmd.exe	138
PID 116 wrote to memory of 5004	116	cmd.exe	139
PID 116 wrote to memory of 5004	116	cmd.exe	139

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\BQC.v1.5.exe
"C:\Users\Admin\AppData\Local\Temp\BQC.v1.5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "BQC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\fsutil.exe
    fsutil dirty query C:
    3⤵
    PID:2264
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:5088
- - C:\Windows\system32\cscript.exe
    CSCRIPT //nologo "C:\Users\Admin\AppData\Local\Temp\~tmpSendKeysTemp.vbs"
    3⤵
    PID:4404
- - C:\Windows\system32\mode.com
    mode 300
    3⤵
    PID:1180
- - C:\Windows\system32\msg.exe
    msg Thanks for using my software @BhaggoYT on YouTube
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    3⤵
    PID:1072
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    3⤵
    PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "Bhaggo Restore Point", 100, 7
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Bhaggo Restore Point'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\System32\SystemPropertiesProtection.exe
    C:\Windows\System32\SystemPropertiesProtection.exe
    3⤵
    PID:376
- - C:\WINDOWS\regedit.exe
    C:\WINDOWS\regedit.exe
    3⤵
    - Runs regedit.exe
    PID:2512
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:2896
- - C:\Windows\system32\mode.com
    mode 300
    3⤵
    PID:2980
- - C:\Windows\system32\msg.exe
    msg Thanks for using my software @BhaggoYT on YouTube
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    3⤵
    PID:1708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    3⤵
    PID:3176
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    3⤵
    PID:3272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "Bhaggo Restore Point", 100, 7
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\', 'D:\', 'E:\', 'F:\', 'G:\'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Unrestricted -NoProfile Checkpoint-Computer -Description 'Bhaggo Restore Point'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1572
- - C:\WINDOWS\regedit.exe
    C:\WINDOWS\regedit.exe
    3⤵
    - Runs regedit.exe
    PID:3176
- - C:\Windows\System32\SystemPropertiesProtection.exe
    C:\Windows\System32\SystemPropertiesProtection.exe
    3⤵
    PID:4832
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:3832
- - C:\Windows\system32\mode.com
    mode 300
    3⤵
    PID:652
- - C:\Windows\system32\msg.exe
    msg Thanks for using my software @BhaggoYT on YouTube
    3⤵
    PID:1440
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:5076
- - C:\Windows\system32\mode.com
    mode 300
    3⤵
    PID:5004
- - C:\Windows\system32\msg.exe
    msg Thanks for using my software @BhaggoYT on YouTube
    3⤵
    PID:3572
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\NewsAndInterests\AllowNewsAndInterests" /v "value" /t REG_DWORD /d "0" /f
    3⤵
    PID:532
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Dsh" /v "AllowNewsAndInterests" /t REG_DWORD /d "0" /f
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1168
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\dmwappushservice" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\diagsvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DPS" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:636
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdiServiceHost" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2360
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\WdiSystemHost" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4032
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:2076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
    3⤵
    PID:2224
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4296
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
    3⤵
    PID:4800
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:1324
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
    3⤵
    PID:884
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
    3⤵
    PID:3924
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
    3⤵
    PID:4132
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
    3⤵
    PID:3496
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2444
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_DWORD /d "0" /f
    3⤵
    PID:4188
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v "AllowGameDVR" /t REG_DWORD /d "0" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
    3⤵
    PID:4920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:2032
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
    3⤵
    PID:1196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
    3⤵
    PID:2980
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2060
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:3092
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "Win32_AutoGameModeDefaultProfile" /t REG_BINARY /d "01000100000000000000000000000000000000000000000000000000000000000000000000000000" /f
    3⤵
    PID:1708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "Win32_GameModeRelatedProcesses" /t REG_BINARY /d "010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "0" /f
    3⤵
    PID:3392
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "0" /f
    3⤵
    PID:3368
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_EFSEFeatureFlags" /t REG_DWORD /d "0" /f
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
    3⤵
    PID:1800
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:1572
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "GameDVR_Enabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:3556
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:1340
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:4600
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "1" /f
    3⤵
    PID:2276
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:2016
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\008af23d-f4cc-4435-9422-b95fecf4b177" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\008af23d-f4cc-4435-9422-b95fecf4b177" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\008af23d-f4cc-4435-9422-b95fecf4b177" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:3008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\008af23d-f4cc-4435-9422-b95fecf4b177" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000002000a2aa3fc105db7031bdec104bf4abb2ac2ec9ba61470eaa47e35f70470739000000000e80000000020000200000004c4c9bb247edfba288821848b8a5ac4c179afe56042f12cbbd160f504413172d40000000a37e3ef9d3ecec8d6e0a7c3810ce8fec7dd8a95ff8e32733462e46c510bc9c0c679869e43b9b0a5c5847d7566a480d4c460ff7d091dc9e59cfabf33e18852ed3400000006268d09da61abb457e96064d252ad099ba4e7c6b718221ed28d82b2c4c88af2dada82ff5c82cf409174a6138b36d044dc9ed793a87e11cd91a0f691f2d25842d" /f
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\008af23d-f4cc-4435-9422-b95fecf4b177" /v "GameDVR_GameGUID" /t REG_SZ /d "9f5addde-641b-47fd-83d4-96631cf0d47d" /f
    3⤵
    PID:3344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\008af23d-f4cc-4435-9422-b95fecf4b177" /v "TitleId" /t REG_SZ /d "2121740635" /f
    3⤵
    PID:1596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\00e51963-7a20-47e8-86dd-c5061773edad" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\00e51963-7a20-47e8-86dd-c5061773edad" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3888
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\00e51963-7a20-47e8-86dd-c5061773edad" /v "Flags" /t REG_DWORD /d "19" /f
    3⤵
    PID:816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\00e51963-7a20-47e8-86dd-c5061773edad" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000c2df71fcb3a8c4492d1bdc384d3713b1a06ddec2c98b19f2f557c6301bdf5114000000000e80000000020000200000006b9e52a75ba13e5894355aaa0db627d643467a639c1500ee302380c2a6ca92dc30000000609291d835a39f16c075eb96f99c5c5039e3d2cca33dc0f557542087aa34bd5ad717a4bf87304720e6553aef042ba32c4000000081262c093afc386b8449384dbdb76b8c53f76c8e8e61c2f9354cf43abe84ede38e6b39130f08935e58afb04dd6b7c266bb2f4d21ef6c5b99f707a920e0a95f6d" /f
    3⤵
    PID:1932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\00e51963-7a20-47e8-86dd-c5061773edad" /v "GameDVR_GameGUID" /t REG_SZ /d "8bba1d53-2f6d-4275-b42d-61db4def7d51" /f
    3⤵
    PID:3192
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\00e51963-7a20-47e8-86dd-c5061773edad" /v "TitleId" /t REG_SZ /d "1877036175" /f
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\00e51963-7a20-47e8-86dd-c5061773edad" /v "MatchedExeFullPath" /t REG_SZ /d "C:\Users\pc\AppData\Local\Roblox\Versions\version-5a2a97e1d9794df1\RobloxPlayerBeta.exe" /f
    3⤵
    PID:3800
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\04cc06c9-e532-4b12-a143-77fc1cb3283a" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\04cc06c9-e532-4b12-a143-77fc1cb3283a" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\04cc06c9-e532-4b12-a143-77fc1cb3283a" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\04cc06c9-e532-4b12-a143-77fc1cb3283a" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000031756bbb777d47648941c37eb5679eb5faea718ad1d33a8dffa7cbe1037a2602000000000e8000000002000020000000ce5a17520c298ceb4ad269c435d68303e05e8c732368f36058a8c8579d0f2cdc2000000022f2a35d2e25cef6c4cfab6d189642c1fa0bbb04a4f01b6f26613afc238ea395400000004a03fe735dd356be81dba2c8c6d14dc1f10ae9feb993f375c40ffa0564439546f83b723636dcedcc681bee3373f142bf14b892fc6b3bfba99764893af1a041f1" /f
    3⤵
    PID:4608
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\04cc06c9-e532-4b12-a143-77fc1cb3283a" /v "ExeParentDirectory" /t REG_SZ /d "Thunder" /f
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\04cc06c9-e532-4b12-a143-77fc1cb3283a" /v "GameDVR_GameGUID" /t REG_SZ /d "0a7b1129-06ec-49b3-b3cb-7bcab1043941" /f
    3⤵
    PID:3820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0731122e-f429-4e74-8501-842bc3d88850" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0731122e-f429-4e74-8501-842bc3d88850" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0731122e-f429-4e74-8501-842bc3d88850" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0731122e-f429-4e74-8501-842bc3d88850" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000002373d4cb829b8d309a4f1bf07c66364bfa41378d31f6f744cc9f7f23ef4e1031000000000e8000000002000020000000a24b64be0c9b8d0f16cbd994639c188f3444951eb6c9bfcb47d8b681fa47b07120000000e38d3fb7a2427b9ccf8037d5a2802d56bd7e898dffb34e4577195c1e3fcf86b4400000009eb26b0a765800ded0f098c87b606bbfc9b3528be71fbb8175b82eeb5cd67738abb1dcacd79a324933f20a7851732fa4c6f1a6d6b4961746f447b9e9fd473a55" /f
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0731122e-f429-4e74-8501-842bc3d88850" /v "GameDVR_GameGUID" /t REG_SZ /d "5b0cb2d0-553f-4a2e-bc7a-337f2b827646" /f
    3⤵
    PID:4392
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0731122e-f429-4e74-8501-842bc3d88850" /v "TitleId" /t REG_SZ /d "2040962988" /f
    3⤵
    PID:3328
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0a956050-9628-4220-b516-808e497417c6" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0a956050-9628-4220-b516-808e497417c6" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0a956050-9628-4220-b516-808e497417c6" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1336
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0a956050-9628-4220-b516-808e497417c6" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000015e602d1f42285538dacf649daaf7592dca0581750b9107296e7abc37242f06c000000000e8000000002000020000000bb381d1ca94e32652bb70cf995c4bbd2c19f3f49d26f13e9fc9337ebef477169400000001990f6e1858e542b422e89184e9f34f2312d28ed1d2e9723360359e8de3ac62865b00e1850b3c22c7bce0768d1e4a46bc2fe733bef6dec93f1411d9699ecef0c40000000423459ded360714b12ef18939ab130e05218cad9db83b975d48d43f02e50702d5e72a47c23cc1a6384247c7e13e81e48370524883224f3507b282547c5fdeb39" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0a956050-9628-4220-b516-808e497417c6" /v "GameDVR_GameGUID" /t REG_SZ /d "5415bfb2-a9e9-4a8c-bcbd-4d1d9a066d3b" /f
    3⤵
    PID:4004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0a956050-9628-4220-b516-808e497417c6" /v "TitleId" /t REG_SZ /d "1742142364" /f
    3⤵
    PID:4660
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0a956050-9628-4220-b516-808e497417c6" /v "ProcessDependencies" /t REG_MULTI_SZ /d "audiodg.exe|1" /f
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0f715c27-e790-401f-b0a4-58a636f50f48" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0f715c27-e790-401f-b0a4-58a636f50f48" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3492
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0f715c27-e790-401f-b0a4-58a636f50f48" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:2936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0f715c27-e790-401f-b0a4-58a636f50f48" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000a7e4efc94492c124758db5e8d7f5b3506a9cad55309cecd340d1809f28f66ce4000000000e8000000002000020000000fbe13cd1ba843a295fc8ce9f1f8d24c798ac4c064d59b161a12a98d133dc0a6b5000000077a46e8ac62ed853f6ab669b720e9db5247d6ffe4b7f4d7b1143aba453e87b72563b737d481adeb48a6b2cc7114e1b14c71775a55bbd5490a2b804715069895257e67c009df44896a0ac430054c2abc5400000001c39f03041e17283c4f3b4607d4e2e86f1697d4b45830c7413d084bfc81c6ca5470a72c84737c44b659028763d95b9e75cb89a78e7eaca94db9edaa358c31d28" /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0f715c27-e790-401f-b0a4-58a636f50f48" /v "GameDVR_GameGUID" /t REG_SZ /d "284ea1b3-f5e7-4133-b521-74a8d9ae997e" /f
    3⤵
    PID:932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0f715c27-e790-401f-b0a4-58a636f50f48" /v "TitleId" /t REG_SZ /d "1820250788" /f
    3⤵
    PID:1580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\0f715c27-e790-401f-b0a4-58a636f50f48" /v "MatchedExeFullPath" /t REG_SZ /d "E:\fORTNITE\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping.exe" /f
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\11163eb8-ff97-4fc8-a4d1-1d46c9565579" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4216
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\11163eb8-ff97-4fc8-a4d1-1d46c9565579" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2108
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\11163eb8-ff97-4fc8-a4d1-1d46c9565579" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:4056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\11163eb8-ff97-4fc8-a4d1-1d46c9565579" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000645d20b00299a5ec1ec1ea07a8c46ff1fced90efadac97b15f127f059499360c000000000e8000000002000020000000efa25878be8c0e928864cc2e6dea1d8ee7232416c6131c1e8f09b76c9a023cf7200000001bffe4cafc21b93e79b6d96b2c0b1c4c4c4707c7b5570eea449aba66a99951f44000000047b0cc43987ee5631ebd08041ecce1ae0671c247c6d9a0ef546d45a6f549027b7e9a580271278a5386db42c817c2adac9b9c5f744974a67b4f9752ecda3f9559" /f
    3⤵
    PID:4764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\11163eb8-ff97-4fc8-a4d1-1d46c9565579" /v "ExeParentDirectory" /t REG_SZ /d "assettocorsa" /f
    3⤵
    PID:3980
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\11163eb8-ff97-4fc8-a4d1-1d46c9565579" /v "GameDVR_GameGUID" /t REG_SZ /d "504b718c-a940-4c74-a033-a1a8ae2214b7" /f
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\11163eb8-ff97-4fc8-a4d1-1d46c9565579" /v "TitleId" /t REG_SZ /d "1732322725" /f
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\241e0838-282a-453c-bf0c-b453987e7fa3" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4016
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\241e0838-282a-453c-bf0c-b453987e7fa3" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\241e0838-282a-453c-bf0c-b453987e7fa3" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\241e0838-282a-453c-bf0c-b453987e7fa3" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000812f71d40c69942ad2801687683e9b9fea1a51b8c518e2fa9b2d028bb455a4d4000000000e8000000002000020000000cbfe4aae72d069e43f20f336242fa53a9dd7c50c137349bb22ef32764c61a46330000000ad8cbc9f66d19470cd21556902c384e16235b6afc00f8b77b94171d411962392e527219838c20f77fdf50d48134eb5b740000000a20940b64d97a2d58c8904f51e8695b6cabf86f9a98fc022999620e11264c52d272e845533f8b52ff0e52b5733185ec97ddcd8a163126075e7c2a5e290253aba" /f
    3⤵
    PID:3508
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\241e0838-282a-453c-bf0c-b453987e7fa3" /v "GameDVR_GameGUID" /t REG_SZ /d "2605801a-c442-492c-8f9e-b274878c9c77" /f
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\241e0838-282a-453c-bf0c-b453987e7fa3" /v "TitleId" /t REG_SZ /d "1918679142" /f
    3⤵
    PID:548
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\326c86ae-f3a9-4980-8b9e-1da326311c76" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\326c86ae-f3a9-4980-8b9e-1da326311c76" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\326c86ae-f3a9-4980-8b9e-1da326311c76" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:5080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\326c86ae-f3a9-4980-8b9e-1da326311c76" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000005adce9ed51586046e825f8bae3d84ada217bdfa03a02782544acb89b4f07cf14000000000e80000000020000200000000d0d1c54874fba900bf7e8c3d3c697caaf75a69f2afd41654d5792dbcf61ee0640000000abce9f2877fdf8007c1b848fe0f38f5bfb2c85bdc12c6ab0b9cce2027594795a8fcfb983868aa003b0c7b45c7b1a63e872e1336d8cd15f7ef6537e8bd864ee82400000001bfb009a1cfe6551434fa53717acb6ded8b80c45543cf7a42ab404acd1e147bd9ddf6c47deab6b0219331ff10c93c98ebd5ad3e89132b2db0095466ac797f383" /f
    3⤵
    PID:1180
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\326c86ae-f3a9-4980-8b9e-1da326311c76" /v "GameDVR_GameGUID" /t REG_SZ /d "af3f11bd-4a4a-4e7f-915b-42f92384577f" /f
    3⤵
    PID:1100
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\326c86ae-f3a9-4980-8b9e-1da326311c76" /v "TitleId" /t REG_SZ /d "1698925306" /f
    3⤵
    PID:4804
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3409f26f-7bae-42a6-9c74-99c544ce5476" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3409f26f-7bae-42a6-9c74-99c544ce5476" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3409f26f-7bae-42a6-9c74-99c544ce5476" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3409f26f-7bae-42a6-9c74-99c544ce5476" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000003ff4d03d1330e9cf0d9a7b9da7817b290e7fae6386966068ed5cc0f447b4cff4000000000e8000000002000020000000251e6b7fb961c8e8203beab95528f6b2c39ce0b0ea3b38d4549fa346fb82f8903000000023aba10017424bc05fac79b28829993e7c17b5a2f8c903fb43f4d9b7f39aa4dbc295331d4de9a46ad9da580d2af5bc5b4000000073cd8d5ab4f8cafa232a49c639814452a4e4e2893fb63acdbe965b97e8b2e87be7047a2d9860ff1cd5f4804fb67555ec9781bcfea656a5f54ae6ea4aca1ca6fb" /f
    3⤵
    PID:516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3409f26f-7bae-42a6-9c74-99c544ce5476" /v "GameDVR_GameGUID" /t REG_SZ /d "3d991043-7128-48fd-936e-618d3e900873" /f
    3⤵
    PID:3200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3409f26f-7bae-42a6-9c74-99c544ce5476" /v "TitleId" /t REG_SZ /d "1918679142" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37578440-a809-44bd-88fe-2f00932796b4" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37578440-a809-44bd-88fe-2f00932796b4" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37578440-a809-44bd-88fe-2f00932796b4" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3668
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37578440-a809-44bd-88fe-2f00932796b4" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000003e569115f1e219b6cb1ade76d055c775fc508ea69260a25ccc3520e8c5c0bc30000000000e8000000002000020000000c16745aa95af88753ac48c3f1f2c41fd9fee2af7d4cb17155b0b3f2b40e004e13000000043a04b70d8bc03af97ba932e2e05138851f168e4084222e1a4dabc5eb66b41425d852d358adb4ccc9b2d923b49f93f5b40000000a529c6e9e708662cc2fbea67085757904ae652ae102e184479f9654478fcec6e60eb64b73f16927ba35e41956c1e97e278bfcb26d69df0106490e246874f9022" /f
    3⤵
    PID:3984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37578440-a809-44bd-88fe-2f00932796b4" /v "GameDVR_GameGUID" /t REG_SZ /d "44948889-a2f7-4479-a57f-918e58b10519" /f
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37578440-a809-44bd-88fe-2f00932796b4" /v "TitleId" /t REG_SZ /d "1918679142" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37b0bb90-816e-4853-b8e4-b943541b2f03" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:388
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37b0bb90-816e-4853-b8e4-b943541b2f03" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37b0bb90-816e-4853-b8e4-b943541b2f03" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37b0bb90-816e-4853-b8e4-b943541b2f03" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000006727cd8340f88cc8db833d57d67542565dc14054fdede06121d88482246cfe56000000000e8000000002000020000000b598ddf3a6928927d0b24f37a6152b83648f341391f461c616e88ff21fb836e0200000001eb85bcb0689c029f5352964cbe327b0caaad7e185042229296dd7da3377ac934000000091bfffbe25441ef201a0061c2da071b4b0ae80bfd2ce193ee3b91eb88f0bff443a1aabf1b10bced5bc8ff7e063447685fb5e7a00977cceb51ad733db20c3575d" /f
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37b0bb90-816e-4853-b8e4-b943541b2f03" /v "ExeParentDirectory" /t REG_SZ /d "Grand Theft Auto V" /f
    3⤵
    PID:208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37b0bb90-816e-4853-b8e4-b943541b2f03" /v "GameDVR_GameGUID" /t REG_SZ /d "07637478-a718-4c3b-85f1-4208550bf9ed" /f
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\37b0bb90-816e-4853-b8e4-b943541b2f03" /v "TitleId" /t REG_SZ /d "1862446374" /f
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3f43ed16-df66-4422-abd8-925b1350bb64" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3f43ed16-df66-4422-abd8-925b1350bb64" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2120
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3f43ed16-df66-4422-abd8-925b1350bb64" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3f43ed16-df66-4422-abd8-925b1350bb64" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000150f1ad2ab133c5e6acafd8c2531de42a18e75c280fa12a39a8f7c3d09488493000000000e8000000002000020000000da79e02a246b1cccc6449260fa0716b3730865a5c8ddd9cf1bbdaf16754130e73000000060c98c0fc321e4f820338acd13ddfb6326c5646ff36a41aaae010cf0af548833b31aa59e078a4b322dccb1cd1e00720240000000606ea71737e8d97c431b0e9bf480bfbb34e0827d4d3d8643a47c8afaa15d666b872075d36c503ffba9298dbc25b388cc66fcc3fbe1621463593164aa7865d97c" /f
    3⤵
    PID:4196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3f43ed16-df66-4422-abd8-925b1350bb64" /v "GameDVR_GameGUID" /t REG_SZ /d "beadb662-4a97-4790-bc99-33f001c314ec" /f
    3⤵
    PID:2640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\3f43ed16-df66-4422-abd8-925b1350bb64" /v "TitleId" /t REG_SZ /d "2119592325" /f
    3⤵
    PID:3936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40406386-7428-4521-a6f9-2f0581086ddf" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3556
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40406386-7428-4521-a6f9-2f0581086ddf" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1040
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40406386-7428-4521-a6f9-2f0581086ddf" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40406386-7428-4521-a6f9-2f0581086ddf" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000cd7cd59665dfeea16874a88d5ad65fcc2954689392e02bd2ea0d92b5b51f0335000000000e8000000002000020000000722920510f52b5bc5eaf06280539bf46c0f7f341e32287446e8aa043c2044a6d20000000dd0c5bf79ec58f80e853f5f9e73792b9d48896ef4138a2345f3315e62fe3d7b64000000073e6da8dd74e263b9b266303bf1825154e20f3d5d2731e599ca8112e7d63f6057a54a415890ca31e9f64a707282a48f3cb5a7a05ba3052d18f65d9f454367476" /f
    3⤵
    PID:3164
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40406386-7428-4521-a6f9-2f0581086ddf" /v "GameDVR_GameGUID" /t REG_SZ /d "7cf934d6-536b-413b-84bf-519f36dc9a65" /f
    3⤵
    PID:4820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40406386-7428-4521-a6f9-2f0581086ddf" /v "TitleId" /t REG_SZ /d "2119592325" /f
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\405c1cab-14ed-4e85-97a8-ec71126aa2e7" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:220
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\405c1cab-14ed-4e85-97a8-ec71126aa2e7" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\405c1cab-14ed-4e85-97a8-ec71126aa2e7" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4328
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\405c1cab-14ed-4e85-97a8-ec71126aa2e7" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000006b3691f3166eb2992449c41c62750677a0ce745f9ea4b57c3887fed0a1eb1554000000000e8000000002000020000000d6fb787a1bb3f89017425fbcdeab5608aed2c477df8b20600b896ff42f9322ad2000000043f666e5377918e15335c0b163ebb2f4d30827eddf0011b6e6f4fbe6454df92940000000a9636dc842c836906fd6af8ddbf211c1e413c57f24f2d2b7f8004b0b806593721845b36c8e025d8ee9a4336fe5f0d7e31dd6ac4bb3f19272e9a95999d8d2170d" /f
    3⤵
    PID:1076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\405c1cab-14ed-4e85-97a8-ec71126aa2e7" /v "GameDVR_GameGUID" /t REG_SZ /d "5f16f138-9b89-48cd-a1b4-935f9e07e014" /f
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\405c1cab-14ed-4e85-97a8-ec71126aa2e7" /v "TitleId" /t REG_SZ /d "2089711717" /f
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40aa1199-5ca0-4ee6-be13-eb5009af6889" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:748
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40aa1199-5ca0-4ee6-be13-eb5009af6889" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40aa1199-5ca0-4ee6-be13-eb5009af6889" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:744
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40aa1199-5ca0-4ee6-be13-eb5009af6889" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000e24669136e4ec3ce30126669669af8bb664d0044c03befb093853fda1926c385000000000e8000000002000020000000b786383eb05f671e603d94b4be38efd132099514f7ad5601eb63202d3958f44120000000b47a626f2f564dde2eab7810240840a24d4ba54e5b991f251740951d1b6c2c674000000051b7875f0bd1004e8cd9d87aed5cdd09828357745d0a1d35f781a17d2e176782f648ed0240e3ee473b39af2e9f7e6fb025e7920725cacbae8f1c93527b982668" /f
    3⤵
    PID:2852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40aa1199-5ca0-4ee6-be13-eb5009af6889" /v "GameDVR_GameGUID" /t REG_SZ /d "278317db-52b0-4257-9ddd-17e942d6f851" /f
    3⤵
    PID:1808
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40aa1199-5ca0-4ee6-be13-eb5009af6889" /v "TitleId" /t REG_SZ /d "2040962988" /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40e28932-7ee7-404d-b262-77693fb6f631" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40e28932-7ee7-404d-b262-77693fb6f631" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3192
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40e28932-7ee7-404d-b262-77693fb6f631" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:4552
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40e28932-7ee7-404d-b262-77693fb6f631" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000009503cfca9d3af229c7db1abb2aef9697f915c80726cf5d6da014b2cfd72a2759000000000e800000000200002000000016e8d2065a5cf84c209b058efb16c592e653f5560dcad87bf2110d672b00348c300000001960cf2d94a6afd3a8fa17e8ed77eb4a3b573fed6aa49bb80d851298330eeccd98c7e0c6f292934d599e0dcd74742779400000008d5b77e4475e9374702db263201d602e2be31be23e58a8c8ab3b1c4aaf05729b09c90b732bc0f99595a60513f0c86db94a38cc8465d5312990eb79b9375927a2" /f
    3⤵
    PID:3800
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40e28932-7ee7-404d-b262-77693fb6f631" /v "GameDVR_GameGUID" /t REG_SZ /d "13a903e3-8525-4b48-b0c2-ad91ed8432be" /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40e28932-7ee7-404d-b262-77693fb6f631" /v "TitleId" /t REG_SZ /d "1877036175" /f
    3⤵
    PID:3420
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\40e28932-7ee7-404d-b262-77693fb6f631" /v "MatchedExeFullPath" /t REG_SZ /d "C:\Users\pc\AppData\Local\Roblox\Versions\version-096c60fcfa5e4ca2\RobloxStudioBeta.exe" /f
    3⤵
    PID:4496
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\43c24735-989f-477c-8ced-dc705c0a60aa" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3288
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\43c24735-989f-477c-8ced-dc705c0a60aa" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\43c24735-989f-477c-8ced-dc705c0a60aa" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\43c24735-989f-477c-8ced-dc705c0a60aa" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000003c78cef4c4a58d9b9c4a5c23b3a78269ed35a9dd1b40cb0854d9efc13cc4eb6c000000000e80000000020000200000000feb290bf86ac9839eb4fc8fdea072bf929b2ec94ed4250d9537313d20e81b0630000000973bd0f32e1568427af962be0e0357458ad35123e43aa7a5c9c46490ccddb495af57e67008a6f35666f2e322e28cff834000000049b6aa6d8fa70625eb9e85b544b7bd1524d0cf56f84d0e04d8faa5de1b5b061f83b0aae007a800d794aacdfc41c61c88e2a7962b1b77864a4c29c283c9517790" /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\43c24735-989f-477c-8ced-dc705c0a60aa" /v "GameDVR_GameGUID" /t REG_SZ /d "d462329a-a831-42b3-809b-6ce39187b369" /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\456db1d1-339b-4a77-8b0b-6795a1699345" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\456db1d1-339b-4a77-8b0b-6795a1699345" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\456db1d1-339b-4a77-8b0b-6795a1699345" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:4392
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\456db1d1-339b-4a77-8b0b-6795a1699345" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000000d1875b75d6b6703956c461615dd90c7a7321e3ebf8d4111f2cd7f7482f84cc0000000000e8000000002000020000000029c841959994881220817cd114fe56b6c8673bf75fe022a868d4ef9dd11f5b51000000037d4e2a071532725b35f235b765a37d44000000008ac48aa6f2ddc3115963eb1e3409a1f29eae74bd1b28615100b5ca43a5e3c7aaea8452a2a2321c08e5bfc03124f45b701b0c6af5f1c03e708250289293f8c32" /f
    3⤵
    PID:2700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\456db1d1-339b-4a77-8b0b-6795a1699345" /v "ExeParentDirectory" /t REG_SZ /d "Assetto Corsa" /f
    3⤵
    PID:4776
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\456db1d1-339b-4a77-8b0b-6795a1699345" /v "GameDVR_GameGUID" /t REG_SZ /d "ad9f3b82-3ec2-4d93-93d5-23bdbc2374ab" /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\456db1d1-339b-4a77-8b0b-6795a1699345" /v "TitleId" /t REG_SZ /d "1732322725" /f
    3⤵
    PID:1768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\46fc0979-b6fb-4de8-b90d-253cc753d244" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\46fc0979-b6fb-4de8-b90d-253cc753d244" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\46fc0979-b6fb-4de8-b90d-253cc753d244" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:4660
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\46fc0979-b6fb-4de8-b90d-253cc753d244" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000d52a46f383dc691a1a0d8a21a16a059337cab58f9e4fe3b82fcdb890b674d330000000000e8000000002000020000000b9793a1f3a581404cc58a2ab8a1fbf4b5471ce05d3555350a3374bb9023c508f200000009b9e9b012e9d73ea05dac532154b718c50a6fafc1d2b3fd3d99f82dab97a184a40000000652433422f755eb1ac79d8fbd4e4bb112a305f39bf5cc29e1e96eddde222968668885a8c457197db56f999599d98f85b34d341c7d8d8db8c507626c2dc86f8c3" /f
    3⤵
    PID:2920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\46fc0979-b6fb-4de8-b90d-253cc753d244" /v "GameDVR_GameGUID" /t REG_SZ /d "15c6ac82-6f25-4f79-8ff1-a7c777f1a7db" /f
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\46fc0979-b6fb-4de8-b90d-253cc753d244" /v "TitleId" /t REG_SZ /d "1714452188" /f
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\46fc0979-b6fb-4de8-b90d-253cc753d244" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Spellbreak\Spellbreak\g3\Binaries\Win64\Spellbreak.exe" /f
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000e0cc8dca8535c1fa2aef2cc8173953f514cbeb4f0e359ef43088c4530d1af248000000000e8000000002000020000000f2e4a07a4e10f902c4530b7a9a7d12e59f7bd5adfaf5428172a9601bbea826f0200000004518395700d59104c92cde981530e1c133600197f4cc6e439bc2bfaad88efe3b400000004583aadf35fe87d01d143e4130c0a4eb889ee849e25cda7ea0076bc3eeaee9d55e86420b48e752eb35b8bc72ef936120fe758c774f05671c81d2c21232a97dc9" /f
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /v "GameDVR_GameGUID" /t REG_SZ /d "224d89df-2628-4203-bf5c-11c62dcbe9f2" /f
    3⤵
    PID:4544
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /v "TitleId" /t REG_SZ /d "1667877464" /f
    3⤵
    PID:2528
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /v "ProcessDependencies" /t REG_MULTI_SZ /d "audiodg.exe|1" /f
    3⤵
    PID:4056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4f561632-47cd-4c2b-93a9-e1da865f03ba" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:868
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4f561632-47cd-4c2b-93a9-e1da865f03ba" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2908
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4f561632-47cd-4c2b-93a9-e1da865f03ba" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4f561632-47cd-4c2b-93a9-e1da865f03ba" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000b6991435445b505867cdd106bb476b742f92bc755eeb634d6f2885e2b5e7efbd000000000e8000000002000020000000a46e751b690f47645666afd17e84a88f7ab4c0765929c510ac6f7f5017fcf95e30000000dd7b2cc92e57419c4e2dae72e68ecbc7982b85a9142baaa4608fe17c6b07c175d638e6bd72f20f7d7832c3c2990b2322400000004244d78b9ad62b3624678a3d999101467c25ab3d1b6d91e8e2236ca30d9b08cc928f5079c875b8c5d90bd4ea2f1321bff897c72c044b8c213e8e5f92992c254f" /f
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4f561632-47cd-4c2b-93a9-e1da865f03ba" /v "GameDVR_GameGUID" /t REG_SZ /d "88c24bf8-d1db-48be-b6f7-684ab89c9194" /f
    3⤵
    PID:3880
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\4f561632-47cd-4c2b-93a9-e1da865f03ba" /v "TitleId" /t REG_SZ /d "1698925306" /f
    3⤵
    PID:532
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\50ef2ba5-7013-4e09-917e-2e77e806b4d4" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\50ef2ba5-7013-4e09-917e-2e77e806b4d4" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3508
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\50ef2ba5-7013-4e09-917e-2e77e806b4d4" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\50ef2ba5-7013-4e09-917e-2e77e806b4d4" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000f713a26d358d220a63f472dc57e490304b0097aa9f1befb7c8d1c1f7ebf95cbf000000000e8000000002000020000000336049e4b7a194d18a9a4ba3a574cb4c4bd6f7c442f51e625b62cfdea584b49c30000000ca811d733df673963f08026251ccd8d0ba534d29378995cc2bbe9210809b85748cdfafe5968ba31b9da6802ef63908a040000000f7448769e6a4c6326a175fb12ad8bd9da728d52c2b366552f67c9fd5f375d24e90abd47a2ae510cc4c8374af9d33ff5efdb2b85bff28098f95180cd1c125e118" /f
    3⤵
    PID:548
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\50ef2ba5-7013-4e09-917e-2e77e806b4d4" /v "GameDVR_GameGUID" /t REG_SZ /d "1b71cdd5-d687-414b-b729-64a8e30f9cab" /f
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\50ef2ba5-7013-4e09-917e-2e77e806b4d4" /v "TitleId" /t REG_SZ /d "1801033410" /f
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5bb62464-0905-4a39-b7e4-317edb6f0b33" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:5080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5bb62464-0905-4a39-b7e4-317edb6f0b33" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1180
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5bb62464-0905-4a39-b7e4-317edb6f0b33" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1100
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5bb62464-0905-4a39-b7e4-317edb6f0b33" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000b2b46af91c169e0a7897663ecda48baea3eaf1862f0579134fbee50afc2aa149000000000e800000000200002000000062de0b130e701430941da28f61e66de44d07485ffcad4a70fd9e2d79c27c4c2940000000bfe53e0e667c6b69aec5e454a4417648d1ba9c9da5d9653c0c2000a0b8275c21d0bd938bcc3202d929190c43a00312151d794a6f498d6dda6b359abbfa071d3740000000c2672ee3a991cfd9bfa2c069b50ec10d02ad25d66f7ff31dc841854a69b82a31e0455213ad8aa7f147c364c4c8e80404c5ca0bc9184fb88db240bc57008db46c" /f
    3⤵
    PID:4804
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5bb62464-0905-4a39-b7e4-317edb6f0b33" /v "GameDVR_GameGUID" /t REG_SZ /d "7eb831fc-81c0-411b-bff0-176f7cda799d" /f
    3⤵
    PID:3468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5bb62464-0905-4a39-b7e4-317edb6f0b33" /v "TitleId" /t REG_SZ /d "2066051089" /f
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5cdff6ad-e34e-4062-877b-3fe82e7c8949" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5cdff6ad-e34e-4062-877b-3fe82e7c8949" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5cdff6ad-e34e-4062-877b-3fe82e7c8949" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5cdff6ad-e34e-4062-877b-3fe82e7c8949" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000ee6e08927d02adccf7e231fc8d8ec9e052dae83d6e1592104b69c6fe1a40d7c4000000000e80000000020000200000008626aa0a4e3ff37e8052722568ad0364c545f54a13bc9258ed4c81059a41003a20000000b33ec80113dc881d4fce217376401d9983bad5f8a0a1865b7f818f13d9d5a0ec40000000e57cf4f483c062de537d8c48b3a43aa180c446fa55b639b2e371bda512b6928a14f605dba58f395b51df5506253c626824870df390e8ca736bb793d4e4caa116" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5cdff6ad-e34e-4062-877b-3fe82e7c8949" /v "GameDVR_GameGUID" /t REG_SZ /d "9df8835d-3764-44af-ab79-eb100bd97425" /f
    3⤵
    PID:4504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5cdff6ad-e34e-4062-877b-3fe82e7c8949" /v "TitleId" /t REG_SZ /d "1621796646" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5d93a35e-310b-4e76-8967-b97ae66016a2" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3668
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5d93a35e-310b-4e76-8967-b97ae66016a2" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5d93a35e-310b-4e76-8967-b97ae66016a2" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5d93a35e-310b-4e76-8967-b97ae66016a2" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000828969ffbe7bfd5f26069e50671e8bb95b551c387fcad084aa15f1169f382b8f000000000e8000000002000020000000635a028ff148698750e16bd3a1496278aec9d157830fb33c67e047e0a35d48af2000000021b6e1217091b23bf6f32762d2ca16475b7180aa163dd318593dad7ded9a56324000000097d0411706c209f9e9fb7d1b995640042f86e79fb0ffcc6ae661e2a713b61078a3c49e302f6754aec5c53aec9526fabb53ddc228495821c65a36bf864264b871" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5d93a35e-310b-4e76-8967-b97ae66016a2" /v "ExeParentDirectory" /t REG_SZ /d "Assetto Corsa" /f
    3⤵
    PID:388
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5d93a35e-310b-4e76-8967-b97ae66016a2" /v "GameDVR_GameGUID" /t REG_SZ /d "6cfa5815-25cf-4dee-b61c-ac4c88b53778" /f
    3⤵
    PID:4836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\5d93a35e-310b-4e76-8967-b97ae66016a2" /v "TitleId" /t REG_SZ /d "1732322725" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\6053cdf7-6d52-42c8-9967-a29a542b7ae1" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\6053cdf7-6d52-42c8-9967-a29a542b7ae1" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\6053cdf7-6d52-42c8-9967-a29a542b7ae1" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\6053cdf7-6d52-42c8-9967-a29a542b7ae1" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000e2726d36d4db62316e89dbe86d0713afa3786f7481cb30074fa4a5fedce70db8000000000e80000000020000200000007410aa4e3b3943aada0f15ae6c18cce178c0f4b905c7d6ee777862bb77939e4d20000000265f6b0bf596dbb210c33de536bc88960c1cbb7cd5a6bfbd8693dd003f1279d54000000090c43e7cdeff564ea053c0a90455b62d5fd956bd105b1e40b7d7bf0e029c0e2c502cbb5045f2afea909d2dd6708137497d0e9439423ebca735f77327dd5106e8" /f
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\6053cdf7-6d52-42c8-9967-a29a542b7ae1" /v "GameDVR_GameGUID" /t REG_SZ /d "a78ce068-6b2c-4b51-9305-229303a1512a" /f
    3⤵
    PID:2232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\6053cdf7-6d52-42c8-9967-a29a542b7ae1" /v "TitleId" /t REG_SZ /d "1644611974" /f
    3⤵
    PID:2120
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70c3139d-9c99-4038-ad15-1d6bf312fb15" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70c3139d-9c99-4038-ad15-1d6bf312fb15" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70c3139d-9c99-4038-ad15-1d6bf312fb15" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:2640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70c3139d-9c99-4038-ad15-1d6bf312fb15" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000009adcd8abd6338e2412ed2f5dc0b1842da1972b40ea9b4a512e31815085161068000000000e8000000002000020000000aaff27b059cf8a88ba4b0fa5a41c2095712151da880d633aac62e64f99ce5575300000004617b59d8bd8bcba1c6692500f6747547d5898702df8c9ffe31031b58b36161948484ea47bd82b793bd4f9f512036fc3400000003a13b89f787d72a9237c6e6f2097b9450a2e64a05a95e17e760b422ab542e9fd0a5be313634d5d0289b3e4c751cb859c1ae6f274c7dd66743f7de9a552eba890" /f
    3⤵
    PID:3936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70c3139d-9c99-4038-ad15-1d6bf312fb15" /v "GameDVR_GameGUID" /t REG_SZ /d "6b15dfa7-66e4-4a62-a748-05cb4dadf867" /f
    3⤵
    PID:3556
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70c3139d-9c99-4038-ad15-1d6bf312fb15" /v "TitleId" /t REG_SZ /d "1787008472" /f
    3⤵
    PID:1040
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70c3139d-9c99-4038-ad15-1d6bf312fb15" /v "MatchedExeFullPath" /t REG_SZ /d "E:\COD WarZone\Call of Duty Modern Warfare\ModernWarfare.exe" /f
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70df813c-6159-4d82-b679-3b79c7aa6cb1" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3164
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70df813c-6159-4d82-b679-3b79c7aa6cb1" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70df813c-6159-4d82-b679-3b79c7aa6cb1" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000cca38c1d965f79d722805958e9d94a1f2c0b08db017c48281a12d2ec3de4499b000000000e800000000200002000000001e7427de70ec70c3544165a4a42a9adb6e8faa81d703df1ef680b9f99f4b1c110000000fea1a4d63f604f88f18c201082f75cdd40000000fa49fd7ec1eed8294f5696f3769851210c965cb01b149a31a537954ca8a233b97c139955ab66bc39f75a6809bea68da89b686479be9c812d3f13896eaed19ea7" /f
    3⤵
    PID:220
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70df813c-6159-4d82-b679-3b79c7aa6cb1" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70df813c-6159-4d82-b679-3b79c7aa6cb1" /v "ExeParentDirectory" /t REG_SZ /d "Red Faction Guerrilla" /f
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70df813c-6159-4d82-b679-3b79c7aa6cb1" /v "GameDVR_GameGUID" /t REG_SZ /d "3e70fc1f-7916-4016-ac8e-b59dddbff6e9" /f
    3⤵
    PID:4328
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\70df813c-6159-4d82-b679-3b79c7aa6cb1" /v "TitleId" /t REG_SZ /d "1995066354" /f
    3⤵
    PID:1076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\73400fc2-5ae9-4532-86dd-29d81bae1132" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\73400fc2-5ae9-4532-86dd-29d81bae1132" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\73400fc2-5ae9-4532-86dd-29d81bae1132" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:748
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\73400fc2-5ae9-4532-86dd-29d81bae1132" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000d4b1cfac322a9636b898bc9e9398d9270a706113a520ff21ec3092ce51b94887000000000e80000000020000200000000ba3723336a0a15c0891602834cccfd9910edb9f23a5b2ff1d2a37daad82346830000000a9f46ad7e999c29ce0faf59d1d1e093e0aae5500a71d56afa61d246d994d1a8f79fb94d7d8bc734bfe13f69805bb96d4400000008fe6d531cce3a3fde7b96b330b7fa7b83a53250a667eff07c596f10822b0d9c04cb192d6fe1c9aae1f88a5e9352c8b76277e1225c94d7d5fa23a21883a064408" /f
    3⤵
    PID:3264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\73400fc2-5ae9-4532-86dd-29d81bae1132" /v "GameDVR_GameGUID" /t REG_SZ /d "ba8cb5ec-5912-4170-87bb-ba98605e8318" /f
    3⤵
    PID:744
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\73400fc2-5ae9-4532-86dd-29d81bae1132" /v "TitleId" /t REG_SZ /d "1956642556" /f
    3⤵
    PID:2852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\73400fc2-5ae9-4532-86dd-29d81bae1132" /v "ProcessDependencies" /t REG_MULTI_SZ /d "audiodg.exe|1\0battle.net.exe|8\0battle.net helper.exe|8" /f
    3⤵
    PID:1808
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\77b4d6e3-85d7-4ae9-ad9b-52b42f98077f" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\77b4d6e3-85d7-4ae9-ad9b-52b42f98077f" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\77b4d6e3-85d7-4ae9-ad9b-52b42f98077f" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3192
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\77b4d6e3-85d7-4ae9-ad9b-52b42f98077f" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000e365c2dedb7aa80048139c2753ce5d733891e7f8889929eb77405da34b074648000000000e80000000020000200000003d5423fc55c3891e0af498bd039d6375ac49c426c3efae537ef3563ad095593c300000002092d1969ed4ccc6e608e28cf1035996ca841bed9f88d7850223f8b236f33384735db185fa7d9d868739c17b8e53b9c840000000cac55fa6eecbc31b2d0ac5772ee8782050f6027a080415825084c0cc0724db1f5513b81ed0f22cd0104f8890556bb6422ca9795601609aae5dc7beaa5aa6a735" /f
    3⤵
    PID:4552
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\77b4d6e3-85d7-4ae9-ad9b-52b42f98077f" /v "GameDVR_GameGUID" /t REG_SZ /d "53080e08-49fb-4312-9e1f-8fc378ea09a1" /f
    3⤵
    PID:3800
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\77b4d6e3-85d7-4ae9-ad9b-52b42f98077f" /v "TitleId" /t REG_SZ /d "2089711717" /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\7c6c29ed-6638-4b39-87c9-90749f34fd0f" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3420
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\7c6c29ed-6638-4b39-87c9-90749f34fd0f" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4496
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\7c6c29ed-6638-4b39-87c9-90749f34fd0f" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3288
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\7c6c29ed-6638-4b39-87c9-90749f34fd0f" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000b084d437973df586eefe73f040fa43348ec64eb5942639faeb12943ea9c8ce1f000000000e80000000020000200000006ad79d8212289819d5094a3426dc46b71f34cd4d6f262ec924af385b20b9dd6f2000000028fa4cb3ea12414e2b8b842a287b8f1f0d1ae23fc0b0caa0f9d2c248ad60facf4000000058c2cce7d4c0b4a28746e13fd765598b0cddae1b8b869a2170c744210a65016e5292920088979defdb6de4b2d2ebeace65750139b89e9f66fba8b743b46cc5d2" /f
    3⤵
    PID:3028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\7c6c29ed-6638-4b39-87c9-90749f34fd0f" /v "GameDVR_GameGUID" /t REG_SZ /d "c9a828a1-eacc-46a4-9372-6a5c7dd052ae" /f
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\7c6c29ed-6638-4b39-87c9-90749f34fd0f" /v "TitleId" /t REG_SZ /d "1862446374" /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\7c6c29ed-6638-4b39-87c9-90749f34fd0f" /v "MatchedExeFullPath" /t REG_SZ /d "C:\Users\pc\AppData\Local\FiveM\FiveM.exe" /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\88bba3e3-6149-435f-8f03-2e763a6b28e5" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\88bba3e3-6149-435f-8f03-2e763a6b28e5" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\88bba3e3-6149-435f-8f03-2e763a6b28e5" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:2912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\88bba3e3-6149-435f-8f03-2e763a6b28e5" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000bbf0b749457861b6011e095a8abd591acc8169e950dbefda3f14b3a4a2d8fbc9000000000e8000000002000020000000ba63f57d769a7e565aea5c810b851c1bcb4b339eaf33eba8dc112744e2caf6cb10000000e5b4febbae83767b9197f4000cd4ceb740000000fc6bcc008bb511c3b79d17b7d0c5d17f546e7e1ca7e686897fd26c198fefd590b807d62da43436ad1b1bd1fbed980259c43c33d677df1153c87decc292062371" /f
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\88bba3e3-6149-435f-8f03-2e763a6b28e5" /v "ExeParentDirectory" /t REG_SZ /d "Football Manager 2018" /f
    3⤵
    PID:2700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\88bba3e3-6149-435f-8f03-2e763a6b28e5" /v "GameDVR_GameGUID" /t REG_SZ /d "df224822-4e38-4db8-b348-1a74168570ea" /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\88bba3e3-6149-435f-8f03-2e763a6b28e5" /v "TitleId" /t REG_SZ /d "1621910926" /f
    3⤵
    PID:1768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\89012e6d-35ec-4578-bdbd-1e9c2f91d561" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\89012e6d-35ec-4578-bdbd-1e9c2f91d561" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\89012e6d-35ec-4578-bdbd-1e9c2f91d561" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4660
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\89012e6d-35ec-4578-bdbd-1e9c2f91d561" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000008dcf91b9fed0dfb94f7625e598fb50dfc4711ff0a3f88afeba93d7d3a39af24f000000000e8000000002000020000000eb7c77b4f86942115f5557af80713f1d14e264e8ed648198bb9c3d99e78f07fa2000000062ec9094d0f54153a685bd257bdbbc84cc3f680712c1c26af7f776609ec25c634000000044f25d942d424f375984751d2e7ab9972c94ae3495c91ac0c6273223fee0e990538c1737ffe74496b291262aac9998dbfa6c7b163cba43005424e6766cc86181" /f
    3⤵
    PID:2920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\89012e6d-35ec-4578-bdbd-1e9c2f91d561" /v "GameDVR_GameGUID" /t REG_SZ /d "2642baeb-a830-4329-b111-6be504a93e9a" /f
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\89012e6d-35ec-4578-bdbd-1e9c2f91d561" /v "TitleId" /t REG_SZ /d "1698925306" /f
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000066701ad24efda278c278975fc2b7c1a609acdf0703b6bd9b71ebeca63e733d6b000000000e80000000020000200000007039383d4a30349739c461740ab70c4482417b3d6e78999456a4d62ecd3387633000000067b1630b78ea9fe47b87c4a411023ef3da2300ce49044d7c777ca9f74c8ac788a7719582706c766b64b169b8a7c5e890400000007511e6fc8bdc3d13a7651b07f557df16b6e9ea86cae38325b17b4b89b0de0a025e11cc81d834e9b8d3917b2b554561311f4bd4651ef5a080bf440d7b0046822c" /f
    3⤵
    PID:1896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /v "GameDVR_GameGUID" /t REG_SZ /d "6834708e-ff37-4f47-8d9e-e009475696ea" /f
    3⤵
    PID:4216
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /v "TitleId" /t REG_SZ /d "2140933132" /f
    3⤵
    PID:3688
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Rocket League\rocketleague\Binaries\Win64\RocketLeague.exe" /f
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9253f3de-1abd-412c-8fca-25196b323e44" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9253f3de-1abd-412c-8fca-25196b323e44" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:868
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9253f3de-1abd-412c-8fca-25196b323e44" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:2908
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9253f3de-1abd-412c-8fca-25196b323e44" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000007731527d66e83e8ce4772a45b0f80db134f628fbf59f3e92f6728d2ffeaad311000000000e80000000020000200000001a88e6857edeadcc9ac396dc47b4010d64b1a19b8003b744409c2ab631ecace520000000662454a6d9bcd23b3131345a02b23b84719200419b89f85e44b71c513909557d40000000e1a2e6ceba037348ac0a8fbe848721125cc4a7350467c907e834b6d0592fe71495f789e2de3886dbc5a964ee5fc6e15fe41258bdb691642f3ca898a06979a012" /f
    3⤵
    PID:1036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9253f3de-1abd-412c-8fca-25196b323e44" /v "GameDVR_GameGUID" /t REG_SZ /d "36807058-7c11-4844-84fc-55062cd44bce" /f
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9253f3de-1abd-412c-8fca-25196b323e44" /v "TitleId" /t REG_SZ /d "2013577527" /f
    3⤵
    PID:3880
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9b9b54e1-b0b2-42f8-b46a-63386dd30005" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:532
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9b9b54e1-b0b2-42f8-b46a-63386dd30005" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9b9b54e1-b0b2-42f8-b46a-63386dd30005" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:3508
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9b9b54e1-b0b2-42f8-b46a-63386dd30005" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000001f57452de10d59a26408febc40944ac03248e2031d169efcbf5dce9697886d20000000000e800000000200002000000053bf69c14de9e1e9daf7cacacf428ba3de3c3355c0fff92571c57bc17cf45ef41000000063573dd0d4eda7a4ae2c81b8089dcd22400000002dbf6ddd729210604faa0c366a760644be4a2a608d59a1b76b68fabdede6f9440d2c27c7eaeb3b79cdcd5f8693c101cd56de767b0320a3b341ee3e4519fc5b47" /f
    3⤵
    PID:4580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9b9b54e1-b0b2-42f8-b46a-63386dd30005" /v "ExeParentDirectory" /t REG_SZ /d "Trails of Cold Steel" /f
    3⤵
    PID:548
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9b9b54e1-b0b2-42f8-b46a-63386dd30005" /v "GameDVR_GameGUID" /t REG_SZ /d "4b2e0e33-943e-4010-86ff-35270e2b0d83" /f
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9d41f6f1-5618-4606-a8ec-1100921065fc" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9d41f6f1-5618-4606-a8ec-1100921065fc" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:5080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9d41f6f1-5618-4606-a8ec-1100921065fc" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1180
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9d41f6f1-5618-4606-a8ec-1100921065fc" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000d646212c2fb6aee789f011b02cea457aecc48847cf2149d45285f412948b865f000000000e80000000020000200000008e76e6790a5171e8c0158b3b5110c564f2cdcff8faba3e9953aab1b32771c4ab20000000345216961b7d9833cfe72134363133365b9ab299c46fae335e980d687542e4694000000026f93730969dd9f952e4ed68853bcdfdc665e1366fffd4fa6cd1f70e85b7d1faf4fb900755c2647b4ff5940856f2ee9697fb81d730b69075c8dbf67d0c46e6b1" /f
    3⤵
    PID:1100
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9d41f6f1-5618-4606-a8ec-1100921065fc" /v "GameDVR_GameGUID" /t REG_SZ /d "d74e41c9-9b22-41e5-a4b8-4e303df73d38" /f
    3⤵
    PID:4804
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9d41f6f1-5618-4606-a8ec-1100921065fc" /v "TitleId" /t REG_SZ /d "2014204696" /f
    3⤵
    PID:3468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9d41f6f1-5618-4606-a8ec-1100921065fc" /v "ProcessDependencies" /t REG_MULTI_SZ /d "audiodg.exe|1" /f
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9fc09f67-272f-43f3-8c0b-2557f99f08fd" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9fc09f67-272f-43f3-8c0b-2557f99f08fd" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:516
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9fc09f67-272f-43f3-8c0b-2557f99f08fd" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9fc09f67-272f-43f3-8c0b-2557f99f08fd" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000e33b7d4c792b9a6a8091a87df1d3b9e143d2fb2fdff06e631f8df6c6b5bed888000000000e800000000200002000000061671ae83bf38feaa888ae7bd30743189d64779f3996bcdb7f0f507d3e74c07d20000000aedf7ca4d131254dc118928153fadb9bcf0866fb49c440ba768f4380f24f359a4000000082e884d4315fedf90bbcb8a3c5b12a56b51b56b8eb7d90f2014d099fe1d9118bb12b310f1759449f2a49173f12d7788ccac2e6ddaa7dbf32d1d32de8e6195132" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9fc09f67-272f-43f3-8c0b-2557f99f08fd" /v "GameDVR_GameGUID" /t REG_SZ /d "5005d987-b8aa-4be5-bafe-e4db5fba423c" /f
    3⤵
    PID:4504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\9fc09f67-272f-43f3-8c0b-2557f99f08fd" /v "TitleId" /t REG_SZ /d "2067772105" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a15993e5-3e93-4968-a526-b96ec64f3995" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3668
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a15993e5-3e93-4968-a526-b96ec64f3995" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a15993e5-3e93-4968-a526-b96ec64f3995" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a15993e5-3e93-4968-a526-b96ec64f3995" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000007c56f4d4bafe584788715db4bf16c8e21a635bbffc0ca9234952588ea0765f3e000000000e8000000002000020000000fd744903837f6fc468aa95914ce702e99e049a087a02dc9787a372c5c734b42310000000a4962be99c640172c3a45e114b804bb7400000009f2dc32db90e785aa81b9ed230c431b8fd6f120fc737a2d5b7db7aec5e95cb67fc6876c0b0673358983caa3739470f0442765adb79990c08c41cea70a4b41850" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a15993e5-3e93-4968-a526-b96ec64f3995" /v "ExeParentDirectory" /t REG_SZ /d "Battlefield" /f
    3⤵
    PID:1196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a15993e5-3e93-4968-a526-b96ec64f3995" /v "GameDVR_GameGUID" /t REG_SZ /d "f6c9159e-723f-42e0-bbcd-e00f7c4ea056" /f
    3⤵
    PID:388
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a15993e5-3e93-4968-a526-b96ec64f3995" /v "TitleId" /t REG_SZ /d "2040962988" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a987fbc1-fde0-406f-a039-922a6104ad2f" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a987fbc1-fde0-406f-a039-922a6104ad2f" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a987fbc1-fde0-406f-a039-922a6104ad2f" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a987fbc1-fde0-406f-a039-922a6104ad2f" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000000ff626215e0be642554329f5ac104cbc1a68be2af9569c581a04f2d91ba8e70000000000e8000000002000020000000c168a6e465c299ea886c43f1a5c1355e0f29baa560ce8973a7f05283a2836493100000001f69ef04cd805342f6afa4018f0270f240000000f04369d1b25402d7cc1d1cda98768ac6bcef4d371aaa1ea119b372510ed3272fedf2fa8ec33a66d122cb700bb1626b0756996354fa85b224631b838f7f97269f" /f
    3⤵
    PID:3392
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a987fbc1-fde0-406f-a039-922a6104ad2f" /v "ExeParentDirectory" /t REG_SZ /d "assettocorsa" /f
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a987fbc1-fde0-406f-a039-922a6104ad2f" /v "GameDVR_GameGUID" /t REG_SZ /d "b2683437-ff17-488a-ade2-5a8d743633a0" /f
    3⤵
    PID:2120
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\a987fbc1-fde0-406f-a039-922a6104ad2f" /v "TitleId" /t REG_SZ /d "1732322725" /f
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\ae876636-f272-4eb2-aaa6-a110af0bd907" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\ae876636-f272-4eb2-aaa6-a110af0bd907" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2860
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\ae876636-f272-4eb2-aaa6-a110af0bd907" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4448
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\ae876636-f272-4eb2-aaa6-a110af0bd907" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000a5374cc32aad79527df1bdd6a6ed5a2b7818a394234daa9acc54e9c82b17b7a1000000000e8000000002000020000000f0c5dc3ebc33a37c33897bc28ac8f9224edecfef93091307cd3e1e9942ac640530000000272dc3dec90ef356793a14dd5525c0e71f9d165709d7ba9c690ced1b034da1b5b885ab519e3c5cd1ad06ae6cee2ff90640000000ddb4d48d1cbc562378b478595c431989e61ec83e85b421bb23355accf761d4f6d0384260c0dc9ca9307833b8aec83c2c4f7e8b4d5b30ba685d094cfcd9daf5f6" /f
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\ae876636-f272-4eb2-aaa6-a110af0bd907" /v "GameDVR_GameGUID" /t REG_SZ /d "bfb4b9a9-febb-4fb7-9f83-2e4fed403916" /f
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\ae876636-f272-4eb2-aaa6-a110af0bd907" /v "TitleId" /t REG_SZ /d "2036175044" /f
    3⤵
    PID:4740
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b184ff46-9cdc-4e94-b598-5e5db72274a2" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b184ff46-9cdc-4e94-b598-5e5db72274a2" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2276
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b184ff46-9cdc-4e94-b598-5e5db72274a2" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b184ff46-9cdc-4e94-b598-5e5db72274a2" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000161cbdadf5d39450a0bee3befc2ed95e044e5061bf848526f1914309c778864a000000000e80000000020000200000005ebb58bf54fb4ada2c3aa46c46b978f4541630b51534d47dc5056ca0ce632ad12000000030e09ada059a21b2b662ed7b2f5ff2a112efdba2bcad99f5ab874a3b72281702400000000a46f4881f10972bbaec181f40769a35caa0690525eb6a3fdd3392a267975c27c134e653cd162e4352d71081f2e975a4d191dbbbefe88b62b1d6446f7cbf0398" /f
    3⤵
    PID:2016
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b184ff46-9cdc-4e94-b598-5e5db72274a2" /v "GameDVR_GameGUID" /t REG_SZ /d "362c3b38-93be-4fb5-a043-2d32d134d003" /f
    3⤵
    PID:2756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b184ff46-9cdc-4e94-b598-5e5db72274a2" /v "TitleId" /t REG_SZ /d "1904011994" /f
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b184ff46-9cdc-4e94-b598-5e5db72274a2" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Prototype-2-Radnet-Edition-Repack-Games.com\Prototype 2 - Radnet Edition\prototype2.exe" /f
    3⤵
    PID:3008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b1e0341d-a9d2-402c-a242-90ae9b02723c" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b1e0341d-a9d2-402c-a242-90ae9b02723c" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b1e0341d-a9d2-402c-a242-90ae9b02723c" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:1596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b1e0341d-a9d2-402c-a242-90ae9b02723c" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000852a4c80b5c2d4cdd14afa9c70884a1e966cc3bdc0eb507cb554423a135f9011000000000e8000000002000020000000b6625f0d49036c8449e70cbfd86e2442a45a88796b7acecc0fbc6b26069fb76540000000ab2666f1466dd49612a345fe39551b912c93aab16dbd30a5c9731cb026b29625f235039625f940c5ee9ff76f35ff60aa41853b90cf45de98d8b56780b8ed2e36400000005afcb0a69f82cf57da5268a5b93c8d2cf51e1d9142f8c568f86c418cf70508378a7bbd48138521c87e57b0288207f92f9385418e24325185d132c7ba6dcb7e40" /f
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b1e0341d-a9d2-402c-a242-90ae9b02723c" /v "GameDVR_GameGUID" /t REG_SZ /d "4380af58-6d39-48e0-845c-c246ca123fb7" /f
    3⤵
    PID:3888
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b1e0341d-a9d2-402c-a242-90ae9b02723c" /v "TitleId" /t REG_SZ /d "1901314766" /f
    3⤵
    PID:816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b1e0341d-a9d2-402c-a242-90ae9b02723c" /v "MatchedExeFullPath" /t REG_SZ /d "G:\GAMES NEW\PUBG LITE\PUBGLite\Client\ShadowTrackerExtra\Binaries\Win64\PUBGLite-Win64-Shipping.exe" /f
    3⤵
    PID:4948
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4868
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000003f67a43c44df0dd2c5dc1f315c022f11dc4cde1bcc0e181bb46e06338ca8c4b7000000000e800000000200002000000057f327fbf7631f54c150df0f21751affa55f6df02586642b1668a9665939f2a92000000062d10f66f450ebbe4602f83d1af4d23c27cc19791a6e6b7cbbf5ff523f84d7e4400000007401baf762fe4e0a8bb70b0027434fc71620b423afc7b40fb1ae7641cd15339f367c13e0f7f7d64654355801d426278a530903ea53c7a17bf1e961d3d85bfce3" /f
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /v "GameDVR_GameGUID" /t REG_SZ /d "ad4e885f-9469-42d5-9c0b-73bbb96fd569" /f
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /v "TitleId" /t REG_SZ /d "1628516715" /f
    3⤵
    PID:3664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Origin APEX Legends\Apex\r5apex.exe" /f
    3⤵
    PID:4608
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bba1d6d2-9a61-42e8-8600-e0dafb8fa1d6" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bba1d6d2-9a61-42e8-8600-e0dafb8fa1d6" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bba1d6d2-9a61-42e8-8600-e0dafb8fa1d6" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bba1d6d2-9a61-42e8-8600-e0dafb8fa1d6" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000005b12daaaa2927b59072c41aa26bb3fdcecc37a96d74dc3abcb59eadc18df23fe000000000e80000000020000200000005b5b458112a4dfba3047d3639aee304889cff8bdeace5bd8163fd1cfde36db9e200000003230850dccdcef31a43b46affc78fc03e2f158bc28d49c7c076ad28e3f1d3ee64000000099a958174535f85e80417aedf6a0069d87ba0b11bf1248846370eb08b031d7f6eb6a34e2d7e8a48c158df69d5e1855844bd5af653814638fd05341dd9d5513ad" /f
    3⤵
    PID:3280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bba1d6d2-9a61-42e8-8600-e0dafb8fa1d6" /v "GameDVR_GameGUID" /t REG_SZ /d "d82d19c7-cf98-4dd1-92ee-b51acefac3ec" /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bba1d6d2-9a61-42e8-8600-e0dafb8fa1d6" /v "TitleId" /t REG_SZ /d "2089711717" /f
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bdf4f2dc-25d6-4cb4-8f2c-c268c4b0e339" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:992
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bdf4f2dc-25d6-4cb4-8f2c-c268c4b0e339" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3328
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bdf4f2dc-25d6-4cb4-8f2c-c268c4b0e339" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:4776
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bdf4f2dc-25d6-4cb4-8f2c-c268c4b0e339" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000001544559b2b0790dec67dbafe7f8bc33ece740bff7532d08bfd28422b80ae46b5000000000e8000000002000020000000fa8f7175796b2759bb9959108667bf72debd152eee259b5ab31b4590bd81c5104000000059d37d5e763633816ffdd3c68b3149f1339b15bbd308542875539f7c7d85dad9a4453c5019d239b3a12cd34c48ae4ce6e18df0d6bf8a6afb1af7697e2c56897540000000e89640ea0cdc32173f52b4cccab71050bd0ae2240fc0596727a19aacefc30171aa90324923f0b86ebd6aa1c7a4a1cf7bea5f74df5309d7d58adb9ad7d6b1a102" /f
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\bdf4f2dc-25d6-4cb4-8f2c-c268c4b0e339" /v "GameDVR_GameGUID" /t REG_SZ /d "c30126d9-4cac-461a-b331-faa613447906" /f
    3⤵
    PID:1524
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c197c13c-6b0c-4810-81d1-548ed723a399" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c197c13c-6b0c-4810-81d1-548ed723a399" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c197c13c-6b0c-4810-81d1-548ed723a399" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1556
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c197c13c-6b0c-4810-81d1-548ed723a399" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000bb3393250d77ed2dbc8fb15e0df335cadb67e0386cfb1aecc96f2b7b7a32edd3000000000e8000000002000020000000fb56066f64fa5ddbcaa150ddd4e59c1693c65382c71f518cdcd7e7f9fa0a42754000000090a2ea7402811b74f2ae8139e5454adeeb8f3aa54d40d04815315c41182b7e09fd089de96102fda7b7b44e7c341053ae0d1f6385776af46a303d76c7322b5fb0400000004b7a8c02bb0539598ab7d444a570620cf673601f7fa7d0f7c9a8299d345b3dd6e866104b52477bea7a9041549ed729ce1b936793d4ddafb00debf8b0cb6b62ca" /f
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c197c13c-6b0c-4810-81d1-548ed723a399" /v "GameDVR_GameGUID" /t REG_SZ /d "a08ed448-4755-4afd-88ea-60480149ef7a" /f
    3⤵
    PID:3596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c197c13c-6b0c-4810-81d1-548ed723a399" /v "TitleId" /t REG_SZ /d "1742142364" /f
    3⤵
    PID:3492
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c197c13c-6b0c-4810-81d1-548ed723a399" /v "ProcessDependencies" /t REG_MULTI_SZ /d "audiodg.exe|1" /f
    3⤵
    PID:2936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c1e4be0f-1b0f-4324-a064-adccbdb98dae" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c1e4be0f-1b0f-4324-a064-adccbdb98dae" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c1e4be0f-1b0f-4324-a064-adccbdb98dae" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:2380
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c1e4be0f-1b0f-4324-a064-adccbdb98dae" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000003dce0db3bbd7e2590e052ed52b818fc6b45b6ca6e4f4561b753f18afaca134f8000000000e8000000002000020000000c31d6e904e70f596541f40c1a7497394a91d265a6059b3e73f141cf523ec59a63000000092c4dda0c06b61400e11de48084aaf714804ae90712deef1a04b6afade3da94cf7780aed971510a65c35c7ff979438f0400000008ec91f3bf88c2ced36111f6b3fa4a666f23477699b9c8849a1b598980c08cb39efc320445bebdce2a78851a078cb8df088cc1354c1ba6b58b9fa317a08aa47d6" /f
    3⤵
    PID:932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c1e4be0f-1b0f-4324-a064-adccbdb98dae" /v "GameDVR_GameGUID" /t REG_SZ /d "9cd0abff-d7f4-488e-ab4d-031067591dea" /f
    3⤵
    PID:2044
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c1e4be0f-1b0f-4324-a064-adccbdb98dae" /v "TitleId" /t REG_SZ /d "2121740635" /f
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c83d8550-bfd3-4fe6-a5ed-256363e86756" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1616
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c83d8550-bfd3-4fe6-a5ed-256363e86756" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c83d8550-bfd3-4fe6-a5ed-256363e86756" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3980
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c83d8550-bfd3-4fe6-a5ed-256363e86756" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000dd054ac6c5d95b4f5babacc68c331c79b307fd03216ef76e2593863f77e86f46000000000e800000000200002000000035b190e15876bb3e37c8bcd09ee0ed557aa16f0fbeaf2fd76cdf8c3fdc1d5421200000004b277c821ac909330334de76101987258149faf9606c47567de7914c11733e7140000000570a184c0de68c0779cf372cd45a9907b0a79ba6c04863cb691be0da6c1dc88f06d206fe75b066e7a73c4da8c193ac955650dd70c6916c6e7137c531d9a83d9b" /f
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c83d8550-bfd3-4fe6-a5ed-256363e86756" /v "GameDVR_GameGUID" /t REG_SZ /d "0e943a5f-4a49-4030-8ba2-1d51e7b60a08" /f
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c83d8550-bfd3-4fe6-a5ed-256363e86756" /v "TitleId" /t REG_SZ /d "1956642556" /f
    3⤵
    PID:4016
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c83d8550-bfd3-4fe6-a5ed-256363e86756" /v "ProcessDependencies" /t REG_MULTI_SZ /d "audiodg.exe|1\0battle.net.exe|8\0battle.net helper.exe|8" /f
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c9519863-23c7-4c40-9bc4-ce362db7e451" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1288
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c9519863-23c7-4c40-9bc4-ce362db7e451" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4356
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c9519863-23c7-4c40-9bc4-ce362db7e451" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:3204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c9519863-23c7-4c40-9bc4-ce362db7e451" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000008cecf44dd00e8884f0c705961bee22cf9dda5bf3f0a20b6f7311f7c71c74e44b000000000e800000000200002000000030df540181aa25b4c8c78729868f73863fb8336bc1e3117c1005dd3fd7eb7be020000000bbdcaf3d34ab1064594c568986ffc7cfce58abd764be903c9b8768c8ed08a48d400000007429fd427f2ff32065239c22d9960b3d3713bd6a9e9792a3f8825fa6253b5b1bfeb7b1999e5cebffe05f3ca9c81aab6c4b3a921280364643f0566f285ebf2bde" /f
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c9519863-23c7-4c40-9bc4-ce362db7e451" /v "GameDVR_GameGUID" /t REG_SZ /d "b57c1fde-bc6f-4847-b086-205590b186fe" /f
    3⤵
    PID:1380
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c9519863-23c7-4c40-9bc4-ce362db7e451" /v "TitleId" /t REG_SZ /d "1639119975" /f
    3⤵
    PID:3956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\c9519863-23c7-4c40-9bc4-ce362db7e451" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Among.Us.v2020.9.9s\Among Us.exe" /f
    3⤵
    PID:4032
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\cc7a8a23-73ee-4311-b901-ac0934555ff8" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\cc7a8a23-73ee-4311-b901-ac0934555ff8" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1420
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\cc7a8a23-73ee-4311-b901-ac0934555ff8" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:2280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\cc7a8a23-73ee-4311-b901-ac0934555ff8" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000766d2cbd73f32df88bee28812f29a1db2344f4dea59b11c08e3d94cfe4aea4e4000000000e80000000020000200000004b83993140f7cdf953427e54364f4432dff389e133ff5826f61f367d1a4300a0200000004352a14616ade9b91cc8e1acacbc01183245d97446df3d4d214dc272caed941b40000000968ac6f1883e33f400573aa22ad0c2a04d33f812edc5ec5100fa6ad5931cb45a43a28fd1e614519d3d8e447b05ec5010d62714717ed0af73c77ac8d7a47df1ba" /f
    3⤵
    PID:4800
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\cc7a8a23-73ee-4311-b901-ac0934555ff8" /v "GameDVR_GameGUID" /t REG_SZ /d "c30f5807-f5c7-485b-b620-fbec6448c354" /f
    3⤵
    PID:1324
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\cc7a8a23-73ee-4311-b901-ac0934555ff8" /v "TitleId" /t REG_SZ /d "1635723607" /f
    3⤵
    PID:3576
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\cc7a8a23-73ee-4311-b901-ac0934555ff8" /v "ProcessDependencies" /t REG_MULTI_SZ /d "audiodg.exe|1\0battle.net.exe|8\0battle.net helper.exe|8" /f
    3⤵
    PID:2708
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\d34d89a7-68fc-4d19-90e7-3a6f206b7ca0" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4132
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\d34d89a7-68fc-4d19-90e7-3a6f206b7ca0" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:856
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\d34d89a7-68fc-4d19-90e7-3a6f206b7ca0" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\d34d89a7-68fc-4d19-90e7-3a6f206b7ca0" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000f7243cefb9b937ba367886ce3e2892fe28cf0c2aaef121728860cd2fd4357f6d000000000e8000000002000020000000457802b510bdad9175054f199208395fb18fb2b7112d1293a7ad5f0f0388b33230000000b0d108725e8a576b6a66bb88f6d2e8472758058f21b4c8ed75f5cb09b126a802efc0d483894476543de283a382129b9a40000000d9c31d066ffd44b9068a7a197d758c8371a8c4886751410aba6667f878a7ad74e55a7cde12b24bbd57dec28c86db8ad5a24a59ca2b4b39a81e0c889c269e275d" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\d34d89a7-68fc-4d19-90e7-3a6f206b7ca0" /v "GameDVR_GameGUID" /t REG_SZ /d "17ce277e-8b63-4b81-b9c8-0856374906d3" /f
    3⤵
    PID:4504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\d34d89a7-68fc-4d19-90e7-3a6f206b7ca0" /v "TitleId" /t REG_SZ /d "1967200449" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\daff267a-d1b8-46cd-a81a-6d62df3e01bd" /v "Type" /t REG_DWORD /d "2" /f
    3⤵
    PID:4960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\daff267a-d1b8-46cd-a81a-6d62df3e01bd" /v "Revision" /t REG_DWORD /d "2" /f
    3⤵
    PID:3668
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\daff267a-d1b8-46cd-a81a-6d62df3e01bd" /v "Flags" /t REG_DWORD /d "21" /f
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\daff267a-d1b8-46cd-a81a-6d62df3e01bd" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb0100000047e5addb542ede4580e9545ed0ca78500400000002000000000010660000000100002000000038027a84f65779c781b8f6d2b51bbafb5693a0c323e1438a8c633c174e7cd14b000000000e8000000002000020000000cf2742785f603eaebdf4f12741669af4ecce029326347279995745404cdeda6e700000003cc3b8f6cc83156000e3ca1f24520074d1b624683e304ca2da0e1b9d96665c606e87d1fc5cf07c75319d9df1045a712ff5059e3910ca244e14faef5a4b1ea9f96faada0f4482de78c85eb1865d0daf200a5f607034d740733c996443667676148905551903331800b8e3d1f80a680cf4400000006bb174fde7ab158ca2aa5aa0422ac8f4336db173bea3f0cf4baf874457e1c49a23f0cb49d5cff7b72248d27f9c997c460a39c523256c1ad2e17a3927a163d205" /f
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\df67af05-43cc-40b4-9665-a53aaf762185" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\df67af05-43cc-40b4-9665-a53aaf762185" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:388
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\df67af05-43cc-40b4-9665-a53aaf762185" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\df67af05-43cc-40b4-9665-a53aaf762185" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000002c90190a342d9bf938e388c11819906ff2a9c52ff42e4fe073a2dd69d3bc256b000000000e800000000200002000000072428f64acf4546d59ca9f94541357ed54760cb8dfe19a8092661ae29c5a019d40000000a8fc92784b2dfa3d23e6f82dd2d4cdccf446df9a9a73ef8e4f6ed0f8f5afc461845ec36576ae6bf4c6660b7ac5f16b51b6532be2a396d3f260d72c92dcce2c1f4000000053271e618d82c901064ebb7ee8b57e9ce2cbf7d88296aff8ad5c1573e9b1795f205bff08799eeab1500915188d8ec8e90576d8b3d0c42eb4c5039056a259795f" /f
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\df67af05-43cc-40b4-9665-a53aaf762185" /v "GameDVR_GameGUID" /t REG_SZ /d "298d8e69-36b0-4fe9-86dd-90d75d8daad4" /f
    3⤵
    PID:208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\df67af05-43cc-40b4-9665-a53aaf762185" /v "TitleId" /t REG_SZ /d "1856764962" /f
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\df67af05-43cc-40b4-9665-a53aaf762185" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Valorant\Riot Games\VALORANT\live\ShooterGame\Binaries\Win64\VALORANT-Win64-Shipping.exe" /f
    3⤵
    PID:3392
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2120
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000accfc29dc43025bf914cb5fdb7241834960a0297473fbb02002e9edd670bf82c000000000e8000000002000020000000a5a493782a40a1ee24bfe0b08bf763f2e64dd668307b2a2ee8929c9ac659d42c300000002696fa26aa65c34ec87017931c3665eba15acba0eb87efd6c77f013b8f5b132e6b14fd5c5be1315f46e69ed0a50e18f6400000003a95149f54eed0e3e571ceebacbba99ff26a51f3e2f2c3261c64d4e719cef60e5443d99adc96e8d6f1a54f94e707645a675c4d11e807319b9d4cb8c8418809a5" /f
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "WorkingDirectory" /t REG_SZ /d "Genshin Impact Game" /f
    3⤵
    PID:2860
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "GameDVR_GameGUID" /t REG_SZ /d "a45347a2-1f0d-4c04-be2d-8f4af1cc5396" /f
    3⤵
    PID:4448
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "TitleId" /t REG_SZ /d "1962957406" /f
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Genshinimpact\Genshin Impact Game\GenshinImpact.exe" /f
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e4d45d34-f695-4946-b390-aafd888b99ba" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3972
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e4d45d34-f695-4946-b390-aafd888b99ba" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4740
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e4d45d34-f695-4946-b390-aafd888b99ba" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:2276
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e4d45d34-f695-4946-b390-aafd888b99ba" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000051e2519ac3805838c1cfcbf2c84cf2f695e527f1f42758fc148d4d5c7d5cfd1b000000000e8000000002000020000000e2e77998d9094df1a3c7c8e4d53b65699dbcf128203e9b3c8eb4cc916506235e20000000b87972e674d792f30f06799eb30cf6b958453b92b7cd17f42e864dd5a7ac598540000000f96f569b51488b9d3239aafec3b1306462ad5848692beb81159942fbb8d93123dc32510c9fcb7e3e0e04ab06df6c347fb6b453d4cc7f490b17d9f41147c909ee" /f
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e4d45d34-f695-4946-b390-aafd888b99ba" /v "GameDVR_GameGUID" /t REG_SZ /d "c3f4f46d-343f-4ea8-86dc-d098f7d37e8e" /f
    3⤵
    PID:3940
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e4d45d34-f695-4946-b390-aafd888b99ba" /v "TitleId" /t REG_SZ /d "1885819086" /f
    3⤵
    PID:2016
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "Flags" /t REG_DWORD /d "17" /f
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000090ad5422929108c621147b2aaf7db30d9ff7181128be6de41e15ccfc33534857000000000e8000000002000020000000df7d0d0482fd0952e964a28b94e1a2741707d5426dc895912d116ab0966732182000000015db14819a71c9fcb074c5b5f130555e79e99e9a3cea4450e734d753830e228540000000b2187a6a40374c577e909d8b7ba47aad7354ee5a05de15a8a4e3713af6ad3fda2d11e01616fa4cbe27735a1df6171a363b9915cb817355a97351a3501951be3b" /f
    3⤵
    PID:3344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "ExeParentDirectory" /t REG_SZ /d "GTAV" /f
    3⤵
    PID:1596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "GameDVR_GameGUID" /t REG_SZ /d "60d5e8cc-84c4-48a1-b0f9-97ad3aaef80a" /f
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "TitleId" /t REG_SZ /d "1862446374" /f
    3⤵
    PID:3888
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\e7644f6a-21c2-441c-97a8-13ed3ba581b3" /v "MatchedExeFullPath" /t REG_SZ /d "E:\Grand Theft Auto 5\GTAV\GTA5.exe" /f
    3⤵
    PID:816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\eaf3cd49-369a-40e7-9294-ca808398be54" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4948
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\eaf3cd49-369a-40e7-9294-ca808398be54" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4868
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\eaf3cd49-369a-40e7-9294-ca808398be54" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\eaf3cd49-369a-40e7-9294-ca808398be54" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000bb2ca4aa6db33ca596daa91e07368e9e212864a42175b1106648181e9c6a1aea000000000e800000000200002000000035c70844a5ac3b1fc2aa037a8edfb622607ce0a4f88d49dbe176b98b8deeafb2200000001fb03eda6fcc9e9aa372d546346b71c185f2a20279bbf84700b23f4b3d4a9cc040000000d5a83c90eae4820b1f9df490e0161f1658462b8bba4fd26559e56cf3cdc2b6e03bd74a542279cdda8112f3836e2eb236bfe9236725b95ea24c29ddea6518e19b" /f
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\eaf3cd49-369a-40e7-9294-ca808398be54" /v "ExeParentDirectory" /t REG_SZ /d "GRID" /f
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\eaf3cd49-369a-40e7-9294-ca808398be54" /v "GameDVR_GameGUID" /t REG_SZ /d "cc5724d4-30f5-462b-8072-c92d17b68c7c" /f
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\eaf3cd49-369a-40e7-9294-ca808398be54" /v "TitleId" /t REG_SZ /d "1788842502" /f
    3⤵
    PID:3664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4608
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000eaa9e5371468084e15832d97bba09c1a1635fde8e7dcc8932027da763679fe0b000000000e8000000002000020000000ac28d58d6b24bcc2af2ca77b73b4130fa17d8c1f91683bcd484e5056a1a0c7a730000000302e70e86e39f6f0dfa5a5757362a3b10311bf2b7acd615238c372ec466db6d6091938398d3cd92016c75f3b954c3ddc40000000396c5a939e89e17f1f9e2f0d188fe8b5dcf49840d90f0f67543bbafad6cdc9b1413a8111dc1ed0dc38819683193e9d015e0ec153d3fd4eb7809574299250240e" /f
    3⤵
    PID:4028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "GameDVR_GameGUID" /t REG_SZ /d "c0898033-346c-4910-bbaa-302b00271b09" /f
    3⤵
    PID:3280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "TitleId" /t REG_SZ /d "1847408598" /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "ProcessDependencies" /t REG_MULTI_SZ /d "dwm.exe|8\0audiodg.exe|1\0battle.net.exe|8\0battle.net helper.exe|8" /f
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "AGGProfile" /t REG_DWORD /d "0" /f
    3⤵
    PID:372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /v "AGCpuAlloc" /t REG_DWORD /d "6" /f
    3⤵
    PID:992
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efcf187d-4945-4351-a98a-75e2174c9622" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:4776
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efcf187d-4945-4351-a98a-75e2174c9622" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efcf187d-4945-4351-a98a-75e2174c9622" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:1524
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efcf187d-4945-4351-a98a-75e2174c9622" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000007827db9cf74f3ee354a9562d8ddda269dbcb312278db8dbc30472e1f748c87b2000000000e8000000002000020000000ff009feb08f6d7fd59b5c987055b3840ce59fb50d7e5f263cbb6a4f3bf43a9e3300000005f3412b92a322c2f1144ce5da419f661cd0334f8ddab0b7982030550c786039d9190e3d07e875140c086d9bbd9a88e7840000000e692f89f8ed74b5eb2e0b7ec8dddcd2d524693ca62c22f037de354bcb4ec66ed204c940098e180c58e8c65c92ec863d31fe5ab16c568a3822bf2e5fee8083ca0" /f
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efcf187d-4945-4351-a98a-75e2174c9622" /v "GameDVR_GameGUID" /t REG_SZ /d "a659d45b-c8a5-4387-9dea-7c1df35ac01c" /f
    3⤵
    PID:952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\efcf187d-4945-4351-a98a-75e2174c9622" /v "TitleId" /t REG_SZ /d "2066051089" /f
    3⤵
    PID:1556
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f09e4f3d-0532-4849-be15-84f788238f94" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f09e4f3d-0532-4849-be15-84f788238f94" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:3116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f09e4f3d-0532-4849-be15-84f788238f94" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:3596
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f09e4f3d-0532-4849-be15-84f788238f94" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000037b835da036dc33207405b52ff9331fa8839879acb4c9e65f7b2affdc92b014b000000000e800000000200002000000031f76d7cb95987ce8f5d0fdbe3aa1ebdbf9caf57b8f00c35acac377cd5eb70bb20000000e6228ab74c81d5e99faeb0c6700a0ce3fc2ce33a541f0b8898fcf7af479fb40a40000000c89a9ece63276ae4a82bb033ccaf29bfc1ea109e8995af8a578806b67787410fcdcb5344af0bddb29b5364db7671e9a62399853c95f9684106b0ba89c0ffe852" /f
    3⤵
    PID:2936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f09e4f3d-0532-4849-be15-84f788238f94" /v "GameDVR_GameGUID" /t REG_SZ /d "554b6181-aab1-4c3e-b094-e6d3dbb5b1c7" /f
    3⤵
    PID:4332
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f09e4f3d-0532-4849-be15-84f788238f94" /v "TitleId" /t REG_SZ /d "1625658903" /f
    3⤵
    PID:3568
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f11b2656-13c5-4853-b40c-b19b585b1848" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:2288
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f11b2656-13c5-4853-b40c-b19b585b1848" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f11b2656-13c5-4853-b40c-b19b585b1848" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:2044
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f11b2656-13c5-4853-b40c-b19b585b1848" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000001e73e4c82ba1aef5e7c3c72b7b9c86d7e0cbd6bef6ae6f565e4108890507cab1000000000e8000000002000020000000e9abd925ebcdcaef695775ac41b5479d1abe5df956c47d1e679cf47deea921d11000000020b7e15df0f72ea44831af179a18298c400000001438002231724b7b64b8d2474aa3d395bac952e15afefdb2dfc11d137a19f66cc5bc6b8d102e2baa2c63ad3d785a715d99d7e5cc9d4cac80c8c2dac106282fb5" /f
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f11b2656-13c5-4853-b40c-b19b585b1848" /v "ExeParentDirectory" /t REG_SZ /d "Football Manager 2016" /f
    3⤵
    PID:2108
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f11b2656-13c5-4853-b40c-b19b585b1848" /v "GameDVR_GameGUID" /t REG_SZ /d "a8f7ac30-5e5a-4576-9270-9128281651d0" /f
    3⤵
    PID:4764
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f11b2656-13c5-4853-b40c-b19b585b1848" /v "TitleId" /t REG_SZ /d "1840192853" /f
    3⤵
    PID:5004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f32dcc88-b7b8-44f9-aa75-65c56b892571" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3572
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f32dcc88-b7b8-44f9-aa75-65c56b892571" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f32dcc88-b7b8-44f9-aa75-65c56b892571" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f32dcc88-b7b8-44f9-aa75-65c56b892571" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa10400000002000000000010660000000100002000000068dc6c87eab147d1eb0baed563170a1898c1c397bec1215048e4637cc45d80d6000000000e80000000020000200000007c8a89f77ac452cabeea16be65958a11f0495227a9f742219509c673e77aa97c3000000004be50d61c291c9ef72d6ca3e83db399ec0c22c394be0e7511fe8a598fcc8886da4218bf504cf9ed37296456e518abed40000000ac2d643f068dca838284b6b1e05043acb6d5f7025fdf7f0fe5d9f4a658feb275d830eb2de3b3416f9fb3f6cf3b0845b4c6c809f5739a9df5544563b4449258af" /f
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f32dcc88-b7b8-44f9-aa75-65c56b892571" /v "GameDVR_GameGUID" /t REG_SZ /d "6b4a265d-d929-4b46-afd7-0da75f0dddcd" /f
    3⤵
    PID:2368
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f32dcc88-b7b8-44f9-aa75-65c56b892571" /v "TitleId" /t REG_SZ /d "1698925306" /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:3204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /v "Flags" /t REG_DWORD /d "561" /f
    3⤵
    PID:636
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000008a43c2d67c7f48bcdfc64b822d2619be6b1e66065252b5a536c1acc4bd592926000000000e8000000002000020000000370b1153d3d5662262e58a22b9ee2d8e937b7e8701101012fedab16af61c636c100000003cf701741a7f7412ff1ab492dd89cb4f40000000a71e9021ab2e709c6fc293c863f3d3e7d44f53fa54dbde12de4cf9764861d80593532b81aeba4357390ae51814dcf68da6ae28e75a402cd8ea542e67a8c6f3a1" /f
    3⤵
    PID:3308
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /v "ExeParentDirectory" /t REG_SZ /d "Final Fantasy FFX" /f
    3⤵
    PID:2360
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /v "GameDVR_GameGUID" /t REG_SZ /d "3e51bbe8-2433-4cb0-8c81-5c49d022afad" /f
    3⤵
    PID:2724
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /v "TitleId" /t REG_SZ /d "1781682593" /f
    3⤵
    PID:2224
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f817cc32-56a9-40bd-b0d9-23eea5180be7" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f817cc32-56a9-40bd-b0d9-23eea5180be7" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:4296
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f817cc32-56a9-40bd-b0d9-23eea5180be7" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:4060
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f817cc32-56a9-40bd-b0d9-23eea5180be7" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa1040000000200000000001066000000010000200000003cb3df52064dbaf89bfb2d2899f81938d8200bc9d6ab97e5c97fe44d6242baf4000000000e8000000002000020000000108ca93f649200e49f2ee95c6b8190172f97d06925878661b427b6688dce90ba1000000070675e25b1eb9d924dd3196646873c42400000004f4216b189c94ab36cc23716a6ec8f5c7628bcf124c47095f82696b9ea0dd5c2af4201df518ecebbee3471d19c226dfbaf2a4759d91f0b5c711d676067e82a88" /f
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f817cc32-56a9-40bd-b0d9-23eea5180be7" /v "ExeParentDirectory" /t REG_SZ /d "Football Manager 2017" /f
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f817cc32-56a9-40bd-b0d9-23eea5180be7" /v "GameDVR_GameGUID" /t REG_SZ /d "59c1ed54-b5ed-462e-bfc0-533364b6eb1b" /f
    3⤵
    PID:452
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\f817cc32-56a9-40bd-b0d9-23eea5180be7" /v "TitleId" /t REG_SZ /d "2068593342" /f
    3⤵
    PID:3592
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "Type" /t REG_DWORD /d "1" /f
    3⤵
    PID:900
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "Revision" /t REG_DWORD /d "1995" /f
    3⤵
    PID:2420
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "Flags" /t REG_DWORD /d "51" /f
    3⤵
    PID:376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "Parent" /t REG_BINARY /d "01000000d08c9ddf0115d1118c7a00c04fc297eb010000005646f052f98c0242b48576641e122aa104000000020000000000106600000001000020000000fc81d8225783ddecd2ddbbffa724b4f0389c240ae9956eb78b233abf372145c0000000000e8000000002000020000000d0a997de3b9de7d40d9943a5da76fc160bf306fdf5ffadcdfb1be4d454e75d3c4000000033d3320ef5f834ce0405ff9ac5d61504c9fae3e2232a81abee576fa4353b61a8045e9f29d85c95f0f68db141b7be5fbcacebf93bd7488a04307fd5c8d2f3a2574000000024b91cd156274eb63164985bc3e453b03837563a28b02ecf1eef92aec856916e3c94cd2670ee0e74e8852cf2739852eb771ad7df12b56a06e0c97b94fb8c8a71" /f
    3⤵
    PID:5036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "GameDVR_GameGUID" /t REG_SZ /d "0dbef0c8-0e99-4215-a848-e66dcc1e552e" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "TitleId" /t REG_SZ /d "1847408598" /f
    3⤵
    PID:3892
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "ProcessDependencies" /t REG_MULTI_SZ /d "dwm.exe|8\0audiodg.exe|1\0battle.net.exe|8\0battle.net helper.exe|8" /f
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "AGGProfile" /t REG_DWORD /d "0" /f
    3⤵
    PID:4836
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Children\fd061fe8-4abb-49a5-87dc-04b417fc9d58" /v "AGCpuAlloc" /t REG_DWORD /d "6" /f
    3⤵
    PID:2844
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v "HiberbootEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:388
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Gaming.GameBar.PresenceServer.Internal.PresenceWriter" /v "ActivationType" /t REG_DWORD /d "0" /f
    3⤵
    PID:412
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
    3⤵
    PID:2232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "DisallowShaking" /t REG_DWORD /d "1" /f
    3⤵
    PID:4756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "EnableBalloonTips" /t REG_DWORD /d "0" /f
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
    3⤵
    PID:4196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\userNotificationListener" /v "Value" /t REG_SZ /d "Deny" /f
    3⤵
    PID:5020
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo" /v "DisabledByGroupPolicy" /t REG_DWORD /d "1" /
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System" /v "AllowExperimentation" /t REG_DWORD /d "0" /f
    3⤵
    PID:2860
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\System\AllowExperimentation" /v "value" /t REG_DWORD /d "0" /f
    3⤵
    PID:1040
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\0bc97dda792354c9738b56ce8b6486c71f23735b" /v "Children" /t REG_MULTI_SZ /d "70c3139d-9c99-4038-ad15-1d6bf312fb15" /f
    3⤵
    PID:4600
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\13db9297cda46cb056db3bc2ca1b76cb297c4bc9" /v "Children" /t REG_MULTI_SZ /d "11163eb8-ff97-4fc8-a4d1-1d46c9565579\05d93a35e-310b-4e76-8967-b97ae66016a2" /f
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\15e1a4ba98e6b8d7ab5ed6b778e0c1319b265846" /v "Children" /t REG_MULTI_SZ /d "40aa1199-5ca0-4ee6-be13-eb5009af6889" /f
    3⤵
    PID:5056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\164de021641dc218ccc9560b9223323ab5028c2b" /v "Children" /t REG_MULTI_SZ /d "e45e5935-d67d-4f1c-bccf-bacf6c43fd3c" /f
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\17d98bb2acb993926de96803a5c39132efc65ae6" /v "Children" /t REG_MULTI_SZ /d "efb98d70-9539-42ef-aa1d-9dc1a4c393d4" /f
    3⤵
    PID:3504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\18645e43f893a0388102a69294599ef555693e6a" /v "Children" /t REG_MULTI_SZ /d "9d41f6f1-5618-4606-a8ec-1100921065fc" /f
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\19ca7875365b44cc1c8d081d2f9f7baa7225c118" /v "Children" /t REG_MULTI_SZ /d "405c1cab-14ed-4e85-97a8-ec71126aa2e7" /f
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\1dac836e9d3d73374af08b598159d227ae66c385" /v "Children" /t REG_MULTI_SZ /d "b1e0341d-a9d2-402c-a242-90ae9b02723c" /f
    3⤵
    PID:2016
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\21d43df2829a486c9db797b7a369973eadf496a5" /v "Children" /t REG_MULTI_SZ /d "73400fc2-5ae9-4532-86dd-29d81bae1132" /f
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\2bca56e235e511f19c933498c6dca99dc768874f" /v "Children" /t REG_MULTI_SZ /d "46fc0979-b6fb-4de8-b90d-253cc753d244" /f
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\2ccad2ffd4b63b943db57c84977eb9eafc39407f" /v "Children" /t REG_MULTI_SZ /d "cc7a8a23-73ee-4311-b901-ac0934555ff8" /f
    3⤵
    PID:1292
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\3baec0d39784813923364ce0be05a0a5cadea9a6" /v "Children" /t REG_MULTI_SZ /d "40e28932-7ee7-404d-b262-77693fb6f631" /f
    3⤵
    PID:3264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\3f73174dd51c9ac4b7c2d21e36cdf4f619b3dc0a" /v "Children" /t REG_MULTI_SZ /d "f09e4f3d-0532-4849-be15-84f788238f94" /f
    3⤵
    PID:744
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\461a1d0e3274a67f935b9aa1a6542c2303de5b5d" /v "Children" /t REG_MULTI_SZ /d "bba1d6d2-9a61-42e8-8600-e0dafb8fa1d6" /f
    3⤵
    PID:2852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\4e5a7f5000fd4c998166c2662d4b4194217171f6" /v "Children" /t REG_MULTI_SZ /d "c1e4be0f-1b0f-4324-a064-adccbdb98dae" /f
    3⤵
    PID:1808
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\54a192d374e9e0f0134509646ebf8797e6a9e951" /v "Children" /t REG_MULTI_SZ /d "37578440-a809-44bd-88fe-2f00932796b4" /f
    3⤵
    PID:1932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\556f7542d20ee2ee986355b044240b4d83998589" /v "Children" /t REG_MULTI_SZ /d "008af23d-f4cc-4435-9422-b95fecf4b177" /f
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\5751eb83e35f2c2a1cff00d464a314d51d61bc8d" /v "Children" /t REG_MULTI_SZ /d "456db1d1-339b-4a77-8b0b-6795a1699345\0a987fbc1-fde0-406f-a039-922a6104ad2f" /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\6b7bb0624f10321f62d3e1907984037b693ec034" /v "Children" /t REG_MULTI_SZ /d "d34d89a7-68fc-4d19-90e7-3a6f206b7ca0" /f
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\6ff4490185970e12c42bf9ff6edb6211715ae6f0" /v "Children" /t REG_MULTI_SZ /d "a15993e5-3e93-4968-a526-b96ec64f3995" /f
    3⤵
    PID:4052
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\7410f82bb530dfbe6916585ad3dec34738eee856" /v "Children" /t REG_MULTI_SZ /d "326c86ae-f3a9-4980-8b9e-1da326311c76" /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\747b52f67b4650136507fee1134415172c89cb72" /v "Children" /t REG_MULTI_SZ /d "241e0838-282a-453c-bf0c-b453987e7fa3" /f
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\760cbffe1bb3645cf041d74c5fd01959666e4b71" /v "Children" /t REG_MULTI_SZ /d "5bb62464-0905-4a39-b7e4-317edb6f0b33" /f
    3⤵
    PID:4496
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\78362f170001b9043c42ad7a29b7093e69a12e36" /v "Children" /t REG_MULTI_SZ /d "c197c13c-6b0c-4810-81d1-548ed723a399" /f
    3⤵
    PID:3288
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\784cd9ae7b605f77cbab744e674eaed0fadf9da4" /v "Children" /t REG_MULTI_SZ /d "50ef2ba5-7013-4e09-917e-2e77e806b4d4" /f
    3⤵
    PID:3028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\7cc4477119972383c7fc71b5f96e02b364bba0a8" /v "Children" /t REG_MULTI_SZ /d "ae876636-f272-4eb2-aaa6-a110af0bd907" /f
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\7ff175d986357b05f6f779b329e471b9bd3e1397" /v "Children" /t REG_MULTI_SZ /d "eaf3cd49-369a-40e7-9294-ca808398be54" /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\818bbb92210157befde3d513732a0f68fcb21f22" /v "Children" /t REG_MULTI_SZ /d "b184ff46-9cdc-4e94-b598-5e5db72274a2" /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\83d1c9503115e7a5bd770352f612762236d960a0" /v "Children" /t REG_MULTI_SZ /d "40406386-7428-4521-a6f9-2f0581086ddf" /f
    3⤵
    PID:2468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\86ac5f666fad6fe265cd9f69fa56309e34359f05" /v "Children" /t REG_MULTI_SZ /d "9fc09f67-272f-43f3-8c0b-2557f99f08fd" /f
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\9d706dfab071ca7347ab3a1414917e3b7e921565" /v "Children" /t REG_MULTI_SZ /d "7c6c29ed-6638-4b39-87c9-90749f34fd0f" /f
    3⤵
    PID:1772
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\9dd084799375aa6369c95c0e6dce89f6faa084ba" /v "Children" /t REG_MULTI_SZ /d "0731122e-f429-4e74-8501-842bc3d88850" /f
    3⤵
    PID:2912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\9e5c30e60b97bc1279cd05f0922c71e64dc1855b" /v "Children" /t REG_MULTI_SZ /d "00e51963-7a20-47e8-86dd-c5061773edad" /f
    3⤵
    PID:2700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\a50cecbc1813396c210d4878031f61788e7fa199" /v "Children" /t REG_MULTI_SZ /d "43c24735-989f-477c-8ced-dc705c0a60aa" /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\a6ec42280ea39e6cfb7748477a1f50b3bd4168f6" /v "Children" /t REG_MULTI_SZ /d "c9519863-23c7-4c40-9bc4-ce362db7e451" /f
    3⤵
    PID:1768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\a86e29e1b9b350d33c81de049a2f90d7d01300b6" /v "Children" /t REG_MULTI_SZ /d "8d4cda1b-ff25-4b90-b9eb-212e1939db2c" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\aeea45e8f7554649a505fbab6d8dc9ecf551216d" /v "Children" /t REG_MULTI_SZ /d "fd061fe8-4abb-49a5-87dc-04b417fc9d58" /f
    3⤵
    PID:2920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\a9ddf809324ceacc524160285cfa19772e1bd810" /v "Children" /t REG_MULTI_SZ /d "77b4d6e3-85d7-4ae9-ad9b-52b42f98077f" /f
    3⤵
    PID:952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\a921abdb05dbf53aab652322f6593dee42c2b1ed" /v "Children" /t REG_MULTI_SZ /d "4f561632-47cd-4c2b-93a9-e1da865f03ba" /f
    3⤵
    PID:3408
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\b22d1f8f1f566b00e9043a2cade7c2134f29bb4e" /v "Children" /t REG_MULTI_SZ /d "df67af05-43cc-40b4-9665-a53aaf762185" /f
    3⤵
    PID:1688
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\b41b8262de472dbbdc8020df06aa2c0b7e3ea813" /v "Children" /t REG_MULTI_SZ /d "f32dcc88-b7b8-44f9-aa75-65c56b892571" /f
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\b4806c5e824b322a99b84056515450922fe5640a" /v "Children" /t REG_MULTI_SZ /d "e4d45d34-f695-4946-b390-aafd888b99ba" /f
    3⤵
    PID:2936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\ba53742a9490396f8c5033fde191afc9be8dee59" /v "Children" /t REG_MULTI_SZ /d "5cdff6ad-e34e-4062-877b-3fe82e7c8949" /f
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\ba6a31c3a81dac0acfb3b70d1c3f2730049c020d" /v "Children" /t REG_MULTI_SZ /d "04cc06c9-e532-4b12-a143-77fc1cb3283a" /f
    3⤵
    PID:1580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\bb86857323422599613eeec70a2c8fb69a1b5048" /v "Children" /t REG_MULTI_SZ /d "f5c0fdf2-5311-4291-a813-3fc6fd0670b5" /f
    3⤵
    PID:4264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\beeaf57760b6078f2048d7ac5a1569c40a224ddb" /v "Children" /t REG_MULTI_SZ /d "b8b48b38-1c19-4dd7-ae69-3ba5cbab0db0" /f
    3⤵
    PID:4912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\bf76d7aa2319c58db1fcc054a1d6ebc68d7ec02d" /v "Children" /t REG_MULTI_SZ /d "daff267a-d1b8-46cd-a81a-6d62df3e01bd" /f
    3⤵
    PID:3688
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\c864119dc43a344a0cea2e48e3152ff47bc2aea4" /v "Children" /t REG_MULTI_SZ /d "0a956050-9628-4220-b516-808e497417c6" /f
    3⤵
    PID:3852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\c8f36f5d2b339324d4e0350447a928b0a59dedb8" /v "Children" /t REG_MULTI_SZ /d "6053cdf7-6d52-42c8-9967-a29a542b7ae1" /f
    3⤵
    PID:4056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\c8f57eb7877c46cdc947e3858c73ae5a90b800a2" /v "Children" /t REG_MULTI_SZ /d "9b9b54e1-b0b2-42f8-b46a-63386dd30005" /f
    3⤵
    PID:1616
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\cd628eff300490dd25e28b5bd6867dd5b3a119af" /v "Children" /t REG_MULTI_SZ /d "e7644f6a-21c2-441c-97a8-13ed3ba581b3\037b0bb90-816e-4853-b8e4-b943541b2f03" /f
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\d2dd1c0d911ca04f99087a96acbc876968e287bb" /v "Children" /t REG_MULTI_SZ /d "efcf187d-4945-4351-a98a-75e2174c9622" /f
    3⤵
    PID:1036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\d30a8f0e5e4a0e9287cac0649e8567053f6228c4" /v "Children" /t REG_MULTI_SZ /d "c83d8550-bfd3-4fe6-a5ed-256363e86756" /f
    3⤵
    PID:3076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\db731c30be44928da277be5eb0d3ed1b191da99c" /v "Children" /t REG_MULTI_SZ /d "70df813c-6159-4d82-b679-3b79c7aa6cb1" /f
    3⤵
    PID:628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\dccff1b68e615cd9388a94b302b7211469ed58dd" /v "Children" /t REG_MULTI_SZ /d "4787b2ac-d4ec-45b8-818a-bfaa6ff7daa3" /f
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\e248deb5fd1953c61c576f79afec8755e3ce6b2b" /v "Children" /t REG_MULTI_SZ /d "3409f26f-7bae-42a6-9c74-99c544ce5476" /f
    3⤵
    PID:1740
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\e37cabb84155061d2de72ac9e8b633373e5f4e03" /v "Children" /t REG_MULTI_SZ /d "bdf4f2dc-25d6-4cb4-8f2c-c268c4b0e339" /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\e65172718d545564b6d96726e22492027026b92a" /v "Children" /t REG_MULTI_SZ /d "3f43ed16-df66-4422-abd8-925b1350bb64" /f
    3⤵
    PID:3204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\e8e54db2f478e83bccbe834d2ee69fc21c7b9991" /v "Children" /t REG_MULTI_SZ /d "9253f3de-1abd-412c-8fca-25196b323e44" /f
    3⤵
    PID:1908
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\ea33dbb01c010936a19f91c660f93b49001a49b9" /v "Children" /t REG_MULTI_SZ /d "89012e6d-35ec-4578-bdbd-1e9c2f91d561" /f
    3⤵
    PID:636
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\ed8fd9401e0c084095e97928a94b5ced4a9f0dc0" /v "Children" /t REG_MULTI_SZ /d "f11b2656-13c5-4853-b40c-b19b585b1848\0f817cc32-56a9-40bd-b0d9-23eea5180be7\088bba3e3-6149-435f-8f03-2e763a6b28e5" /f
    3⤵
    PID:3308
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore\Parents\fd13f746e7d2d69760b017363f621255c9b49ac8" /v "Children" /t REG_MULTI_SZ /d "0f715c27-e790-401f-b0a4-58a636f50f48" /f
    3⤵
    PID:2140
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3724
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "0" /f
    3⤵
    PID:5040
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications" /v "GlobalUserDisabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:2792
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t REG_DWORD /d "0" /f
    3⤵
    PID:452
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f
    3⤵
    PID:3592
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\OneDrive" /v "DisableFileSyncNGSC" /t REG_DWORD /d "1" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
    3⤵
    PID:4504
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d "0" /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d "0" /f
    3⤵
    PID:4960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
    3⤵
    PID:3668
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:4272
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d "1" /f
    3⤵
    PID:3184
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
    3⤵
    PID:2036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:1196
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
    3⤵
    PID:2232
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "AllowAutoGameMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:652
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "AutoGameModeEnabled" /t REG_DWORD /d "1" /f
    3⤵
    PID:3960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "300" /f
    3⤵
    PID:3164
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "100" /f
    3⤵
    PID:1348
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "0" /f
    3⤵
    PID:220
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "300" /f
    3⤵
    PID:4048
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
    3⤵
    PID:2756
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AAF_NA" /t REG_DWORD /d "0" /f
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "AntiAlias_NA" /t REG_SZ /d "0" /f
    3⤵
    PID:4724
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000" /v "ASTT_NA" /t REG_SZ /d "0" /f
    3⤵
    PID:2348
- - C:\Windows\system32\sc.exe
    sc stop DiagTrack
    3⤵
    - Launches sc.exe
    PID:4760
- - C:\Windows\system32\sc.exe
    sc config DiagTrack start= disabled
    3⤵
    - Launches sc.exe
    PID:2876
- - C:\Windows\system32\sc.exe
    sc stop dmwappushservice
    3⤵
    - Launches sc.exe
    PID:3344
- - C:\Windows\system32\sc.exe
    sc config dmwappushservice start= disabled
    3⤵
    - Launches sc.exe
    PID:1596
- - C:\Windows\system32\sc.exe
    sc stop diagnosticshub.standardcollector.service
    3⤵
    - Launches sc.exe
    PID:1504
- - C:\Windows\system32\sc.exe
    sc config diagnosticshub.standardcollector.service start= disabled
    3⤵
    - Launches sc.exe
    PID:3888
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "SystemResponsiveness" /t REG_DWORD /d "1" /f
    3⤵
    PID:816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
    3⤵
    PID:1808
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
    3⤵
    PID:4052
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\ControlSet001\Services\Ndu" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Serialize" /v "StartupDelayInMSec" /t REG_DWORD /d "0" /f
    3⤵
    PID:4608
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d "1" /f
    3⤵
    PID:4304
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSecondsInSystemClock" /t REG_DWORD /d "1" /f
    3⤵
    PID:3028
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v MinAnimate /t REG_SZ /d 0 /f
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\MicrosoftEdge\Main" /v "AllowPrelaunch" /t REG_DWORD /d "0" /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\JavaSoft" /v "SPONSORS" /t REG_SZ /d "DISABLE" /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\Wow6432Node\SOFTWARE\JavaSoft" /v "SPONSORS" /t REG_SZ /d "DISABLE" /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1772
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
    3⤵
    PID:2912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocationScripting" /t REG_DWORD /d "1" /f
    3⤵
    PID:1768
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableWindowsLocationProvider" /t REG_DWORD /d "1" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableLocation" /t REG_DWORD /d "1" /f
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\UnsupportedHardwareNotificationCache" /v "SV2" /t REG_DWORD /d "0" /f
    3⤵
    PID:3408
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\UnsupportedHardwareNotificationCache" /v "SV1" /t REG_DWORD /d "0" /f
    3⤵
    PID:2920
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehaviorMode" /t REG_DWORD /d "2" /f
    3⤵
    PID:1688
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_FSEBehavior" /t REG_DWORD /d "2" /f
    3⤵
    PID:2936
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_HonorUserFSEBehaviorMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_DXGIHonorFSEWindowsCompatible" /t REG_DWORD /d "1" /f
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "AutoEndTasks" /t REG_SZ /d "1" /f
    3⤵
    PID:1580
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "HungAppTimeout" /t REG_SZ /d "1000" /f
    3⤵
    PID:4264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "MenuShowDelay" /t REG_SZ /d "8" /f
    3⤵
    PID:4912
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Mouse" /v "MouseHoverTime" /t REG_SZ /d "8" /f
    3⤵
    PID:4056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "LowLevelHooksTimeout" /t REG_SZ /d "1000" /f
    3⤵
    PID:3852
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Control Panel\Desktop" /v "WaitToKillAppTimeout" /t REG_SZ /d "2000" /f
    3⤵
    PID:3688
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLowDiskSpaceChecks" /t REG_DWORD /d "1" /f
    3⤵
    PID:1616
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "LinkResolveIgnoreLinkInfo" /t REG_DWORD /d "1" /f
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveSearch" /t REG_DWORD /d "1" /f
    3⤵
    PID:1036
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoResolveTrack" /t REG_DWORD /d "1" /f
    3⤵
    PID:3076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoInternetOpenWith" /t REG_DWORD /d "1" /f
    3⤵
    PID:628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control" /v "WaitToKillServiceTimeout" /t REG_SZ /d "2000" /f
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewAlphaSelect" /t REG_DWORD /d "0" /f
    3⤵
    PID:1740
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ListviewShadow" /t REG_DWORD /d "0" /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarAnimations" /t REG_DWORD /d "0" /f
    3⤵
    PID:3204
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
    3⤵
    PID:1908
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "AlwaysHibernateThumbnails" /t REG_DWORD /d "0" /f
    3⤵
    PID:636
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "0" /f
    3⤵
    PID:3308
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects" /v "VisualFXSetting" /t REG_DWORD /d "3" /f
    3⤵
    PID:2140
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\AnimateMinMax" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ComboBoxAnimation" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ControlAnimations" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:3724
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\CursorShadow" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:5040
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DragFullWindows" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:856
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DropShadow" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:3200
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMAeroPeekEnabled" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:4876
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMEnabled" /v "DefaultApplied" /t REG_DWORD /d "1" /f
    3⤵
    PID:4972
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\DWMSaveThumbnailEnabled" /v "DefaultApplied" /t REG_SZ /d "1" /f
    3⤵
    PID:5036
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\FontSmoothing" /v "DefaultApplied" /t REG_SZ /d "1" /f
    3⤵
    PID:5104
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListBoxSmoothScrolling" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:3892
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewAlphaSelect" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ListviewShadow" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:2060
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\MenuAnimation" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:3092
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\SelectionFade" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:4836
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TaskbarAnimations" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\ThumbnailsOrIcon" /v "DefaultApplied" /t REG_SZ /d "1" /f
    3⤵
    PID:412
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects\TooltipAnimation" /v "DefaultApplied" /t REG_SZ /d "0" /f
    3⤵
    PID:456
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\ApplicationManagement\AllowGameDVR" /v "value" /t REG_SZ /d "00000000" /f
    3⤵
    PID:4448
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d 1 /f
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d 0 /f
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d 0 /f
    3⤵
    PID:3972
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchSafeSearch" /t REG_DWORD /d 3 /f
    3⤵
    PID:4740
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchPrivacy" /t REG_DWORD /d 3 /f
    3⤵
    PID:2276
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d 0 /f
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1076
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d 0 /f
    3⤵
    PID:3940
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableUAR" /t REG_DWORD /d 1 /f
    3⤵
    PID:748
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "DisableInventory" /t REG_DWORD /d 1 /f
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v "AITEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:3792
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\SQMClient\Windows" /v "CEIPEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:3412
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\SQMClient" /v "CorporateSQMURL" /t REG_SZ /d 127.0.0.1 /f
    3⤵
    PID:2336
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
    3⤵
    PID:2948
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Steps-Recorder" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:3888
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Program-Telemetry" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:816
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Program-Inventory" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1808
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Compatibility-Infrastructure-Debug" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:4052
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d 0 /f
    3⤵
    PID:1068
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Metadata" /v PreventDeviceMetadataFromNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-c..lemetry.lib.cortana_31bf3856ad364e35_10.0.10240.16384_none_40ba2ec3d03bceb0" /v "f!proactive-telemetry-inter_58073761d33f144b" /t REG_DWORD /d 0 /f
    3⤵
    PID:4304
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-c..lemetry.lib.cortana_31bf3856ad364e35_10.0.10240.16384_none_40ba2ec3d03bceb0" /v "f!proactive-telemetry-event_8ac43a41e5030538" /t REG_DWORD /d 0 /f
    3⤵
    PID:3028
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-c..lemetry.lib.cortana_31bf3856ad364e35_10.0.10240.16384_none_40ba2ec3d03bceb0" /v "f!proactive-telemetry.js" /t REG_DWORD /d 0 /f
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-c..lemetry.lib.cortana_31bf3856ad364e35_10.0.10240.16384_none_40ba2ec3d03bceb0" /v "f!dss-winrt-telemetry.js" /t REG_DWORD /d 0 /f
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer\Main" /v "RunOnceComplete" /t REG_DWORD /d 1 /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "CortanaEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "DisableLogonBackgroundImage" /t REG_DWORD /d 1 /f
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "BingSearchEnabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1772
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\lnkfile" /v "NeverShowExt" /f
    3⤵
    - Modifies system executable filetype association
    - Modifies registry class
    PID:2912
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\IE.AssocFile.URL" /v "NeverShowExt" /f
    3⤵
    - Modifies registry class
    PID:2700
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\IE.AssocFile.WEBSITE" /v "NeverShowExt" /f
    3⤵
    - Modifies registry class
    PID:464
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\InternetShortcut" /v "NeverShowExt" /f
    3⤵
    - Modifies registry class
    PID:1768
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\Microsoft.Website" /v "NeverShowExt" /f
    3⤵
    - Modifies registry class
    PID:4628
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\piffile" /v "NeverShowExt" /f
    3⤵
    - Modifies system executable filetype association
    - Modifies registry class
    PID:4148
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\SHCmdFile" /v "NeverShowExt" /f
    3⤵
    - Modifies registry class
    PID:3408
- - C:\Windows\system32\reg.exe
    REG ADD "HKCR\LibraryFolder" /v "NeverShowExt" /f
    3⤵
    - Modifies registry class
    PID:2920
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
    3⤵
    - Modifies visibility of file extensions in Explorer
    PID:1688
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d "506" /f
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\International" /v "iMeasure" /t REG_SZ /d "0" /f
    3⤵
    PID:2936
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\International" /v "iNegCurr" /t REG_SZ /d "1" /f
    3⤵
    PID:2288
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\International" /v "iTime" /t REG_SZ /d "1" /f
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\International" /v "sShortDate" /t REG_SZ /d "dd.MM.yyyy" /f
    3⤵
    PID:4264
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\International" /v "sShortTime" /t REG_SZ /d "HH:mm" /f
    3⤵
    PID:4912
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Control Panel\International" /v "sTimeFormat" /t REG_SZ /d "H:mm:ss" /f
    3⤵
    PID:3688
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3852
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *3DBuilder* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"
    3⤵
    PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Microsoft.Messaging* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *MicrosoftOfficeHub* | Remove-AppxPackage"
    3⤵
    PID:3392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Office.OneNote* | Remove-AppxPackage"
    3⤵
    PID:4276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *OneNote* | Remove-AppxPackage"
    3⤵
    PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *people* | Remove-AppxPackage"
    3⤵
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *SkypeApp* | Remove-AppxPackage"
    3⤵
    PID:1904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *solit* | Remove-AppxPackage"
    3⤵
    PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"
    3⤵
    PID:4056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Twitter* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"
    3⤵
    PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"
    3⤵
    PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *WindowsFeedbackHub* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *WindowsSoundRecorder* | Remove-AppxPackage"
    3⤵
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *windowscommunicationsapps* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"
    3⤵
    PID:952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"
    3⤵
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *BingWeather* | Remove-AppxPackage"
    3⤵
    PID:4444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *Facebook* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -Command "Get-AppxPackage -allusers *zune* | Remove-AppxPackage"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftOfficeHub* | Remove-AppxPackage}
    3⤵
    PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}
    3⤵
    PID:164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}
    3⤵
    PID:640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "New-Item -Path "HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" -Value "" -Force"
    3⤵
    PID:4544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Get-Process explorer | Stop-Process"
    3⤵
    PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "winget uninstall "Windows web experience Pack"ΓÇï
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:1552
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:2064
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
    3⤵
    PID:2696
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
    3⤵
    PID:532
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowWiFiHotSpotReporting" /v "value" /t REG_DWORD /d 0 /f
    3⤵
    PID:4876
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v " SpyNetReporting" /t REG_DWORD /d 0 /f
    3⤵
    PID:3956
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config" /v "AutoConnectAllowedOEM" /t REG_DWORD /d 0 /f
    3⤵
    PID:3680
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d 2 /f
    3⤵
    PID:2268
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpynetReporting" /t REG_DWORD /d 0 /f
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:4116
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\VSCommon\16.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
    3⤵
    PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='telemetry.enableTelemetry'; $settingValue=$false; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:3916
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\VSCommon\17.0\IntelliCode" /v "DisableRemoteAnalysis" /d 1 /f
    3⤵
    PID:3980
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableActivityFeed" /d "0" /t REG_DWORD /f
    3⤵
    PID:2444
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:4884
- - C:\Windows\system32\reg.exe
    REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet" /v " SubmitSamplesConsent" /t REG_DWORD /d 0 /f
    3⤵
    PID:3600
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\PolicyManager\default\WiFi\AllowAutoConnectToWiFiSenseHotspots" /v "value" /t REG_DWORD /d 0 /f
    3⤵
    PID:4156
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors" /v "DisableSensors" /t REG_DWORD /d "1" /f
    3⤵
    PID:3932
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d 0 /f
    3⤵
    PID:4356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='telemetry.enableCrashReporter'; $settingValue=$false; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:1552
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "AllowInputPersonalization" /t REG_DWORD /d 0 /f
    3⤵
    PID:2380
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
    3⤵
    PID:680
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\TabletPC" /v "PreventHandwritingDataSharing" /t REG_DWORD /d 1 /f
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports" /v "PreventHandwritingErrorReports" /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
    3⤵
    PID:3568
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d 1 /f
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
    3⤵
    PID:2968
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d 1 /f
    3⤵
    PID:2700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='update.mode'; $settingValue=manual; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:3116
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
    3⤵
    PID:4984
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "DoNotShowFeedbackNotifications" /t REG_DWORD /d 1 /f
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d 0 /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t "REG_DWORD" /d 0 /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:952
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Language" /t REG_DWORD /v "Enabled" /d 0 /f
    3⤵
    PID:2352
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='update.showReleaseNotes'; $settingValue=$false; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:3536
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWindowsSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:4616
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableWebBrowserSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:3408
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:2560
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableStartLayoutSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:2500
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:2888
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisablePersonalizationSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:4496
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableDesktopThemeSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='extensions.autoCheckUpdates'; $settingValue=$false; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:2648
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync\Groups\Credentials" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:4392
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableCredentialsSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='extensions.showRecommendationsOnlyOnDemand'; $settingValue=$true; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:3120
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableAppSyncSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:3120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='git.autofetch'; $settingValue=$false; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:1768
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:3284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$settingKey='npm.fetchOnlinePackageInfo'; $settingValue=$false; $jsonFilePath = """$($env:APPDATA)\Code\User\settings.json"""; if (!(Test-Path $jsonFilePath -PathType Leaf)) {; Write-Host """Skipping, no updates. Settings file was not at `"""$jsonFilePath`"""."""; exit 0; }; try {; $fileContent = Get-Content $jsonFilePath -ErrorAction Stop; } catch {; throw """Error, failed to read the settings file: `"""$jsonFilePath`""". Error: $_"""; }; if ([string]::IsNullOrWhiteSpace($fileContent)) {; Write-Host """Settings file is empty. Treating it as default empty JSON object."""; $fileContent = """{}"""; }; try {; $json = $fileContent | ConvertFrom-Json; } catch {; throw """Error, invalid JSON format in the settings file: `"""$jsonFilePath`""". Error: $_"""; }; $existingValue = $json.$settingKey; if ($existingValue -eq $settingValue) {; Write-Host """Skipping, `"""$settingKey`""" is already configured as `"""$settingValue`"""."""; exit 0; }; $json | Add-Member -Type NoteProperty -Name $settingKey -Value $settingValue -Force; $json | ConvertTo-Json | Set-Content $jsonFilePath; Write-Host """Successfully applied the setting to the file: `"""$jsonFilePath`""".""""
    3⤵
    PID:3724
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableApplicationSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\SettingSync" /v "SyncPolicy" /t REG_DWORD /d 5 /f
    3⤵
    PID:712
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Office\'; $taskNamePattern='OfficeTelemetryAgentFallBack'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:3484
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:5052
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Feedback" /v "Enabled" /t REG_DWORD /d 0 /f
    3⤵
    PID:1072
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:3772
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Common" /v "QMEnable" /t REG_DWORD /d 0 /f
    3⤵
    PID:2276
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:552
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "VerboseLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:2960
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    3⤵
    PID:4948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Office\'; $taskNamePattern='OfficeTelemetryAgentFallBack2016'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:4120
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d 1 /f
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    3⤵
    PID:4212
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableUpload" /t REG_DWORD /d 0 /f
    3⤵
    PID:4336
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\16.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3520
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Policies\Microsoft\Office\15.0\OSM" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4192
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Office\'; $taskNamePattern='OfficeTelemetryAgentLogOn'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:3500
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3760
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Calendar" /v "EnableCalendarLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:2444
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:3404
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Office\15.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d 0 /f
    3⤵
    PID:4068
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSyncOnPaidNetwork" /t REG_DWORD /d 1 /f
    3⤵
    PID:3272
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSyncUserOverride" /t REG_DWORD /d 1 /f
    3⤵
    PID:3192
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\SettingSync" /v "DisableSettingSync" /t REG_DWORD /d 2 /f
    3⤵
    PID:3888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Office\'; $taskNamePattern='OfficeTelemetryAgentLogOn2016'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:4740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\Microsoft\Office\'; $taskNamePattern='Office 15 Subscription Heartbeat'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:2184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'AdobeARMservice'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"
    3⤵
    PID:652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'adobeupdateservice'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"
    3⤵
    PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\'; $taskNamePattern='Adobe Acrobat Update Task'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:3028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'dbupdate'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"
    3⤵
    PID:4108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'dbupdatem'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"
    3⤵
    PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\'; $taskNamePattern='DropboxUpdateTaskMachineUA'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:2184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$taskPathPattern='\'; $taskNamePattern='DropboxUpdateTaskMachineCore'; Write-Output """Disabling tasks matching pattern `"""$taskNamePattern`"""."""; $tasks = @(Get-ScheduledTask -TaskPath $taskPathPattern -TaskName $taskNamePattern -ErrorAction Ignore); if (-Not $tasks) {; Write-Output """Skipping, no tasks matching pattern `"""$taskNamePattern`""" found, no action needed."""; exit 0; }; $operationFailed = $false; foreach ($task in $tasks) {; $taskName = $task.TaskName; if ($task.State -eq [Microsoft.PowerShell.Cmdletization.GeneratedTypes.ScheduledTask.StateEnum]::Disabled) {; Write-Output """Skipping, task `"""$taskName`""" is already disabled, no action needed."""; continue; }; try {; $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null; Write-Output """Successfully disabled task `"""$taskName`"""."""; } catch {; Write-Error """Failed to disable task `"""$taskName`""": $($_.Exception.Message)"""; $operationFailed = $true; }; }; if ($operationFailed) {; Write-Output 'Failed to disable some tasks. Check error messages above.'; exit 1; }"
    3⤵
    PID:2356
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d 0 /f
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventRadioPresetsRetrieval" /t REG_DWORD /d 1 /f
    3⤵
    PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'WMPNetworkSvc'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"
    3⤵
    PID:3492
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\WMDRM" /v "DisableOnline" /t REG_DWORD /d 1 /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\WindowsMediaPlayer" /v "PreventMusicFileMetadataRetrieval" /t REG_DWORD /d 1 /f
    3⤵
    PID:2496
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)HealthCheck" /t REG_DWORD /d 0 /f
    3⤵
    PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'Razer Game Scanner Service'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"
    3⤵
    PID:2184
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdaterIpm" /t REG_DWORD /d 0 /f
    3⤵
    PID:1168
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)SoftwareUpdater" /t REG_DWORD /d 0 /f
    3⤵
    PID:1380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -ExecutionPolicy Unrestricted -Command "$serviceName = 'RetailDemo'; Write-Host """Disabling service: `"""$serviceName`"""."""; <# -- 1. Skip if service does not exist #>; $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue; if(!$service) {; Write-Host """Service `"""$serviceName`""" could not be not found, no need to disable it."""; Exit 0; }; <# -- 2. Stop if running #>; if ($service.Status -eq [System.ServiceProcess.ServiceControllerStatus]::Running) {; Write-Host """`"""$serviceName`""" is running, stopping it."""; try {; Stop-Service -Name """$serviceName""" -Force -ErrorAction Stop; Write-Host """Stopped `"""$serviceName`""" successfully."""; } catch {; Write-Warning """Could not stop `"""$serviceName`""", it will be stopped after reboot: $_"""; }; } else {; Write-Host """`"""$serviceName`""" is not running, no need to stop."""; }; <# -- 3. Skip if already disabled #>; $startupType = $service.StartType <# Does not work before .NET 4.6.1 #>; if(!$startupType) {; $startupType = (Get-WmiObject -Query """Select StartMode From Win32_Service Where Name='$serviceName'""" -ErrorAction Ignore).StartMode; if(!$startupType) {; $startupType = (Get-WmiObject -Class Win32_Service -Property StartMode -Filter """Name='$serviceName'""" -ErrorAction Ignore).StartMode; }; }; if($startupType -eq 'Disabled') {; Write-Host """$serviceName is already disabled, no further action is needed"""; }; <# -- 4. Disable service #>; try {; Set-Service -Name """$serviceName""" -StartupType Disabled -Confirm:$false -ErrorAction Stop; Write-Host """Disabled `"""$serviceName`""" successfully."""; } catch {; Write-Error """Could not disable `"""$serviceName`""": $_"""; }"
    3⤵
    PID:3904
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)GetIpmForTrial" /t REG_DWORD /d 0 /f
    3⤵
    PID:3288
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Piriform\CCleaner" /v "(Cfg)QuickCleanIpm" /t REG_DWORD /d 0 /f
    3⤵
    PID:3724
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate" /v "CreateDesktopShortcut{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}" /t REG_DWORD /d "0" /f
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\EdgeUpdate" /v "CreateDesktopShortcut{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10}????" /t REG_DWORD /d "0" /f
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\Directory\shellex\PropertySheetHandlers\Sharing" /f
    3⤵
    PID:1788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "RotatingLockScreenOverlayEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4220
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitTextCollection" /t REG_DWORD /d "1" /f
    3⤵
    PID:2980
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338393Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2960
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT" /v "Icon" /t REG_SZ /d "themecpl.dll" /f
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\02Color" /v "MUIVerb" /t REG_SZ /d "Color" /f
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool" /v "MUIVerb" /t REG_SZ /d "@SnippingTool.exe,-101" /f
    3⤵
    PID:1688
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:2956
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:2960
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:2724
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:2068
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:2496
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:4820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /f
    3⤵
    PID:4592
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:2512
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:4072
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:3636
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:4752
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:3664
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:5008
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:4920
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:1524
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:4984
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:3560
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:4812
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:4184
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:2356
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:3932
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:3408
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:5092
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool\Shell\2SnippingToolRegion\command" /ve /t REG_SZ /d "SnippingTool.exe /clip" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4332
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool\Shell\2SnippingToolRegion" /v "Icon" /t REG_SZ /d "SnippingTool.exe" /f
    3⤵
    PID:464
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool\Shell\2SnippingToolRegion" /v "MUIVerb" /t REG_SZ /d "@SnippingTool.exe,-15052" /f
    3⤵
    PID:1336
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool\Shell\1SnippingTool\command" /ve /t REG_SZ /d "SnippingTool.exe" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool\Shell\1SnippingTool" /v "Icon" /t REG_SZ /d "SnippingTool.exe" /f
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool\Shell\1SnippingTool" /v "MUIVerb" /t REG_SZ /d "@SnippingTool.exe,-101" /f
    3⤵
    PID:3468
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool" /v "Position" /t REG_SZ /d "Bottom" /f
    3⤵
    PID:3680
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool" /v "Icon" /t REG_SZ /d "SnippingTool.exe" /f
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\SnippingTool" /v "SubCommands" /t REG_SZ /d "" /f
    3⤵
    PID:932
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d 0 /f
    3⤵
    PID:4220
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "3" /f
    3⤵
    PID:2360
- - C:\Windows\system32\mode.com
    mode 300
    3⤵
    PID:4808
- - C:\Windows\system32\msg.exe
    msg Thanks for using my software @BhaggoYT on YouTube
    3⤵
    PID:992
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "1" /f
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "2" /f
    3⤵
    PID:3608
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d "1" /f
    3⤵
    PID:3444
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d "0" /f
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\07Display\Command" /ve /t REG_SZ /d "control.exe desk.cpl,Settings,@Settings" /f
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\07Display" /v "CommandFlags" /t REG_DWORD /d "32" /f
    3⤵
    PID:4004
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\07Display" /v "MUIVerb" /t REG_SZ /d "Classic Display options" /f
    3⤵
    PID:1788
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\07Display" /v "Icon" /t REG_SZ /d "display.dll,-1" /f
    3⤵
    PID:2076
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\06Cursors\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL main.cpl,,1" /f
    3⤵
    PID:3952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\06Cursors" /v "MUIVerb" /t REG_SZ /d "Change mouse pointers" /f
    3⤵
    PID:3412
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\06Cursors" /v "Icon" /t REG_SZ /d "main.cpl" /f
    3⤵
    PID:3536
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\05DesktopIcons\Command" /ve /t REG_SZ /d "rundll32 shell32.dll,Control_RunDLL desk.cpl,,0" /f
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\05DesktopIcons" /v "CommandFlags" /t REG_DWORD /d "32" /f
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\05DesktopIcons" /v "MUIVerb" /t REG_SZ /d "Change desktop icons" /f
    3⤵
    PID:2736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\05DesktopIcons" /v "Icon" /t REG_SZ /d "desk.cpl" /f
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\04Screen Saver\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver" /f
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\04Screen Saver" /v "MUIVerb" /t REG_SZ /d "Screen Saver" /f
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\04Screen Saver" /v "Icon" /t REG_SZ /d "PhotoScreensaver.scr" /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\03Sounds\Command" /ve /t REG_SZ /d "rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl ,2" /f
    3⤵
    PID:4360
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\03Sounds" /v "MUIVerb" /t REG_SZ /d "Sounds" /f
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\03Sounds" /v "Icon" /t REG_SZ /d "mmsys.cpl" /f
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\02Color\Command" /ve /t REG_SZ /d "explorer.exe shell:::{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921} -Microsoft.Personalization\pageColorization" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\02Color" /v "Icon" /t REG_SZ /d "themecpl.dll" /f
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\01DesktopBackground\Command" /ve /t REG_SZ /d "explorer.exe shell:::{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921} -Microsoft.Personalization\pageWallpaper" /f
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\01DesktopBackground" /v "MUIVerb" /t REG_SZ /d "Desktop Background" /f
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT\Shell\01DesktopBackground" /v "Icon" /t REG_SZ /d "imageres.dll,-110" /f
    3⤵
    PID:4984
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT" /v "SubCommands" /t REG_SZ /d "" /f
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT" /v "Position" /t REG_SZ /d "Bottom" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1904
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCR\DesktopBackground\Shell\Appearance_WAT" /v "MUIVerb" /t REG_SZ /d "Appearance" /f
    3⤵
    PID:4812
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.Suggested" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4456
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SilentInstalledAppsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3904
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSyncProviderNotifications" /t REG_DWORD /d "0" /f
    3⤵
    PID:396
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2952
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353696Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2724
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-353694Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SoftLandingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4264
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338389Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2116
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_IrisRecommendations" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4056
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SystemPaneSuggestionsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4180
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338388Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4160
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-310093Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3820
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Start_TrackProgs" /t REG_DWORD /d "0" /f
    3⤵
    PID:2696
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v "AllowTelemetry" /t REG_DWORD /d "0" /f
    3⤵
    PID:1172
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Personalization\Settings" /v "AcceptedPrivacyPolicy" /t REG_DWORD /d "0" /f
    3⤵
    PID:3508
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\InputPersonalization\TrainedDataStore" /v "HarvestContacts" /t REG_DWORD /d "0" /f
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\InputPersonalization" /v "RestrictImplicitInkCollection" /t REG_DWORD /d "1" /f
    3⤵
    PID:4712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Input\TIPC" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:652
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy" /v "HasAccepted" /t REG_DWORD /d "0" /f
    3⤵
    PID:1584
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Privacy" /v "TailoredExperiencesWithDiagnosticDataEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:3680
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\AdvertisingInfo" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32" /ve /t REG_SZ /d "" /f
    3⤵
    PID:932
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\ModernSharing" /f
    3⤵
    PID:1688
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager" /v "SubscribedContent-338387Enabled" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2360
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\Library Location" /f
    3⤵
    PID:2160
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\Folder\ShellEx\ContextMenuHandlers\Library Location" /f
    3⤵
    PID:3608
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\UserLibraryFolder\shellex\ContextMenuHandlers\Sharing" /f
    3⤵
    PID:3444
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\LibraryFolder\background\shellex\ContextMenuHandlers\Sharing" /f
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\Drive\shellex\PropertySheetHandlers\Sharing" /f
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\Sharing" /f
    3⤵
    PID:4004
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\Directory\shellex\CopyHookHandlers\Sharing" /f
    3⤵
    PID:2076
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\Sharing" /f
    3⤵
    PID:3952
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\Directory\Background\shellex\ContextMenuHandlers\Sharing" /f
    3⤵
    PID:3412
- - C:\Windows\system32\reg.exe
    Reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\Sharing" /f
    3⤵
    PID:3536
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d "1" /f
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\WindowsCopilot" /v "TurnOffWindowsCopilot" /t REG_DWORD /d "1" /f
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCopilotButton" /t REG_DWORD /d "0" /f
    3⤵
    PID:2736
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "HideSCAMeetNow" /t REG_DWORD /d "1" /f
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "TaskbarMn" /t REG_DWORD /d "0" /f
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "CortanaConsent" /t REG_DWORD /d "0" /f
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\Explorer" /v "DisableSearchBoxSuggestions" /t REG_DWORD /d "1" /f
    3⤵
    PID:4360
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d "1" /f
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKCU\Software\Policies\Microsoft\Windows\EdgeUI" /v "DisableMFUTracking" /t REG_DWORD /d "1" /f
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "HideFirstRunExperience" /t REG_DWORD /d "1" /f
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "ShowRecommendationsEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "PersonalizationReportingEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Edge" /v "EdgeEnhanceImagesEnabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "1" /f
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
    3⤵
    PID:4984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3288

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:5
1⤵
PID:1408

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3200

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3192

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1720

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4984
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4984 -s 5872
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 532 -p 4984 -ip 4984
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2076

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2560

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3672

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4916

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
dab29f0ff85749876aaa834e6c1b5918

SHA1
d514aa16346e208e62e1289a82af2ca16c5e64d9

SHA256
808cb554c37d8021989c5d145588c2bec772f12b9260dddf8c4d55b3babe65b3

SHA512
ffc6db04dee3b901eafb3a8f0234679694bfd66ced092917a4586f62bf8cbfdca6e6eeae3563a0f7ac7ee530d698aa9e36112cf7a0a483ccdfcafc58085056a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
7695fa280acd1ae2cd030d01b882f897

SHA1
4cd21e020441a6015c98e481cde022b953da2206

SHA256
ed1b2d8a5dac57aa43547e7c41265140f2218328e348ead41a2754f5ba1d0233

SHA512
1f0ff6205f0b47fe8b62f1c74891f50d525d5361e5ac7a690eafbaf7d7111e9e9a6fba8e25d68aac467f196e88c47309680e029392244add3eb27918af4fa65f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
958ec9d245aa0e4bd5d05bbdb37475f4

SHA1
80e6d2c6a85922cb83b9fea874320e9c53740bd9

SHA256
a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d

SHA512
82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7d051db42bc16cbc0b483c28134f3006

SHA1
e1de95b7e49ce47e27cb1dd651d616d87f739b68

SHA256
520d2c4bd6a331e6674697583732533e4cae7a2208d8a3b99a74377f52876e0f

SHA512
cea9a43a11fa8fba40697c7736ecb91396df5f21637b700266b84ba9f3eccf51f81e601b6099696f7a2d14ac327ad029a42b11b2d2571030881e9682fa0a78fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
01df17c8baf2b7523097ee44d4f908b7

SHA1
25755a242c0d0e692fb660236ce5674ce3405c83

SHA256
9d9e3d97ebb0787240c4ba4ea01e9a9eddfa139a2992bdf22e09ed701ff306b0

SHA512
a68604a19da155ea4eae8d0c67708df95f7996e96432bb8a926e9667e923bd8c31b3cee7d554d70c0040bc9e2fab37cdb1e7045f96aa2d289f5b7b99c01afd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adfebea1c4cc7fcde4f02658c22dffbd

SHA1
8ea8faeb66e21fc3a5ac12de0d8c79d9b5480367

SHA256
fb41a850d4d37e7421c56596944cb8f3eb84ea362f6edbbce8b639151d763ccc

SHA512
7f510470ea46b41765e354506b4582b5f54eaba2d7c68ace8dbb1b67547e9b5578f9dc5e25a7dadb1e054f67bb7d94992589367133f4938f744df1ac949d1705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72c127201ca955c8bf44b8fbcaf4d7cb

SHA1
7d85702dcf4237e2f3d227d4be373ecbda3b9b86

SHA256
0437ae2b2e5702617d74b09a49fa5b5c447ae6febb4f54aec8680953a3494b60

SHA512
ae527cacdfb1310b9d816f804ab9b27d8fd56eded727ae6f3536a800e3f6cd70ff01d0fa3d0f639f99664c604f053ca5f540981fe5a3abfe4d1394eafc9a5e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
070246ba8fea645e14bc4fe4f4285400

SHA1
e8c29f6a732fc8efac5941252e04a60f123c8b85

SHA256
14fff639fe3b15527a967a2a08eb4787a9ab96bd532d3c3e148f62d97588fba4

SHA512
86676c1f78cf7b6bb771341dd7add357833fa26c616301922c303553647c507d8a33964d51399f060858b45e4b09360745c09cc191cccef0528a5d535d008e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1381346e53901eb1145a83d8a7bdfec5

SHA1
c1bf642dd76ce4024fbdb187887c9df26362da1f

SHA256
34256979cfbc05d025adc636bc2931d7315680ec88563d2a9e8705476f1d8611

SHA512
c893c02ff21a683f73d22fea56d0eaeafea40a2e01e7c87b0b39f7b8c74902eda09e66c0152fcec2ddfc9717fd4180f036b23c74083731de8d73acc3de02ac4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ee687f63635da688020166f8c9117e8

SHA1
3dc62caf37e9ad51a5360190b0ad7571e369105f

SHA256
9f949ba3993db1d6685cc65d2e692fda4445c7c70f2888b6fd393ff84d65990f

SHA512
d75fa49afc2ac785d6b4a3e962025d672c7ae762ebf44a2c1cc00a71593162f0908adfd7e0f1643cae90644955d3c3bd13898f36ddfc4ee3ce4dc449de577a2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3771d1ab64785a611ac588b614e6666

SHA1
b61fc18fc59f74580a6d6b1ff852fbdd267fbb9b

SHA256
91cf82de9472f16f0c20eec8e79d932cab80bcb79b9db1eaed9d79e9abe7c813

SHA512
a0e9009ba97842d39d91936f82945610f384126de6348b506ed46c4b52142dc8aac96fe9b66d3f02e005ae0350123fdd0eef9500d6869ce9e98e299b899aed2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
089064828efb2a1d6d59238cbc441674

SHA1
1730cf2d696a1298223bfb9fbd3f8d8a28f8daea

SHA256
c86b924942b3c038d672e6cc305f0fa5a54f67375f4a7d6bad1eb8f8e90a4cae

SHA512
aa37719ded9bad0907ee27abcf39e666417dc115b3f73011e08b6d572715fb9ff95d86e6f0366184fc59050b81d743846183105815f7edd6ffd5ea744016f2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e2ba2a071dd4e390137b6bd1455ee1c

SHA1
fcdc2d1a255721a0cf393568ce20526ff867a69d

SHA256
fc292044a1e437ad610c049d7b7a79f6e2965950deeba3855cd94cfcd0ad87a6

SHA512
59f1203af3b067dd6c0e3f53ed5c613b146930e8609422963531f6c7bb1b8b64d05e4a02d52ee31092dc66e37d6f0a9cda31e8f0a530f9ad1f0dc26db2ea61e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
617bcc29d249ac7fadb424405b36778c

SHA1
bbba17759f1c5ffa44ec8b15aa272b7106bf0968

SHA256
0f3f8ffe4e5e3f04b35679ea4d08fa4c771dcf93618a15a410d77161a02e6c4a

SHA512
0491a3b3ed861cb849fd1201f58c31895a9263e8447ba655df09fc53abd1b8efe59306e0a3c7ba2186afe36aaf05de865a7c736d4e93bcb558dad2754c8efc4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
822784d4b2dace0327a17e745407dd54

SHA1
302df119c878f3f761b99cc46ef2c70fb5bdc3fb

SHA256
a363ce92182fa1c87c759edecf307d1c92c9abc3cec17695d32dcffcd6808e80

SHA512
6522aa2ba52e94cc2fe8a977884e35cb388f2846cc57da34c4ccb8a3e63d5e3eab438b12e85dffa5290ca8145f6f6d3aaa5862ba96652abdfc217b332cbcbe69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d86167b1aed43745afa9549f913d5176

SHA1
b3a919079e8a2f6f64afdf926d76562a6b429d08

SHA256
2a7c6f60737b16c892209fd7dc2ddc42f0bb69d7c132ab9b965f2cda5ecbc286

SHA512
e07a1aafb27ff6ec18607fa52ad5fcc276d34563bcb3352a7c02054775e60d799ca348c1acfc238fbd3972862ea54f7bb00a6b2744b0f83ffd9e98bf1d2e385f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e4a796dd29727a47654a2259f1796326

SHA1
bf882d3d864f496d13a73f13cb2a24572881e6e0

SHA256
fb2d8dfb29e8924bc5aa645992db2b7a708746cac23c62cbb5fcd6c4c4417ffe

SHA512
24816cf101105981582d7d684935eb64a2873d58a84373757e14d0025b7da3ad25af0ae01e345bd0016a2958de5ece485b594a798aa2c502bfba8f357b10ce2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
11adb9837654d53fedefcdfd47f672a1

SHA1
4ee130000571159d49a27649c30aea58b3acffcb

SHA256
931eadabcd139361fbc945f39745bda15adf5a47e443cfb93fa0a9969995278f

SHA512
a13c5747667deb825cf69953d7d32d4531aea68a6c26332fc7e89eb2d9bdfd888d0d2cdecb472c38b8ce1e2d6cf9e0ae8ac9e7b14a55465119ddbf6d90cca778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fdb91442929848d2e6cea03466748fb3

SHA1
b85960a2c4e2c95c2e1326cb41c72f2ea13ceadd

SHA256
147b44ca7f95c0c919cb17d82102bc79d60de19d6948cad15eb8810a1b791efe

SHA512
f9f03ff7d76536cafc374bbce2f9ab3ec799231e9dfcce8c93d0f772b38987e8dd52f1f95cf68fa1cc04516808bfd7815c2c339399e06a5398eb675cc54c698a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac2ed61e72952d09013a6edf475be84f

SHA1
0daa10e47c7a1c35db4fde2be794249fcc89c823

SHA256
920e39e9ddcf31a41801d9bc11b2ee2114a8a401829d95c127719cf20a9a79e8

SHA512
28d3d79857abd1371cc3daa210d7b4e8f6eea5b1fe8d865b720ae538bb8050aeb34e84c3c2638a782fd30ef1df0780eb01be12d0619ee214bd81290af4df7caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3f91406a3c9cabceb118ca47303adb4b

SHA1
dc63ef893dbfbf59176c83c2562142953427c9e1

SHA256
16aef561b88dc6f2e63d1272be6140451cc42c126cd63e72dab17db94cc21d5f

SHA512
43e7c1b7ecf0ab473c49cf9861a392d734d6c63d97a2894094c9cd246813e92d00e7d448199c4f92987e25c7e1170d0a28302f9efa611ca69d40d0405aef1d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25054569222a2ca39fd3e9e0130a146f

SHA1
0601b7f285c4bddaf0adb2732a9aa47abf17be25

SHA256
7d52ff04baa78767d5ff696bc640913fe7e013c0d2a89983998be839e9a60932

SHA512
666e6029d9979a7bf84991f64788acb22a303ce156d4ac7491f8cf5121310140a876419e090fed27bd20887ab10a8fbcf1e9edb4013dc96b5974144e8fa68508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4c559e6675ecf013ee7f806a700db9a4

SHA1
c76e638cb6ea79477112a4f6742301479bf13e96

SHA256
31a45cc571e1ac2bb33bfac496ebe6351983207cd2c5001255e3658565df66c3

SHA512
48e78fe7e930f058738830d6c7387fbbb5f184f1fa56e7b165c3946a6e76e9a50a6c6e6d8a1ba8baad8c3d9fb12c8f60a3d712b0f8e2668d0800008f35c061d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d454eee4fc9379d28085b3f81f8defca

SHA1
993a94b38f199003a2f70b3b4ba96063b9ac3ff5

SHA256
45623897d64852ea344c55352906360c0543baeb2c42ff25de37d81723e58c07

SHA512
0c55c9fbdb91e6a1c460ee0e708cd0590f5553612ac36144ec1ed6521af2f765ef1bbce88a9e2f64642444fc9e4a393baa1418b686a32f8aa303293a0ebf046c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0404e0d3996c8a8c27fab8a90fb99a7

SHA1
d0896639b70998ae866a588db3ea01f245337019

SHA256
f9f350cdabcead21874d7319609d2fea2329a6e4e1f1b168955ece815c8cf0e7

SHA512
2cf8deaa2e6735df75158b7f482baa868b2aaa4053233852d15d19f0a37b8d5f8c13bd146b5c9232d8a7ddb82f11f5d4b7d4246950d3eaa7bc79cb1eea9fb43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07a00aafa2b860a66293eed9a32698c9

SHA1
caeab20241b907814a6828d330185e3696dbbeb4

SHA256
b415037864bd7e2274ed051015f5119023da08dd0c56a5bf3bbee24130d7760a

SHA512
a69b74a90cd7310ba8d8767eab071a24b84a9328ffd842ad016f33fdfcf012cd2d5174b58a6b93d5db95666645c250ea0820152933f52473a06d6d79f22e6f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f9791e7674ca9a38ebaf69d6565ba228

SHA1
32abc8820378680d2f9b92cb6d1d1ffeb9690728

SHA256
b83b8f27cbd0a2eae1e96e611fd95f2a03f851dcdce9d19a354371f1f20710cf

SHA512
ea79ce489b9a04f431330e8af4ad2903e70ea647012d0292fd895e7ed27f9440aa4ad8aa3c6ff64b875701c73dcd69128039ce99acfdf4791b889c2c7d7d72d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b4162045163c2da601d8fb1c15c040b

SHA1
3b1330756eabf26526525284cf26d695771c7294

SHA256
4fb0ef0b43fbca7969717bc6efd920ac6f87934557636e5cd95e0d743cf9722d

SHA512
ff0240bf7fc250e7516f550d33982ccdb655b1730e53a9153a901e6980934425220f8dcd16d9c37d34ab2f7c6af8d44ed7b8a00dec9b3b3b19ec970eeda58a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b155cc9a4a121ddcadf6f6e894317bf

SHA1
aa4d56ac0629c5ea0793ec85de9a23317c8bc282

SHA256
7816f2d6be4c7f57c55355c7cbf47413884fa2aa8f5d659f7247c03b73a04fd5

SHA512
9bfd1ee1cc212e58b5ba01fc5f61a2dedbb4ce8b80b2b0d0396d4f5fa5721c4a3210322cb0796a6583ca12c85a57c96250a71f8a465caa5ebadf8788a3ef3997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
253fa2288ad4fecb5627cbe67c4c066c

SHA1
bdb090c9f2ce4f4df1b83eb8728503ba33d63e19

SHA256
07e9d01f5d9a55c7c41721f1502698121e72987caec359f64ad52d986c13b498

SHA512
160a0c166bbbb0868b96009067760fbb6a54d433addfc0401788fa00c1f50daf9a86c6555182c78183c81175b9797b953440256ed84b437834bd6513457ad05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7c4fee9f84b671bc4f64590c0cf989e0

SHA1
9c2b0701e1a8e2697b4635545ed00cdc8bc3110b

SHA256
b78029e0396617f101b37d9c7b8fc3cce84906e0b1c0c8c17d0cedc8eb8c9b20

SHA512
6a9bdb6fd3b8de8330d893c34f59c99b281c90a4c91b3ff9afa5c412422ab2a1f39b534e0eca3fdf8d7cfaadc03b95e9d3a39f8001e6553748139381b961cf0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
41f313f67b8b1f1ee805fdfc2d8459d7

SHA1
7c5bed6dc78a41ff1ebe52a734320805e0dd9154

SHA256
05336e913ae01e78d3fbdfe63c50ab949aab540c10e67d5a6977ffbc37329729

SHA512
21b40e7ec6764ab150b4e0bafcf067cdda1f77e5770010cc603be7cb4e7fa9130e5750d30e8dce1718165affd234d3a87b56d82021c588dcd27b05dad6034b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
dcfe1f94aa15e3ca618b4c5002c9c055

SHA1
b8abdaf68684bc49756086840035b93f79329892

SHA256
cf11bfe8cd92fd4293ae0bd884f2c3d397e68d54ea03352027ed6b6c93e8630d

SHA512
bce3736f22af50ef73c7ca17942eebddc00ea5b216fa9ad8c704fb6b5c0cc8d0b8aa992fc47270148c23d8257ba2ab9cae079ca239abebef7a92182941f8a73c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
de9d4ddc62daa4444b9178c9fc079438

SHA1
f8cb6cc6942a31142b169047ca8b0610201b7882

SHA256
d8f14ccc4389c7313eef1948a13f45a1e4e16007d45c90c309baba365641e57a

SHA512
206ca2532369f1eeddd2efec2b77512d64f6957554e4c8e8e58ac1c5db6bb567aecdb49d6bfa2e99c9647387d19052546b2e7b644394371773ec6d9190d90241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7abf43d4acc700dd327cda4a11cc6020

SHA1
7eef617d8d6346c674a1cc1ea7262962aa4267ac

SHA256
e2117452602e9c5712fd79edc470c30452ba8c6de9eb33997b2309921734c0f6

SHA512
3fb7710b8eb4c3ff871d36638d76de57ca22492ed9ad49a0e7c68b58219f8e730cda0922c53395ba4c992b1c88d173c007437234b0f9b4072209d50deed189c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
63f3daf3ebf7daaa3416a431d50ff3b2

SHA1
cd95e25992a7da97a5cc8b48a47e157867721a04

SHA256
21927689c7ecab2b7af7611474c2e2b20d72d05a941afec01b42337f432dc2fa

SHA512
9f6e37a407af1b6fdeaa89f8753b5b7db087c32b3f9b2b2bd7af027ec3606ab534ad7dc16e179e3e784c04af27cd77befd45d4ef68c2d1af09830b311177f29f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
654a85dc3e762af496de2c27786cebda

SHA1
313de80c0843d9482d636a54c52c05dd6f075635

SHA256
34693c78e95d5a443fa9efe7aaa04a844a16ac6e2dfa109f94231c1411a8b2d6

SHA512
1d249186589efded643f436d72994c41abb07212e456bdd669bb41bf194cff48c5d49b672fa51db15ec4dbd933629a0185e6b0ca2a15560fe49d47e243e57344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
91a39b91c2b22ff00c12e56878baa09b

SHA1
e19e669a9c2c8fec9fb699c4c76384a105471bda

SHA256
931a2eaa61178581995773a9da78f4bfd76ad27c29b44442fa1329b384a0cd96

SHA512
59df651f9cab1c7b960e22d8207766cef07393b33d42f2b759bf4043cd63f2abaf08f9e1b419c6a126fb51a98468d15d34ba09caac46dfbc1a1b658c513aa2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e220febe2c0ee2617582025a2b00fb4e

SHA1
a313b132668558dc0358ffc1974755ae37a1820c

SHA256
0b4805bbd412d464e47096c65a303a8a4e89166611293b7f89ed084436e5ac25

SHA512
265a2e108bbdfdf79af872fcaacfe4cdf4dfc6169db57d373ddb61292bc377ec4f952cce2cc49457ab9b522b13c72814cc919c50813ab13ef9b7b247d60f0582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6e24a9793ab18a6055bda65af4e6adde

SHA1
7dbf3d4cac2b070260c3eb0ab6842fffc2965b91

SHA256
17e3823220cdfa36cf63ed75157468c6fe046ced8a532fb6fffde4a75d5cd25b

SHA512
3416e0213e3f9cdb3ef94b162e37ab833d982a4ece358debfef9cc2408776c261b8986c031c890074c0465846445cfa19c7d3641f272b84aae7e2e6a05caa48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c1487182538584339be4c31c7fdef07

SHA1
d4bdceb3cd231c59b41db482d02166b7f2efaf4b

SHA256
5d6861554848dad2d73a7dbdeb8b84c6d91f9e3f036d45ebaf2ffb4bc252292a

SHA512
d61b0a9c1de34f6e8080ce93081cb1252a148fcf2cf6dba78f762e23b596a632a6a5b116ffd4345ad96d6270e7fe2c9622306d6d69a4a1349ced9f6071eba42e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a416419e98baed6c59abfdfbcd6d165

SHA1
8298c62fa466db390c7e2e6c5d5d3caac5df3ff7

SHA256
dab4c8efeb9823cc645db8e8699c7a8697ea973ca88b2156d7da24fc0308c180

SHA512
a8fcc350f334c85e0d876a7946072fa4797f0e731cc4e0a5a0094329eff5ce00d1e033eb3ba54587daea71d943e040718f49ea32d511c5d1d99210825ed0fa8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c032c869633a60230ea2d1ebe802da4

SHA1
4fce37e286cc2a24850dfc20579c70743066f023

SHA256
7ac56ac0d7fbed0cbba9149c49d117f3fc7bafa99de31c386e330ddb7dd3b42c

SHA512
8b138c31d08dcdf08b981d2d0a30fc2605b4ba0cfe752aa8ac5ca09fd7977bbc0d6eb58cde8954f8be0a1af3fd064930015eb9366e68ea6d6355c52ce81ee7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
feacefd0f7fb2108e78aafac509c3c5d

SHA1
99a2ba807e4f13367a0ee6f1c35a808f6568f552

SHA256
c246a8191c8b1b1cde56ec6efc80dc3752557eec27b592fd7d0b95f917440207

SHA512
c35dd177064fc712c69e75448243671991670c46fe2c41d13e969169f7b97cf21ad533f7a54c0f4e27028a72ec06ef7d24bafd2aaac68fa72dc7678b2bba6ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c70da5f8ef9cc315061b6c6cb46dd98c

SHA1
248338838dda4e47a35375134e5e1191b91e5b1b

SHA256
3b160d7c9ff5cc97661fd77897e8dae5910c6679f096d8b6d9daa7e3952febc8

SHA512
86f811bac4e3131ac74237d737ae459ee1406feae0a9f08d856642074ff1f5b8d735943f94018813cce2fa79cb9bbd38c8cda39a06b1a34f2245da8c4dbcb047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
df7c9342322fcf994538d818ae2daa77

SHA1
2bade8fd6cfa4d1843cb450e28f85568cbae4847

SHA256
c27197ac51cd5094188acc01d94ef689bbecc982dae4a4ab4d631d750c557e25

SHA512
2b55be67bd38a4e9feee09dfd7a4b2abd4d011c4e0a3112230745429823d9ae05eac1ab697a4f9db6e81247b106e4324c73f829e7df40b927436f1e635350915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5d258ee4b5ae905c3108a6de43f5df2

SHA1
1b76bc774cb3f16e1a436921148fe640c5087a0b

SHA256
91d6e5bc589201d4bc8445c5620292d9aa70f941321ee8eaedb94dba577d70f3

SHA512
ff6970456765d50dc8c0ce9d1d06008e40ec357af1673543a2b7319c7714cbab7b2611a75f188cdcc338a9cbd107b58682abc337e2e0a3566b4fe0c242e86358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3669e671bb1ead38f2518ed560092aa

SHA1
545fb4688fa5c24a36e7a8cf727da9b6de703c06

SHA256
f3e7a03a85e0eb833aaad05ad52d3487076155845965cf29e2cb2fad4f19a6e8

SHA512
b15f2ca1b6101cf2c550d6158a92799e9004eb18e54b99615b2f365bcaf7830dab61358f6649625c02d72c248525d6ae6a1860d99d5dd13c77aa12216e092c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
973e46d81248521314d352bdb1a2a667

SHA1
97843149cf8cedfc4cf260e66e931d84396c0138

SHA256
f29d494e151d5fcc8ed844773c19e465b5392e1145e78593c639e9253b5dc65f

SHA512
0050458bea940c058f0b4e8790edd2d7243b5dd74014ea1daa54ac857606be4e5c7e3effb351386b95a2a04e5cdd3e79fced1eef617e5e6b547979bf98246e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02d80366f97d669ccdf5b6efc8f86ab0

SHA1
11f912f3d561de66f036d434a9c787e5a4480385

SHA256
32927322cfd8ac38111725a3c4a6827079d23aad4e37fcb79157c95b8f5e327c

SHA512
4fb6a52aa3975f592b8df4ff4eee704d4fa7266ee65f5a69df56226110481ed0d8dacb3ef31ea44136fac669c65b0b1ebc856924d4cb4435d889e035a2fc9d43

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
d9bab8c65fb56bef48bb2ef862827a69

SHA1
25455f345639c7298c17c4209fc22f088c345f6f

SHA256
2df9964d60c3b4a00eb521eca4897de64498bbd1275841d785f75c7fb1cab0a4

SHA512
396f0b147088c9a61705f3a004a94738628438f1edf4a6a988660db0c52a398fa5f60d843861cb2df9bd8eda4d7c335864230e8ec3b2471574fc8f07a83c8cd5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\V50TXLKS\microsoft.windows[1].xml

Filesize
97B

MD5
0dd9849d7dcb276fe7952fbef01f27d2

SHA1
696b4212cc8a84291f88203695dbfe81567db0b9

SHA256
ab905cb2e3d901f2d2e2abbe041717c3c220c2fbf8f5a6b84554246918e1ccd0

SHA512
7c9ee87c2c2a4bb137141e1fdf4d5f64e3873c734dc3848bc98d9f4c5511c11124a700ce84c927ad8d76f6afbd3f8fa653a70f744927517249fda132767ca715

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BQC.bat

Filesize
199KB

MD5
39b88c2c11cbf678789f9d9cfc323a37

SHA1
61e054c4bec2ad651e3196be984c0c780cbb3acd

SHA256
bd3420278b602052c8a04c256841a7257d76da626b491eb630dd848356deb3f2

SHA512
e4b4060349d3b78d1f3ab3dace26cfbccb765b0c28bce664883a8cade514975e82658a5a67e959b0088c8c4043c6f0311c0dd5b7478547cdc7fe257e7f1ebec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohivdx5t.txb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~tmpSendKeysTemp.vbs

Filesize
220B

MD5
3dec10528f311221eb1158ff547bc0da

SHA1
8dd369995bbb0dd83a82f4c6c7382c1aa86badd8

SHA256
a74ed6dbbe51a7226b50a792a831b1c51b3fe6e3399dc7d4b65f032f3d9b565d

SHA512
af7b08247cc979354ee3b753b716e45537b34427857ed81551442d374d06a6f62295628fdf75dba880b2a495a793a4b8f653a0a623f519fbb018c912f2b3d42b

Download Submit
memory/1068-205-0x0000028768610000-0x0000028768620000-memory.dmp

Filesize
64KB

Download
memory/1068-202-0x0000028768610000-0x0000028768620000-memory.dmp

Filesize
64KB

Download
memory/1068-203-0x0000028768610000-0x0000028768620000-memory.dmp

Filesize
64KB

Download
memory/1068-196-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1068-204-0x0000028768610000-0x0000028768620000-memory.dmp

Filesize
64KB

Download
memory/1068-207-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1092-983-0x0000019E97180000-0x0000019E971A0000-memory.dmp

Filesize
128KB

Download
memory/1092-987-0x0000019E97550000-0x0000019E97570000-memory.dmp

Filesize
128KB

Download
memory/1092-985-0x0000019E97140000-0x0000019E97160000-memory.dmp

Filesize
128KB

Download
memory/1180-53-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1180-50-0x000001A072CF0000-0x000001A072D00000-memory.dmp

Filesize
64KB

Download
memory/1180-51-0x000001A072CF0000-0x000001A072D00000-memory.dmp

Filesize
64KB

Download
memory/1180-49-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1336-948-0x000001D809CC0000-0x000001D809CE0000-memory.dmp

Filesize
128KB

Download
memory/1336-952-0x000001D80A2A0000-0x000001D80A2C0000-memory.dmp

Filesize
128KB

Download
memory/1336-950-0x000001D809C80000-0x000001D809CA0000-memory.dmp

Filesize
128KB

Download
memory/1348-35-0x000001F9E3CA0000-0x000001F9E3CB0000-memory.dmp

Filesize
64KB

Download
memory/1348-34-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1348-38-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1572-87-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1572-93-0x000001BC488E0000-0x000001BC488F0000-memory.dmp

Filesize
64KB

Download
memory/1572-92-0x000001BC488E0000-0x000001BC488F0000-memory.dmp

Filesize
64KB

Download
memory/1572-96-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1616-113-0x0000029347180000-0x00000293471A6000-memory.dmp

Filesize
152KB

Download
memory/1616-111-0x0000029346DC0000-0x0000029346DD6000-memory.dmp

Filesize
88KB

Download
memory/1616-109-0x000002932DCD0000-0x000002932DCE0000-memory.dmp

Filesize
64KB

Download
memory/1616-110-0x000002932DCD0000-0x000002932DCE0000-memory.dmp

Filesize
64KB

Download
memory/1616-107-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1616-116-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1616-112-0x0000029346DA0000-0x0000029346DAA000-memory.dmp

Filesize
40KB

Download
memory/1720-592-0x000001CF11F60000-0x000001CF11F80000-memory.dmp

Filesize
128KB

Download
memory/1720-597-0x000001CF12320000-0x000001CF12340000-memory.dmp

Filesize
128KB

Download
memory/1720-594-0x000001CF11F20000-0x000001CF11F40000-memory.dmp

Filesize
128KB

Download
memory/1904-222-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1904-218-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/1904-219-0x0000023A6EA90000-0x0000023A6EAA0000-memory.dmp

Filesize
64KB

Download
memory/1904-220-0x0000023A6EA90000-0x0000023A6EAA0000-memory.dmp

Filesize
64KB

Download
memory/2076-873-0x0000020A46EA0000-0x0000020A46EC0000-memory.dmp

Filesize
128KB

Download
memory/2076-875-0x0000020A474C0000-0x0000020A474E0000-memory.dmp

Filesize
128KB

Download
memory/2076-871-0x0000020A46EE0000-0x0000020A46F00000-memory.dmp

Filesize
128KB

Download
memory/2252-1004-0x000002EC9E940000-0x000002EC9E960000-memory.dmp

Filesize
128KB

Download
memory/2252-1006-0x000002EC9E900000-0x000002EC9E920000-memory.dmp

Filesize
128KB

Download
memory/2252-1008-0x000002EC9ED10000-0x000002EC9ED30000-memory.dmp

Filesize
128KB

Download
memory/2352-966-0x000001C3AB9E0000-0x000001C3ABA00000-memory.dmp

Filesize
128KB

Download
memory/2352-968-0x000001C3AB9A0000-0x000001C3AB9C0000-memory.dmp

Filesize
128KB

Download
memory/2352-971-0x000001C3ABDB0000-0x000001C3ABDD0000-memory.dmp

Filesize
128KB

Download
memory/2360-131-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/2360-127-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/2360-128-0x0000013E43350000-0x0000013E43360000-memory.dmp

Filesize
64KB

Download
memory/2560-927-0x000001DA59DE0000-0x000001DA59E00000-memory.dmp

Filesize
128KB

Download
memory/2560-929-0x000001DA59DA0000-0x000001DA59DC0000-memory.dmp

Filesize
128KB

Download
memory/2560-931-0x000001DA5A1B0000-0x000001DA5A1D0000-memory.dmp

Filesize
128KB

Download
memory/2616-1025-0x0000024D57A00000-0x0000024D57A20000-memory.dmp

Filesize
128KB

Download
memory/2616-1027-0x0000024D577C0000-0x0000024D577E0000-memory.dmp

Filesize
128KB

Download
memory/2616-1029-0x0000024D57DD0000-0x0000024D57DF0000-memory.dmp

Filesize
128KB

Download
memory/3192-698-0x000000000B330000-0x000000000B549000-memory.dmp

Filesize
2.1MB

Download
memory/3392-159-0x0000014AE65B0000-0x0000014AE65C0000-memory.dmp

Filesize
64KB

Download
memory/3392-158-0x0000014AE65B0000-0x0000014AE65C0000-memory.dmp

Filesize
64KB

Download
memory/3392-157-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/3392-161-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/3400-1051-0x0000022C9AD00000-0x0000022C9AD20000-memory.dmp

Filesize
128KB

Download
memory/3400-1048-0x0000022C9A6F0000-0x0000022C9A710000-memory.dmp

Filesize
128KB

Download
memory/3400-1046-0x0000022C9A730000-0x0000022C9A750000-memory.dmp

Filesize
128KB

Download
memory/3800-737-0x00000171856E0000-0x0000017185700000-memory.dmp

Filesize
128KB

Download
memory/3800-739-0x00000171856A0000-0x00000171856C0000-memory.dmp

Filesize
128KB

Download
memory/3800-740-0x0000017185CC0000-0x0000017185CE0000-memory.dmp

Filesize
128KB

Download
memory/3892-8-0x0000020152BD0000-0x0000020152BF2000-memory.dmp

Filesize
136KB

Download
memory/3892-19-0x0000020150A50000-0x0000020150A60000-memory.dmp

Filesize
64KB

Download
memory/3892-18-0x00007FF82C8B0000-0x00007FF82D371000-memory.dmp

Filesize
10.8MB

Download
memory/3892-20-0x0000020150A50000-0x0000020150A60000-memory.dmp

Filesize
64KB

Download
memory/3892-23-0x00007FF82C8B0000-0x00007FF82D371000-memory.dmp

Filesize
10.8MB

Download
memory/3984-142-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/3984-146-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/3984-143-0x0000024F0CFA0000-0x0000024F0CFB0000-memory.dmp

Filesize
64KB

Download
memory/3984-144-0x0000024F0CFA0000-0x0000024F0CFB0000-memory.dmp

Filesize
64KB

Download
memory/4056-248-0x000001FF77110000-0x000001FF77120000-memory.dmp

Filesize
64KB

Download
memory/4056-251-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4056-247-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4056-249-0x000001FF77110000-0x000001FF77120000-memory.dmp

Filesize
64KB

Download
memory/4080-78-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4080-79-0x00000201A3980000-0x00000201A3990000-memory.dmp

Filesize
64KB

Download
memory/4080-81-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4276-172-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4276-176-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4276-174-0x0000023E4DCE0000-0x0000023E4DCF0000-memory.dmp

Filesize
64KB

Download
memory/4276-173-0x0000023E4DCE0000-0x0000023E4DCF0000-memory.dmp

Filesize
64KB

Download
memory/4332-236-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4332-234-0x000001B964410000-0x000001B964420000-memory.dmp

Filesize
64KB

Download
memory/4332-228-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4368-190-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4368-187-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4368-188-0x0000020A65560000-0x0000020A65570000-memory.dmp

Filesize
64KB

Download
memory/4612-59-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download
memory/4612-64-0x0000020FC55C0000-0x0000020FC55D0000-memory.dmp

Filesize
64KB

Download
memory/4612-67-0x00007FF82BBD0000-0x00007FF82C691000-memory.dmp

Filesize
10.8MB

Download